diff --git a/.claude/settings.local.json b/.claude/settings.local.json
new file mode 100644
index 0000000000..1712d76faf
--- /dev/null
+++ b/.claude/settings.local.json
@@ -0,0 +1,21 @@
+{
+ "permissions": {
+ "allow": [
+ "WebFetch(domain:community.netwrix.com)",
+ "WebFetch(domain:community.netwrix.com)",
+ "Bash(git checkout:*)",
+ "Bash(cp:*)",
+ "Bash(npm install)",
+ "Bash(npm start)",
+ "Bash(npm run start:*)",
+ "Bash(npx docusaurus start:*)",
+ "Bash(mkdir:*)",
+ "Bash(rm:*)",
+ "Bash(git add:*)",
+ "Bash(git commit:*)",
+ "Bash(find:*)",
+ "Bash(ls:*)"
+ ],
+ "deny": []
+ }
+}
\ No newline at end of file
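Review bot: The `allow` list grants `Bash(rm:*)`, `Bash(cp:*)` and `Bash(find:*)` with wildcard arguments while `deny` is empty, so the agent may delete or overwrite anything the invoking user can reach; scope these entries to the paths the docs work needs, or leave them out of a committed file. `WebFetch(domain:community.netwrix.com)` is also listed twice. The file name suggests per-user local settings, and this same patch adds it to `.gitignore`, so it probably should not be part of the commit at all.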
diff --git a/.gitignore b/.gitignore
index a7608d5c45..d67885be6b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -18,6 +18,9 @@ packages
.env.test.local
.env.production.local
+# Claude settings
+.claude/settings.local.json
+
npm-debug.log*
yarn-debug.log*
yarn-error.log*
\ No newline at end of file
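Review bot: The new `.claude/settings.local.json` ignore rule has no effect on a file that is tracked, and this same patch adds that file as a new tracked file. Decide which is intended: either drop the file from the commit (`git rm --cached .claude/settings.local.json`) and keep the rule, or keep the file and remove the rule.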
diff --git a/docs/auditor/10.8/accessreviews/_category_.json b/docs/auditor/10.8/accessreviews/_category_.json
new file mode 100644
index 0000000000..9b74af87fe
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Access Reviews",
+ "position": 100,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "accessreviews"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/accessreviews.md b/docs/auditor/10.8/accessreviews/accessreviews.md
new file mode 100644
index 0000000000..ec6f66bf6a
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/accessreviews.md
@@ -0,0 +1,156 @@
+---
+title: "Access Reviews"
+description: "Access Reviews"
+sidebar_position: 100
+---
+
+# Access Reviews
+
+Netwrix Auditor supports integration with Netwrix Auditor Access Reviews, which enables business
+owners to conduct resource and group reviews and recommend changes. The integration is available for
+the following data sources:
+
+- Active Directory
+- Dell Data Storage (only Unity family)
+- NetApp
+- Nutanix Files
+- Qumulo
+- SharePoint Online
+- Synology
+- Windows File Servers
+
+## Getting Started
+
+This workflow assumes you already have Netwrix Auditor installed with configured monitoring plans
+for a supported data source.
+
+**NOTE:** Access Reviews is a separately licensed product and is not included with Netwrix Auditor.
+Make sure that you have the Access Reviews license enabled in Auditor.
+
+See the [Licenses](/docs/auditor/10.8/admin/settings/licenses.md) topic for additional information.
+
+_Remember,_ there is one single Access Review license for all data sources that can send data to the
+application.
+
+Follow the steps to use Netwrix Auditor Access Reviews in conjuction with Auditor.
+
+**Step 1 –** Install Access Reviews on the same computer where Netwrix Auditor is installed. See the
+[Installation Overview](/docs/auditor/10.8/accessreviews/installation/overview.md) topic for prerequisites and
+additional information.
+
+**Step 2 –** Configure Access Reviews. The Configuration interface is only available to users with
+the Administrator role. See the [Administrator Overview](/docs/auditor/10.8/accessreviews/admin/overview.md) topic
+for configuration settings and enabling user access.
+
+**Step 3 –** Use the Access reviews configuration tool to setup the data flow from the Auditor
+database to the Access Reviews database. See the
+[Select Data Sources](/docs/auditor/10.8/accessreviews/installation/accessreviewsconfiguration.md) topic for additional information.
+
+**NOTE:** Data upload speed depends on the amount of collected data and Auditor collectors
+configuration.
+
+**Step 4 –** Configure resource ownership through the Access Reviews Console. The Resource Owners
+interface is available to users with either the Security Team or Administrator role. Managing
+ownership is core component for the Access Reviews workflow. See the
+[Resource Owners Overview](/docs/auditor/10.8/accessreviews/resourceowners/overview.md) topic for additional
+information.
+
+**NOTE:** The [Owners & Access Reviews](/docs/auditor/10.8/accessreviews/owneroverview/owneroverview.md) topic and
+subtopics are written for the assigned owners. You can distribute the URL to this topic or download
+a PDF to be distributed to your assigned resource owners.
+
+**Step 5 –** Configure and run reviews. The Entitlement Reviews interface is available to users with
+either the Security Team or Administrator role. See the
+[Reviews Overview](/docs/auditor/10.8/accessreviews/entitlementreviews/overview.md) topic for additional
+information.
+
+Netwrix Auditor Access Reviews is now configured and ready to use.
+
+## Considerations & Limitations
+
+Review the following considerations:
+
+1. Enabling State-in-Time data collection for your monitoring plans option is not required for the
+ integration works properly.
+2. The data collected by Auditor is updated at least once a day.
+3. If a monitoring plan or a data source with enabled integration is deleted, all collected data
+ will be removed from the Access Reviews database.
+4. If there are errors in upload of data to the Access Reviews database, these errors are reflected
+ in the Netwrix Auditor Health Log and text log files; status of items and data sources in Auditor
+ is not affected by these errors.
+5. Permissions-related considerations:
+
+ - For Windows File Servers, permission data for all items in this data source is sent to the
+ Access Reviews application;
+ - Only effective top-level permissions are sent (share+NTFS);
+ - Permission data is sent per file server (entirely for each server);
+ - Transfer of permission data to the Access Reviews application is started when you enable the
+ integration for a data source.
+
+ ## Initial Configuration
+
+ Next, configure the Access Reviews for your environment:
+
+ - Console Users — Grant users access to the application starting with an Administrator account.
+ There are two levels of access: Administrator and Security Team. See the
+ [Console Access Page](/docs/auditor/10.8/accessreviews/admin/configuration/consoleaccess.md) topic for
+ information.
+
+ - Optionally, disable the Builtin Administrator account. See the
+ [Modify the Builtin Administrator Account](/docs/auditor/10.8/accessreviews/admin/configuration/consoleaccess.md#modify-the-builtin-administrator-account)
+ topic for additional information.
+
+ - Notification — Configure the Notification settings required in order for the application to
+ send email. See the
+ [Notifications Page](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md) topic for
+ information.
+
+ ## Enable Console Users
+
+ Access Reviews Console users granted one of the available roles should be notified.
+
+ **_RECOMMENDED:_** The notification should include:
+
+ - Why your organization is using Netwrix Auditor Access Reviews.
+ - What they will be doing in the Access Reviews Console.
+ - How to log into the Access Reviews Console, specifically what URL and credentials to use.
+
+ You should also provide links to the appropriate topics based on the user's role:
+
+ - Security Team — Need topics that align to the work the will be doing in the Access Reviews
+ Console:
+
+ - Ownership Administrator — Send the URL link for the
+ [Resource Owners Overview](/docs/auditor/10.8/accessreviews/resourceowners/overview.md) topic.
+ - Review Administrator — Send the URL link for the
+ [Reviews Overview](/docs/auditor/10.8/accessreviews/entitlementreviews/overview.md) topic.
+
+ - Administrator — Send the URL link for the
+ [Administrator Overview](/docs/auditor/10.8/accessreviews/admin/overview.md) topic.
+
+ ## Resource Ownership Configuration
+
+ Ownership of resources must be assigned in order to use the Access Reviews workflow:
+
+ - Resource Ownership — Assign ownership for resources to be managed through the application. See
+ the [Resource Owners Interface](/docs/auditor/10.8/accessreviews/resourceowners/interface/interface.md) topic for
+ additional information.
+ - Enable Owners — Send a notification to your owners about resource ownership with the
+ application. See the
+ [Notification to Owners](/docs/auditor/10.8/accessreviews/resourceowners/overview.md#notification-to-owners)
+ topic for additional information.
+
+ ## Access Reviews Workflow
+
+ The Access Reviews applicaton runs attestations on resources and groups with the assigned
+ owners. The workflow consists of:
+
+ - Reviews — Configure reviews for resource Access or group Membership .
+ - Owner Performs Review — Owners process the review, potentially recommending changes
+ - Review Administrator Approval — Review and process owner recommended changes
+
+ **_RECOMMENDED:_** Set expectations for response time from owners.
+
+ Reviews can be run multiple times, maintaining a historical record for each instance. See the
+ [Reviews Overview](/docs/auditor/10.8/accessreviews/entitlementreviews/overview.md) topic for additional
+ information.
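Review bot: From `## Initial Configuration` to the end of the file, the headings and their body text are indented in this hunk (compare the unindented `## Considerations & Limitations`), which places them inside list item 5 instead of rendering them as top-level sections; outdent them to column 0. Under "Enable Console Users", the bullet "How to log into the Access Reviews Console, specifically what URL and credentials to use" should say which kind of account to use (the Console Access page in this patch says domain credentials) so it is not read as an instruction to send passwords in the notification. Typos to fix: "conjuction", "applicaton", "the will be doing", "is core component", "setup the data flow" (verb: "set up"), and "is not required for the integration works properly".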
diff --git a/docs/auditor/10.8/accessreviews/admin/_category_.json b/docs/auditor/10.8/accessreviews/admin/_category_.json
new file mode 100644
index 0000000000..bdd262d9c1
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Administrator Overview",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/admin/additionalconfig/_category_.json b/docs/auditor/10.8/accessreviews/admin/additionalconfig/_category_.json
new file mode 100644
index 0000000000..a8a0507cdf
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/additionalconfig/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Additional Configuration Options",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/admin/additionalconfig/emailtemplates.md b/docs/auditor/10.8/accessreviews/admin/additionalconfig/emailtemplates.md
new file mode 100644
index 0000000000..78d013597c
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/additionalconfig/emailtemplates.md
@@ -0,0 +1,79 @@
+---
+title: "Email Templates"
+description: "Email Templates"
+sidebar_position: 10
+---
+
+# Email Templates
+
+The HTML templates used to format notification email can be customized. These templates are designed
+to make the message viewable within an email client. It is recommended to edit text and layout as
+desired, but NOT to embed new images or logos. The following table shows the notification email
+templates and describes the purpose of each.
+
+| Template Name | Message Type Description |
+| --------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
+| EntitlementReviewReminder | Reminds owners of pending reviews; manually sent by a Review Administrator from the Entitlement Reviews interface |
+| OwnershipChangeNotification | Sent to owners when assigned ownership is changed for a resource which already has pending reviews |
+| OwnershipConfirm | Sent to owners to confirm or decline ownership of a given resource; manually sent by an Ownership Administrator from the Resource Owners interface |
+| ReminderDigest | Weekly reminder configured by Administrators on the Notifications page of the Configuration interface to owners with pending reviews |
+
+While customizing the template content, take note of the inline Substitution Tokens. These exist to
+provide the message with dynamic content, i.e. inserting values and strings from data in line with
+the static portion of the message body. These Substitution Tokens begin and end with the “@” symbol,
+e.g. @UserName@.
+
+Substitution Tokens are only valid for certain Notification message templates. Below is a table of
+the Substitution Tokens, the value or string they represent, and the message templates in which they
+may be used.
+
+| Substitution Token | Description | Applicable Template(s) |
+| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------ |
+| @LoginUrl@ | URL that allows a user to access the default (login) page | OwnershipChangeNotification ReminderDigest |
+| @ResourceDescription@ | Description of resource - To use the resource's description in emails instead of the path, replace @ResourcePath@ with @ResourceDescription@ | OwnershipConfirm ReminderDigest |
+| @ResourcePath@ | Path of the current resource - To use the resources’ description in emails instead of the path, replace @ResourcePath@ with @ResourceDescription@ | OwnershipConfirm ReminderDigest |
+| @ResourceType@ | Type of resource | OwnershipConfirm ReminderDigest |
+| @ResourceUrl@ | URL specifically created to respond to a request | EntitlementReviewReminder OwnershipConfirm |
+| @ResponseCount@ | Numerically formatted count of pending reviews | ReminderDigest |
+| @ReviewCount@ | Numerically formatted count of pending reviews | ReminderDigest |
+
+## Customize Email Templates
+
+Email templates are shipped in a ZIP file and stored in the Access Reviews installation directory:
+
+...\Netwrix\Access Reviews
+
+Follow the steps to customize the email templates.
+
+**NOTE:** To successfully modify these Notifications email templates, a familiarity with basic HTML
+is necessary.
+
+
+
+**Step 1 –** Navigate to the Access Reviews installation directory.
+
+**Step 2 –** Unzip the `Templates.zip` file and save the contents to a folder within this directory
+named `Templates`.
+
+**CAUTION:** The customized email templates must be in the `Templates` folder within the
+installation directory to be preserved during future application upgrades.
+
+
+
+**Step 3 –** Locate the desired HTML message template.
+
+**Step 4 –** Open the file with a text editor, e.g. Notepad, and customize the email body.
+
+**NOTE:** Using a tool other than a text editor to edit HTML files, such as a WYSIWYG web page
+editor which may drastically alter the underlying HTML code, is not supported.
+
+**Step 5 –** Email subject lines can be edited by changing the text between the opening `
`
+tag and the closing `` tag.
+
+**Step 6 –** After making changes, save the file and view it within a web browser to see what the
+changes will look like. The Substitution Tokens will display without supplied values.
+
+**Step 7 –** After making the desired changes, save and close the text editor. Then re-launch the
+application.
+
+The modifications to the HTML email templates are in use by the notification emails.
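Review bot: Step 5 has lost its tag names: it reads "between the opening ` ` tag and the closing `` tag", with empty inline code where the HTML element should be named, so the reader cannot tell which element holds the subject line. Restore the tag names and escape the angle brackets so the Markdown build keeps them. In the token table, `@ResponseCount@` and `@ReviewCount@` carry the identical description "Numerically formatted count of pending reviews"; one of the two is likely wrong. The "Applicable Template(s)" cells run template names together with only a space ("OwnershipConfirm ReminderDigest"); separate them with commas.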
diff --git a/docs/auditor/10.8/accessreviews/admin/additionalconfig/overview.md b/docs/auditor/10.8/accessreviews/admin/additionalconfig/overview.md
new file mode 100644
index 0000000000..0518ba21f9
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/additionalconfig/overview.md
@@ -0,0 +1,13 @@
+---
+title: "Additional Configuration Options"
+description: "Additional Configuration Options"
+sidebar_position: 40
+---
+
+# Additional Configuration Options
+
+In addition to the settings that are available on the Configuration interface, the following
+configurations and customizations can be done by Administrators:
+
+- [Email Templates](/docs/auditor/10.8/accessreviews/admin/additionalconfig/emailtemplates.md)
+- [Timeout Parameter](/docs/auditor/10.8/accessreviews/admin/additionalconfig/timeoutparameter.md)
diff --git a/docs/auditor/10.8/accessreviews/admin/additionalconfig/timeoutparameter.md b/docs/auditor/10.8/accessreviews/admin/additionalconfig/timeoutparameter.md
new file mode 100644
index 0000000000..25b9fef5ae
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/additionalconfig/timeoutparameter.md
@@ -0,0 +1,32 @@
+---
+title: "Timeout Parameter"
+description: "Timeout Parameter"
+sidebar_position: 20
+---
+
+# Timeout Parameter
+
+A user session will end when the timeout parameter for inactivity has been reached, and the user
+will be logged out. By default this is set to 15 minutes.
+
+The timeout parameter is configured within the `AccessInformationCenter.Service.exe.Config` file in
+the Access Reviews installation directory:
+
+...\Netwrix\Access Reviews
+
+Follow the steps to modify the timeout parameter.
+
+**Step 1 –** Open the `AccessInformationCenter.Service.exe.Config` file with a text editor, e.g.
+Notepad.
+
+
+
+**Step 2 –** Change the value for the `AuthSessionTimeout` parameter to the desired number of
+minutes. For example:
+
+
+
+**Step 3 –** Save and close the file.
+
+A user session times out after the number of minutes specified for inactivity, for example after 20
+minutes.
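Review bot: Step 2 ends with "For example:" but no example follows, so the `AuthSessionTimeout` line the reader is meant to edit is never shown, and the closing "for example after 20 minutes" refers to a value that appears nowhere in the topic. Add the configuration line as a fenced block after Step 2. It would also help to state whether the service has to be restarted for the new value to apply, as the Email Templates procedure does with its re-launch step.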
diff --git a/docs/auditor/10.8/accessreviews/admin/configuration/_category_.json b/docs/auditor/10.8/accessreviews/admin/configuration/_category_.json
new file mode 100644
index 0000000000..5d79b0cfd1
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/configuration/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Configuration Interface Overview",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/admin/configuration/activedirectory.md b/docs/auditor/10.8/accessreviews/admin/configuration/activedirectory.md
new file mode 100644
index 0000000000..9f697ae791
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/configuration/activedirectory.md
@@ -0,0 +1,51 @@
+---
+title: "Active Directory Page"
+description: "Active Directory Page"
+sidebar_position: 20
+---
+
+# Active Directory Page
+
+The Access Reviews application needs to be connected to Active Directory for user authentication and
+to assign resource ownership in the Resource Owners interface. The Active Directory service account
+is configured on the Active Directory page of the Configuration interface. Read access to Active
+Directory is required for this purpose.
+
+The Active Directory service account is configured during installation based on the account used for
+connecting to the database. If your Database service account uses:
+
+- SQL Server authentication credentials — Active Directory service account is configured to use the
+ Local System, or computer account, which typically has Read rights to the domain
+- Windows authentication credentials — The same domain credentials are also used for the Active
+ Directory service account
+
+
+
+There are two options for the type of Active Directory service account:
+
+- Use the account running this service — Local System, or computer account (NT AUTHORITY\SYSTEM)
+- Use the following Active Directory account — Uses a domain account with the required permissions
+ to Active Directory. The supplied User Name [DOMAIN\USERNAME] and Password are used as the Active
+ Directory service account.
+
+Multiple Domains
+
+The **Allow authentication from the following domains** option is where additional domains can be
+introduced to the Access Reviews Console. By default the domain where the Access Reviews Console
+resides is listed. Domains that are in the same forest or have a trust can be added in a
+comma-separated list.
+
+- For example: nwxtech.com,example.com
+
+_Remember,_ click **Save** when any changes are made to this page.
+
+## Update the Active Directory Service Account Password
+
+Follow the steps to update the Active Directory service account password. These steps only apply for
+the **Use the following Active Directory account** option.
+
+**Step 1 –** On the Active Directory page, enter the new password in the correct field.
+
+**Step 2 –** Click **Save**. Then click **OK** to confirm.
+
+The Active Directory service account password has been updated.
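Review bot: "Multiple Domains" is a bare text line with no heading or bold markup, so it renders as an ordinary paragraph; make it a `##` heading like "Update the Active Directory Service Account Password". In Step 1 of that procedure, "enter the new password in the correct field" should name the field. The opening paragraph says Read access is required; state whether Read is the only right the domain account needs, so administrators do not over-provision it.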
diff --git a/docs/auditor/10.8/accessreviews/admin/configuration/consoleaccess.md b/docs/auditor/10.8/accessreviews/admin/configuration/consoleaccess.md
new file mode 100644
index 0000000000..8c6c87958b
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/configuration/consoleaccess.md
@@ -0,0 +1,145 @@
+---
+title: "Console Access Page"
+description: "Console Access Page"
+sidebar_position: 10
+---
+
+# Console Access Page
+
+Console access is configured through the Configuration > Console Access page. Adding users to the
+Access Reviews Console requires the Active Directory service account to be configured.
+
+
+
+There are two levels of access, or roles, which can be granted to domain users or groups:
+
+- Administrator – Role allows access to all interfaces including the Configuration interface
+- Security Team – Role allows access to all interfaces except for the Configuration interface
+
+ - In the Entitlement Reviews interface, this role can only view reviews that the logged in user
+ has created.
+ - Access can be limited by resource types (File System, SharePoint, or Active Directory)
+
+**CAUTION:** Before disabling the Builtin Administrator account, it is necessary to first assign at
+least one domain user account to the Administrator role. Login with another Administrator account to
+disable the Builtin Administrator. Failure to do this could result in being locked-out of the
+Configuration interface. As an alternative to disabling this account, the password can be changed.
+See the Modify the Builtin Administrator Account topic for additional information.
+
+Once users have been granted console access, they can login with their domain credentials. Console
+access is not a requirement for owners to complete Access Reviews. See the
+[URL & Login](/docs/auditor/10.8/accessreviews/admin/login.md) topic for information on how users will log in and where they are
+directed after login based on their assigned role or lack of role.
+
+## Add Console Users
+
+Follow the steps to grant domain users or groups console access.
+
+
+
+**Step 1 –** In the Configuration interface on the Console Access page, click Add. The Console
+Access wizard opens.
+
+
+
+**Step 2 –** On the Select Trustee page, enter the following information and click Next:
+
+- Domain — If the Access Reviews Console has been configured for multiple domains, use the drop-down
+ menu to select the desired domain
+- Search — Begin typing the sAMAccountName or display name and the field will auto-populate options
+ from Active Directory sAMAccountName
+
+
+
+**Step 3 –** On the Select Access page, enter the following information and click **Finish**:
+
+- Select a role for this trustee – Select a role from the drop down list:
+
+ - Unlimited Access — The Administrator role grants unlimited access
+ - Limited Access — All other roles can be granted limited access
+
+- Allow access to the following resource — When enabled, users can be limited to only having
+ visibility into data for the selected types of resources. Check the boxes for the type of resource
+ data to be made available to this user.
+- Access is enabled – A user's account must be enabled in order to log into the console. Unchecking
+ this option allows you to configure access to be granted at a future time.
+
+
+
+**Step 4 –** The new user displays in the list on the Console Access page. Repeat these steps for
+each trustee to be granted console access.
+
+Once the first user with the role of Administrator has been added, the Builtin Administrator account
+can be disabled by that user. See the Modify the Builtin Administrator Account topic for additional
+information.
+
+## Modify Console Users
+
+Follow the steps to modify a user’s console access.
+
+**NOTE:** These steps are for modifying domain users with console access roles and do not apply to
+the Builtin Administrator account. See the Modify the Builtin Administrator Account topic for
+additional information.
+
+**Step 1 –** In the Configuration interface on the Console Access page, select the user to be
+modified and click Modify. The Console Access wizard opens to the Select Access page.
+
+
+
+**Step 2 –** Modify the desired settings and click **Finish**:
+
+- Select a role for this trustee – Select a role from the drop down list:
+
+ - Unlimited Access — The Administrator role grants unlimited access
+ - Limited Access — All other roles can be granted limited access
+
+- Allow access to the following resource — When enabled, users can be limited to only having
+ visibility into data for the selected types of resources. Check the boxes for the type of resource
+ data to be made available to this user.
+- Allow access to the following servers — When enabled, users can be limited to only having
+ visibility into data for specific servers. Begin typing server names and the field will
+ auto-populate with known servers from scanned data. A resource type appears in parentheses after
+ the host name for quick reference.
+- Access is enabled – A user's account must be enabled in order to log into the console. Unchecking
+ this option allows you to configure access to be granted at a future time.
+
+Any modifications to the user’s role are visible in the list on the Console Access page.
+
+## Delete Console Users
+
+**CAUTION:** Confirmation is not requested when deleting users. An alternative to deleting a console
+user is to disable their access. See the Modify Console Users topic for additional information.
+
+Follow the steps to remove a user’s configured console access.
+
+
+
+**Step 1 –** In the Configuration interface on the Console Access page, select the user.
+
+**Step 2 –** Click Remove.
+
+The user is removed from the list on the Console Access page.
+
+## Modify the Builtin Administrator Account
+
+The Builtin Administrator account can be disabled or its password can be changed. Follow the steps
+to modify this account.
+
+
+
+**Step 1 –** In the Configuration interface on the Console Access page, select the Builtin
+Administrator account and click **Modify**. The Builtin Administrator window opens.
+
+**Step 2 –** Modify the account as desired and click **OK**:
+
+- Access is enabled — Indicates whether the account can be used to login
+- Change Password — Allows you to change the password for this Builtin Administrator account. Check
+ the box and enter the new password in both entry fields. The password must be eight or more
+ characters long.
+
+The modifications to the Builtin Administrator are processed.
+
+**NOTE:** The new password is encrypted in the `AccessInformationCenter.Service.exe.Config` file, in
+the `AuthBuiltinAdminPassword` parameter. If you forget the Admin password, you can clear the
+`AuthBuiltinAdminPassword` value in the `AccessInformationCenter.Service.exe.Config` file. Then use
+the default first launch login credentials to set a new password.
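Review bot: The closing NOTE documents that clearing `AuthBuiltinAdminPassword` in `AccessInformationCenter.Service.exe.Config` makes the default first launch credentials valid again, but nothing tells the administrator to restrict write access to that file or to set a new password immediately after such a reset; add both. The note also does not say where the default first launch credentials are documented. The three "See the Modify the Builtin Administrator Account topic" references are plain text; link them to `#modify-the-builtin-administrator-account` as accessreviews.md does. "Allow access to the following servers" is listed under Modify Console Users but not under Add Console Users Step 3; confirm that the difference is intentional. In Step 2 of Add Console Users, "from Active Directory sAMAccountName" has a stray trailing word.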
diff --git a/docs/auditor/10.8/accessreviews/admin/configuration/database.md b/docs/auditor/10.8/accessreviews/admin/configuration/database.md
new file mode 100644
index 0000000000..09d7654a58
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/configuration/database.md
@@ -0,0 +1,55 @@
+---
+title: "Database Page"
+description: "Database Page"
+sidebar_position: 40
+---
+
+# Database Page
+
+The Access Reviews application must have access to the SQL Server hosting the database. It is
+configured during installation. If it is necessary to modify these setting after installation, that
+is done on the Database Page of the Configuration interface.
+
+
+
+SQL Server database information:
+
+- Server Name – Host name of the SQL Server serving the database in one of the following formats:
+
+ - No named instance: [SQLHostName]
+
+ - Example: NT-SQL02
+
+ - Named instance: [SQLHostName]\[SQLInstanceName]
+
+ - Example: NT-SQL02\Netwrix
+
+ - No named instance with non-standard port: [SQLHostName],[PortNumber]
+
+ - Example: NT-SQL02,1392
+
+ - Named instance with non-standard port: [SQLHostName]\[SQLInstanceName],[PortNumber]
+
+ - Example: NT-SQL02\Netwrix,1392
+
+- Database – Name of the SQL database
+
+Database service account information:
+
+- Use the windows account running this service — Local System, or computer account (NT
+ AUTHORITY\SYSTEM)
+- Use the following SQL account – Uses SQL Authentication to the database. Provide the properly
+ provisioned SQL credentials for the database
+
+_Remember,_ click **Save** when any changes are made to this page.
+
+## Update the Database Service Account Password
+
+Follow the steps to update the Database service account password. These steps only apply for the SQL
+Authentication option.
+
+**Step 1 –** On the Database page, enter the new password in the correct field.
+
+**Step 2 –** Click **Save**. Then click **OK** to confirm.
+
+The Database service account password has been updated.
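Review bot: "Provide the properly provisioned SQL credentials for the database" does not say what provisioning is required; name the database role or permissions the account needs, or link to the installation prerequisites, so the account is not simply given sysadmin. Minor: "these setting" should be "these settings", "windows account" should be "Windows account", and Step 1's "the correct field" should name the field.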
diff --git a/docs/auditor/10.8/accessreviews/admin/configuration/diagnostics.md b/docs/auditor/10.8/accessreviews/admin/configuration/diagnostics.md
new file mode 100644
index 0000000000..bd7ec27de8
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/configuration/diagnostics.md
@@ -0,0 +1,32 @@
+---
+title: "Diagnostics Page"
+description: "Diagnostics Page"
+sidebar_position: 50
+---
+
+# Diagnostics Page
+
+Download logs and enable debug log level for troubleshooting with Netwrix Support on the Diagnostics
+page of the Configuration interface.
+
+
+
+When requested by [Netwrix Support](https://www.netwrix.com/support.html), click Download Logs to
+download the archive of all application logs.
+
+## Debug Logs
+
+When requested by [Netwrix Support](https://www.netwrix.com/support.html) , follow the steps to
+provide debug logs.
+
+**Step 1 –** On the Diagnostics page, check the Enable debug logging box.
+
+**Step 2 –** Click **Save**.
+
+**Step 3 –** Reproduce the issue you are having.
+
+**Step 4 –** On the Diagnostics page, click **Download Logs**.
+
+The downloaded logs have the debug logging information and can be sent to
+[Netwrix Support](https://www.netwrix.com/support.html). When your issue is resolved, do not forget
+to turn off Debug logs.
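Review bot: Turning debug logging back off appears only in the closing sentence ("do not forget to turn off Debug logs"); make it a numbered Step 5 that mirrors Steps 1 and 2 (clear the Enable debug logging box, click Save) so it is not skipped. There is a stray space before the comma after the Netwrix Support link in the Debug Logs intro, and "Download Logs" is bold in Step 4 but plain in the paragraph above the Debug Logs heading.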
diff --git a/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md b/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md
new file mode 100644
index 0000000000..ac1c99dcc8
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md
@@ -0,0 +1,122 @@
+---
+title: "Notifications Page"
+description: "Notifications Page"
+sidebar_position: 30
+---
+
+# Notifications Page
+
+The Access Reviews application uses the Simple Mail Transfer Protocol (SMTP) to send email messages.
+SMTP server information and several messaging options can be set through the Configuration >
+Notifications page.
+
+
+
+At the top, the SMTP server and email security settings are configured. The Notification options is
+where you configure the sender information, and other optional settings. The Reminders section is
+for configuring weekly reminders for owners with outstanding reviews.
+
+## Configure SMTP Server Settings
+
+SMTP server information is supplied and modified on the Notifications page. Follow the steps to
+configure or modify the SMTP settings.
+
+
+
+**Step 1 –** In the Configuration interface, select the Notifications page.
+
+**Step 2 –** Enter the SMTP Server Name in the textbox. This should be the fully qualified domain
+name (mail.example.com) or IP Address.
+
+**Step 3 –** If needed, modify the Port used by your SMTP server to listen for new messages.
+Historically, the default for SMTP has been port 25. However, if a secure connection is desired
+(SSL/TLS), the SMTPS port needs to be changed, traditionally 465. Alternately, environments with
+off-premises or outsourced email service, e.g. gmail.com, hotmail.com, etc., may have to supply a
+different submission port, traditionally port 587. Ultimately it is an organization’s
+email/messaging administrator who will know the proper value for the SMTP port.
+
+**Step 4 –** SMTP security settings:
+
+- Use a secure connection for this server (SSL/TLS) – Allows for the use of a secure transport layer
+ for message relay requests (submissions) and authentication requests
+- Enforce certificate validation to ensure security — Forces the use of certificate validation
+- This server requires authentication – Enable if the identified SMTP server requires
+ authentication. Some SMTP servers traditionally have been configured to deny all but anonymous
+ relay requests, i.e. an attempt to authenticate results in a denial, while an anonymous request is
+ not denied. Select this checkbox, and then select one of the following radio buttons if
+ authentication is required:
+
+ - Use the account running this service
+
+ - To use this option, the SMTP server must be configured to use Integrated Windows
+ Authentication (IWA).
+ - Select this radio button if the configured Active Directory service account will also be
+ used to authenticate to the SMTP server.
+
+ - Use the following AD Account
+
+ - To use this option, the SMTP server must be configured to use Integrated Windows
+ Authentication (IWA).
+ - Select this radio button to specify either domain account or a traditional SMTP account
+ and password to authenticate to the SMTP server.
+
+
+
+**Step 5 –** Click **Test Settings** to ensure a connection to the SMTP server. The Test Settings
+window opens. Enter a valid email address and click **OK**.
+
+
+
+**Step 6 –** If the SMTP settings are configured correctly, you receive a successful message. Click
+**OK** to close the Testing your settings window. The test recipient should have recieved a test
+email.
+
+**Step 7 –** Click **Save**. Then click **OK** to confirm.
+
+The Access Reviews Console is now configured to send email. See the following topics for additional
+Notification options.
+
+## Notification Options
+
+Once the SMTP server is configured, there are additional options. Only the Reply-To field must be
+populated:
+
+
+
+- Reply-To — The email address that receives responses to notifications sent by the application.
+ This can be a “no reply” address.
+- Reply-Display — Optionally enter a display name for the sender
+- Carbon-Copy — Optionally set additional email addresses to be CC’d on all email messages sent
+- Server Name Alias — Optionally provide an alternate name for the URL link to the Access Reviews
+ Console. By default, the URL is the hosting server name and port, e.g. NEWYORKSRV10:81. If you do
+ not want the server name visible in the URL, provide an alias here, e.g. AIC.NWXTECH.com.
+- Send notifications to all resource owners — This option applies only to resources with multiple
+ assigned owners. When unchecked, notifications are only sent to the Primary Owner. Check this
+ option to send owner notifications to all assigned owners.
+
+_Remember,_ click **Save** after making modifications to the Notification settings.
+
+## Reminders
+
+Resource Owners receive notification email when there are new pending tasks associated to their
+resources. You can also set up automated weekly reminders for outstanding pending tasks. Follow the
+steps to configure weekly reminders to resource owners.
+
+
+
+**Step 1 –** In the Configuration interface, select the Notifications page and scroll down to the
+Reminders section.
+
+**Step 2 –** Check the Send reminders to owners with pending events option.
+
+**Step 3 –** Set the date and time for when the reminder will be sent:
+
+- Day of the week – Select the day of the week from the drop-down menu
+- Time of day – Click on the field to open a clock window. Set the time of day reminders will be
+ sent, e.g. 12:00 AM
+
+**Step 4 –** Click **Save**. Then click **OK** to confirm.
+
+Assigned resource owners now receive weekly reminders of pending events. The **Notifications were
+last sent on** field will populate with the date timestamp for when the last set of reminders were
+sent.
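Review bot: In Step 4, the "Use the following AD Account" option contradicts itself: its first sub-bullet says the SMTP server must be configured for Integrated Windows Authentication, while the second says the option also accepts "a traditional SMTP account and password". State which is true, and if plain SMTP credentials are accepted, drop the IWA requirement from that option. The "Enforce certificate validation to ensure security" bullet only restates its label; say what is validated and what happens to a send attempt when validation fails, since this is the page where mail server credentials are entered. Step 3 is hard to follow ("the SMTPS port needs to be changed, traditionally 465"); reword it to say which port to enter for each case. Also fix "recieved" in Step 6 and "The Notification options is where" in the introduction, and pick one separator for the option lists, which currently mix "–" and "—".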
diff --git a/docs/auditor/10.8/accessreviews/admin/configuration/overview.md b/docs/auditor/10.8/accessreviews/admin/configuration/overview.md
new file mode 100644
index 0000000000..7e1fc53a1a
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/configuration/overview.md
@@ -0,0 +1,22 @@
+---
+title: "Configuration Interface Overview"
+description: "Configuration Interface Overview"
+sidebar_position: 30
+---
+
+# Configuration Interface Overview
+
+The Configuration interface is available only to users with the Administrator role. It is opened by
+the **Configuration** tab.
+
+
+
+It has the following pages:
+
+- [Console Access Page](/docs/auditor/10.8/accessreviews/admin/configuration/consoleaccess.md) – Grant users console access
+- [Active Directory Page](/docs/auditor/10.8/accessreviews/admin/configuration/activedirectory.md) – Configure the Active Directory service account used
+ to add console users.
+- [Notifications Page](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md) – Configure the SMTP server, email security settings,
+ notification options, and owner reminder settings
+- [Database Page](/docs/auditor/10.8/accessreviews/admin/configuration/database.md) – Configure the connection to the database
+- [Diagnostics Page](/docs/auditor/10.8/accessreviews/admin/configuration/diagnostics.md) – Download logs and enable debug log level for troubleshooting
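Review bot: The front matter sets sidebar_position: 30, the same value that notifications.md in this directory declares; unless overview.md is the linked doc of the category, the order of the two pages is ambiguous, so give one of them a distinct position. The page list is also punctuated inconsistently: only the Active Directory Page item ends with a period.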
diff --git a/docs/auditor/10.8/accessreviews/admin/firstlaunch.md b/docs/auditor/10.8/accessreviews/admin/firstlaunch.md
new file mode 100644
index 0000000000..da3ac80506
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/firstlaunch.md
@@ -0,0 +1,38 @@
+---
+title: "First Launch"
+description: "First Launch"
+sidebar_position: 10
+---
+
+# First Launch
+
+The installer places the following icon on the desktop which opens the Access Reviews Console:
+
+
+
+Use this icon to launch the Access Reviews Console for the first time.
+
+
+
+The Access Reviews application is installed with a Builtin Administrator account; "admin" is the
+User Name. You will be prompted to set the account's password. It must be eight or more characters
+long. After setting the password, you will need to login with the "admin" account.
+
+Using the Configuration interface, the Builtin Administrator account can be disabled once a domain
+account has been granted the Administrator role. You can also change the password for the Builtin
+Administrator account. See the
+[Modify the Builtin Administrator Account](configuration/consoleaccess.md#modify-the-builtin-administrator-account)
+topic for additional information.
+
+
+
+The Resource Owners interface opens. The first thing that should be done is to configure console
+access for domain users and configure notification settings. Select the Configuration tab. See the
+[Console Access Page](/docs/auditor/10.8/accessreviews/admin/configuration/consoleaccess.md) and
+[Notifications Page](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md) topics for additional information.
+
+The interfaces available to console users are controlled by the role assigned. Owners do not need to
+be assigned console access. See the [URL & Login](/docs/auditor/10.8/accessreviews/admin/login.md) topic for information on how users will
+log in and where they are directed after login.
+
+See the [Navigation](/docs/auditor/10.8/accessreviews/admin/navigate/navigate.md) topic for information on each of the interfaces.
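Review bot: The link to Modify the Builtin Administrator Account uses a relative path (configuration/consoleaccess.md#modify-the-builtin-administrator-account) while every other link in this file uses the absolute /docs/auditor/10.8/... form; use one style throughout. The paragraph about disabling the Builtin Administrator account sits between "you will need to login" and "The Resource Owners interface opens", which interrupts the launch sequence; move it after the Resource Owners paragraph. Because the only password requirement stated is "eight or more characters", consider wording the disable step as the recommended end state once a domain account holds the Administrator role, rather than "can be disabled". "login" used as a verb should be "log in".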
diff --git a/docs/auditor/10.8/accessreviews/admin/login.md b/docs/auditor/10.8/accessreviews/admin/login.md
new file mode 100644
index 0000000000..3bd28a4e58
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/login.md
@@ -0,0 +1,90 @@
+---
+title: "URL & Login"
+description: "URL & Login"
+sidebar_position: 50
+---
+
+# URL & Login
+
+The Access Reviews Console can be accessed through a supported browser from a machine within your
+company's network. The URL is the hosting machine's name and the
+port, http://[HOSTNAME.DOMAIN.COM]:81. For example, if the application was installed on a server
+named NEWYORKSRV10.NWXTech.com with the default port of 81, the URL would be
+http://NEWYORKSRV10.NWXTech.com:81.
+
+Administrators
+
+Administrators with access to the server hosting the application can use the desktop icon to launch
+the application in their default browser. Alternatively, the localhost URL can be used:
+
+- HTTP URL
+
+ - http://localhost:81
+
+- HTTPS URL
+
+ - https://localhost:481
+
+Remote Access
+
+Since Access Reviews is a browser-based application, it is possible to access the web interface
+remotely. It is up to the Administrator to provide users with the correct URL for access.
+
+Depending on your network environment, you may need to use the NetBIOS name, FQDN, or IP Address of
+the hosting server in the browser. Also, additional configurations by network and system
+administrators may be necessary to make the web server accessible to remote users (firewall
+configurations, DNS settings, etc.).
+
+The server name in the URL can be replaced with an alias. See the
+[Notification Options](configuration/notifications.md#notification-options) topic for additional
+information.
+
+## Login Page
+
+Users login with their domain credentials. If only one domain is known to the Access Reviews
+Console, the credentials need only be username and password. If multiple domains are known, then the
+username needs to be entered in the `domain\username` format.
+
+**NOTE:** The URL may need to be added to the browser’s list of trusted sites.
+
+
+
+The interface a user arrives at depends upon the assigned role or lack of assigned role.
+
+## User Landing Page
+
+Role based access controls what interfaces users can see and where each user is directed upon login.
+
+**_RECOMMENDED:_** Send an email to your users. Let them know why you are implementing use of the
+application, provide the URL, and explain how to login with their domain credentials and the
+username format. See the
+[Enable Console Users](/docs/auditor/10.8/accessreviews/accessreviews.md#enable-console-users) topic for additional
+information.
+
+### Administrator Role
+
+Users granted the Administrator role are directed to the Resource Owners interface upon login.
+
+
+
+Administrators are the only ones with access to the Configuration interface. The My Reviews
+interface is available if the logged in user is also assigned ownership of a resource.
+
+### Security Team Role
+
+Users granted the Security Team role are directed to the Resource Owners interface upon login.
+
+
+
+Security Team members only lack access to the Configuration interface, which is only available to
+Administrators. The My Reviews interface is available if the logged in user is also assigned
+ownership of a resource.
+
+### Owners Without Role
+
+Users assigned ownership of a resource but not granted a user role are directed to the My Reviews
+interface upon login.
+
+
+
+Owners can view pending reviews and view historical reviews.
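Review bot: The URL this page tells administrators to give to users is http://[HOSTNAME.DOMAIN.COM]:81, yet the Login Page section has users enter domain credentials there, and the HTTPS form appears only as https://localhost:481 under Administrators. Document the HTTPS form of the remote URL (or link the topic that covers enabling HTTPS, if one exists) and make that the URL suggested in the RECOMMENDED email. "Administrators" and "Remote Access" are bare lines acting as headings; mark them up the same way as the other sections. "Users login" and "how to login" should use the verb "log in".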
diff --git a/docs/auditor/10.8/accessreviews/admin/navigate/_category_.json b/docs/auditor/10.8/accessreviews/admin/navigate/_category_.json
new file mode 100644
index 0000000000..fb70262fe5
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/navigate/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Navigation",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "navigate"
+ }
+}
\ No newline at end of file
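Review bot: The file ends without a trailing newline ("\ No newline at end of file"); add one so a later edit to this file does not show the closing brace as a changed line.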
diff --git a/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md b/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md
new file mode 100644
index 0000000000..aa531608c8
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md
@@ -0,0 +1,77 @@
+---
+title: "Data Grid Features"
+description: "Data Grid Features"
+sidebar_position: 10
+---
+
+# Data Grid Features
+
+The data grids within various tables have several features to improve your experience.
+
+## Search & Filter
+
+There is a Search box above a table's header row that can be used to filter the table data.
+
+
+
+Begin typing in the Search box. The filter acts as a wildcard, filtering the table data as you type.
+
+## Column Filters
+
+There is a filter icon to the right of each column name that can be used to apply a column specific
+filter. You can apply filters to multiple columns simultaneously.
+
+
+
+Click the filter icon for the column you want to filter. Select the values you want to filter for
+from the list, and click **Apply**.
+
+**NOTE:** Hold the **Shift** key and click the first and last values to select a group of adjacent
+values, or hold the **Ctrl** key and click each value to select multiple values individually.
+
+
+
+The filter icon is highlighted orange for a column where a filter is applied. To clear an applied
+filter, click the filter icon and click **Clear**.
+
+## Resize Columns
+
+Table column widths can be resized to change the width.
+
+
+
+Simply select the edges of the column headers and drag to the desired width.
+
+## Sort
+
+Data within a table can be sorted alphanumerically for a column.
+
+
+
+Click on any column header. An arrow will appear next to the column name indicating the sort to be
+ascending or descending order.
+
+## Columns Selector
+
+Columns can be hidden or unhidden. Available columns for a table are listed in the column selector
+menu that appears when you right-click on a column header.
+
+
+
+The column selector menu shows all available columns for the table. Check columns are visible.
+Unchecked columns are hidden.
+
+## Exports
+
+There are two export buttons above a table's header row that can be used to export the data
+currently displayed within the table.
+
+
+
+- CSV Export – Downloads the data within the table in a CSV file format
+- Excel Export – Downloads the data within the table in an Excel file format
+
+The export mimics the table with any sort, filter, or column modifications. The Excel or CSV file
+can then be distributed as desired. The Excel file presents an easy to read format, including
+information about the selected table and resource at the top. The CSV file displays column headers
+in the first row.
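Review bot: In the Columns Selector section, "Check columns are visible." should read "Checked columns are visible." to pair with "Unchecked columns are hidden." In Resize Columns, "Table column widths can be resized to change the width" is circular; "Table columns can be resized" says the same thing. In Sort, "indicating the sort to be ascending or descending order" should be "indicating whether the sort is ascending or descending". The Exports section says the file "can then be distributed as desired"; since the export mirrors whatever the table shows, a sentence noting that exported files carry the same access data as the console would be a useful addition.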
diff --git a/docs/auditor/10.8/accessreviews/admin/navigate/editnotes.md b/docs/auditor/10.8/accessreviews/admin/navigate/editnotes.md
new file mode 100644
index 0000000000..e58e9797e9
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/navigate/editnotes.md
@@ -0,0 +1,20 @@
+---
+title: "Edit Notes Window"
+description: "Edit Notes Window"
+sidebar_position: 20
+---
+
+# Edit Notes Window
+
+The Edit Note window can be opened from a variety of interfaces. Follow the steps to add or edit a
+note.
+
+**Step 1 –** Select the item in the interface and click Edit Notes. The Edit Notes window opens.
+
+
+
+**Step 2 –** Type or edit the note in the textbox.
+
+**Step 3 –** Click OK when finished. The Edit Notes window closes.
+
+The user name and a date timestamp will appear at the beginning of each note added.
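Review bot: The window is named inconsistently: the title and Steps 1 and 3 say "Edit Notes" while the first sentence says "The Edit Note window"; use the name shown in the UI everywhere. The button names in Steps 1 and 3 (Edit Notes, OK) are not bolded, unlike the button names in the other pages added by this patch (for example **Save** and **OK** in notifications.md).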
diff --git a/docs/auditor/10.8/accessreviews/admin/navigate/navigate.md b/docs/auditor/10.8/accessreviews/admin/navigate/navigate.md
new file mode 100644
index 0000000000..321b96fbb6
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/navigate/navigate.md
@@ -0,0 +1,64 @@
+---
+title: "Navigation"
+description: "Navigation"
+sidebar_position: 20
+---
+
+# Navigation
+
+The Access Reviews Console has four interfaces. Upon login, users granted console access are brought
+to the Resource Owners interface.
+
+
+
+The signed in user is displayed in the upper-right corner, along with the **Sign out** link. The
+available interfaces change according to the role assigned to the user.
+
+For Administrator Only
+
+The Configuration tab opens the Configuration interface. Configure console access, Active Directory
+service account, notification settings, database access, and diagnostic logging level.
+
+This interface is available only to users with the Administrator role. See the
+[Configuration Interface Overview](/docs/auditor/10.8/accessreviews/admin/configuration/overview.md) topic for additional information.
+
+For Security Team & Administrator
+
+The Resource Owners tab opens the Resource Owners interface. Manage resource ownership by assigning
+owners to resources and requesting ownership confirmation. Resources to be included in the Access
+Reviews workflow must first be assigned at least one owner within the Resource Owners interface.
+Assigned owners can log in to complete reviews.
+
+This interface is available only to users with either the Security Team or Administrator role. See
+the [Resource Owners Interface](/docs/auditor/10.8/accessreviews/resourceowners/interface/interface.md) topic for additional information.
+
+The Entitlement Reviews tab opens the Entitlement Reviews interface. Create and manage reviews.
+There are two types of reviews for resources being managed within the Access Reviews application:
+resource Access reviews and group Membership reviews. This does require the Access Reviews
+application to be configured to send notifications.
+
+This interface is available only to users with either the Security Team or Administrator role. See
+the [Entitlement Reviews Interface](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md) topic for additional
+information.
+
+For Assigned Owner
+
+The My Reviews tab opens the My Reviews interface. It is only visible if the logged in user is also
+an assigned owner of at least one resource. Assigned owners without a user role are directed to the
+My Reviews interface at login.
+
+The My Reviews interface is available to any domain user who has been assigned ownership of a
+resource. See the [Owners & Access Reviews](/docs/auditor/10.8/accessreviews/owneroverview/owneroverview.md) topic for additional
+information.
+
+## Interface Quick Reference
+
+The table below is a quick reference aligning each interface with its purpose, how to access it, and
+who has access to it:
+
+| Interface | Purpose | Opened By | Accessible To |
+| ------------------- | --------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------- | ------------------------------------- |
+| Configuration | Configure console access, Active Directory service account, notification settings, database access, and diagnostic logging level. | **Configuration** tab | Administrator role |
+| Resource Owners | Manage resource ownership by assigning owners to resources and requesting ownership confirmation. | **Resource Owners** tab | Administrator role Security Team role |
+| Entitlement Reviews | Create and manage reviews. | **Entitlement Reviews** tab | Administrator role Security Team role |
+| My Reviews | View and process pending reviews. Also view historical reviews. | **My Reviews** tab Direct from login for owners without a role | Assigned Resource Owners |
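Review bot: In the Interface Quick Reference table, multi-value cells run together with no separator ("Administrator role Security Team role", "**My Reviews** tab Direct from login for owners without a role"); separate the values with a line break or a comma so each cell reads as a list. "For Administrator Only", "For Security Team & Administrator" and "For Assigned Owner" are bare lines acting as headings and should be marked up as such. In the Entitlement Reviews paragraph, "This does require the Access Reviews application to be configured to send notifications" has no clear antecedent; say that creating reviews requires notifications to be configured and link the Notifications Page.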
diff --git a/docs/auditor/10.8/accessreviews/admin/overview.md b/docs/auditor/10.8/accessreviews/admin/overview.md
new file mode 100644
index 0000000000..f10ce0e0a3
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/overview.md
@@ -0,0 +1,18 @@
+---
+title: "Administrator Overview"
+description: "Administrator Overview"
+sidebar_position: 20
+---
+
+# Administrator Overview
+
+Access Reviews administrators have access to the Configuration interface where there application
+settings reside. This topic includes the following subtopics:
+
+- [Getting Started](/docs/auditor/10.8/accessreviews/accessreviews.md#getting-started)
+- [First Launch](/docs/auditor/10.8/accessreviews/admin/firstlaunch.md)
+- [Navigation](/docs/auditor/10.8/accessreviews/admin/navigate/navigate.md)
+- [Configuration Interface Overview](/docs/auditor/10.8/accessreviews/admin/configuration/overview.md)
+- [Additional Configuration Options](/docs/auditor/10.8/accessreviews/admin/additionalconfig/overview.md)
+- [URL & Login](/docs/auditor/10.8/accessreviews/admin/login.md)
+- [Troubleshooting](/docs/auditor/10.8/accessreviews/admin/troubleshooting/overview.md)
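Review bot: Typo in the first sentence: "where there application settings reside" should be "where the application settings reside".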
diff --git a/docs/auditor/10.8/accessreviews/admin/troubleshooting/_category_.json b/docs/auditor/10.8/accessreviews/admin/troubleshooting/_category_.json
new file mode 100644
index 0000000000..9f3d281f3b
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/troubleshooting/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Troubleshooting",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
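Review bot: The category link uses "id": "overview", and entitlementreviews/_category_.json in this same patch uses the identical id; please confirm the docs build resolves each one to the overview.md in its own directory and not to a single shared document. The file also lacks a trailing newline.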
diff --git a/docs/auditor/10.8/accessreviews/admin/troubleshooting/credentialpasswords.md b/docs/auditor/10.8/accessreviews/admin/troubleshooting/credentialpasswords.md
new file mode 100644
index 0000000000..afc86ede38
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/troubleshooting/credentialpasswords.md
@@ -0,0 +1,56 @@
+---
+title: "Update Credential Passwords"
+description: "Update Credential Passwords"
+sidebar_position: 30
+---
+
+# Update Credential Passwords
+
+Credential passwords occasionally need to be updated due to various reasons, such as security
+policies that require passwords to be reset on a regular basis. The following types of credentials
+may be impacted by password changes or security policies:
+
+- Database service account
+- Active Directory service account
+- SMTP authentication service account
+- Application Service Account
+- Bultin Administrator account
+
+## Database Service Account
+
+The Database service account grants access to the SQL Server database. It can be updated on the
+Database page of the Configuration interface. See the
+[Update the Database Service Account Password](/docs/auditor/10.8/accessreviews/admin/configuration/database.md#update-the-database-service-account-password)
+topic for instructions.
+
+## Active Directory Service Account
+
+The Active Directory service account handles user authentication to the Access Reviews Console. It
+can be updated on the Active Directory page of the Configuration interface. See the
+[Update the Active Directory Service Account Password](/docs/auditor/10.8/accessreviews/admin/configuration/activedirectory.md#update-the-active-directory-service-account-password)
+topic for instructions.
+
+## SMTP Authentication Service Account
+
+An SMTP server is required for the application to send notifications. If the SMTP server requires
+authentication, the service account can be updated on the Notifications page of the Configuration
+interface. See the
+[Configure SMTP Server Settings](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md#configure-smtp-server-settings)
+topic for instructions.
+
+## Application Service Account
+
+The account used to run the Netwrix Auditor Access Reviews service can be updated using Services
+Control Manager console. See the
+[Modify the Service Account via Service Control Manager](serviceaccount.md#modify-the-service-account-via-service-control-manager)
+topic for instructions.
+
+## Builtin Administrator Account
+
+The Builtin Administrator account is an application account that is created during the first launch.
+It is used to complete the initial configuration steps and to grant console access to domain users.
+This account can be disabled after Administrator users are added. However, if it is enabled and a
+security policy requires the password to be reset, it can be updated on the Console Access page of
+the Configuration interface. See the
+[Modify the Builtin Administrator Account](/docs/auditor/10.8/accessreviews/admin/configuration/consoleaccess.md#modify-the-builtin-administrator-account)
+topic for modification instructions.
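Review bot: The last item of the credential list is misspelled "Bultin Administrator account", which does not match the "Builtin Administrator Account" heading further down. The same list capitalises "Application Service Account" while the other entries use lower-case "service account". The Application Service Account section says "Services Control Manager console" but links to a heading titled "Service Control Manager"; use one name. That link is also the only relative one in the file (serviceaccount.md#...); the rest use the absolute /docs/auditor/10.8/... form.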
diff --git a/docs/auditor/10.8/accessreviews/admin/troubleshooting/loglevel.md b/docs/auditor/10.8/accessreviews/admin/troubleshooting/loglevel.md
new file mode 100644
index 0000000000..bf5b6f4118
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/troubleshooting/loglevel.md
@@ -0,0 +1,37 @@
+---
+title: "Change Log Level"
+description: "Change Log Level"
+sidebar_position: 10
+---
+
+# Change Log Level
+
+The `AccessInformationCenter.Service.exe.Config` file is located in the `Logs` folder of the Access
+Reviews installation directory:
+
+...\Netwrix\Access Reviews
+
+Follow the steps to modify the log level.
+
+**Step 1 –** Open the `AccessInformationCenter.Service.exe.Config` file in a text editor, e.g.
+Notepad.
+
+
+
+**Step 2 –** The level value is set in the `LogLevel` parameter, where "2" is the default level. As
+the logging level increases from 0 to 3, the types of information and level of detail included
+within the log file also increase. Change to the desired log level:
+
+
+
+- Error level is when `value="0"`
+- Warning level is when `value="1"`
+- Info level is when `value="2"`
+- Debug level is when `value="3"`
+
+ - Debug logging can be enabled from the Diagnostics page of the Configuration interface
+
+**Step 3 –** Save and close the `AccessInformationCenter.Service.exe.Config` file.
+
+Once troubleshooting has finished, it is recommended to return the log level to the default level,
+Info = 2, to prevent the log file from growing too large.
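Review bot: Step 3 ends at "Save and close" without saying whether the Netwrix Auditor Access Reviews service has to be restarted for the new LogLevel to take effect; add that, since a reader who raises the level for troubleshooting needs to know when it applies. The introduction says the config file is in the `Logs` folder of the installation directory, but the path printed below it is the installation root (...\Netwrix\Access Reviews); confirm the location and put the path in code formatting. The nested bullet under Debug ("Debug logging can be enabled from the Diagnostics page") would read better as a note after the list with a link to the Diagnostics Page.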
diff --git a/docs/auditor/10.8/accessreviews/admin/troubleshooting/overview.md b/docs/auditor/10.8/accessreviews/admin/troubleshooting/overview.md
new file mode 100644
index 0000000000..798e8f2873
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/troubleshooting/overview.md
@@ -0,0 +1,39 @@
+---
+title: "Troubleshooting"
+description: "Troubleshooting"
+sidebar_position: 60
+---
+
+# Troubleshooting
+
+The following are several troubleshooting tips that can assist with diagnosing trouble with the
+Access Reviews application. If engaging with
+[Netwrix Support](https://www.netwrix.com/support.html), it will be useful to be aware of these.
+
+Configuration of Permissions on the Installation Directory:
+
+The Windows service account running the Netwrix Auditor Access Reviews service may be used as the
+Database service account, the Active Directory service account, and/or the SMTP authentication
+account. Check the Database, Active Directory, and Notification pages in the Configuration interface
+to confirm where the account is in use before modifying it to ensure these functionality are not
+impaired. If this account is changed, a new account must have the **Full Control** permission to
+files and folders in the Access Reviews installation directory. See the
+[Application Service Account](/docs/auditor/10.8/accessreviews/admin/troubleshooting/serviceaccount.md) topic for additional information.
+
+Log File:
+
+By default the Access Reviews application is configured to log at the Info level. When requested by
+Netwrix Support, you can enable Debug level from the Diagnostics page of the Configuration
+interface. See the [Diagnostics Page](/docs/auditor/10.8/accessreviews/admin/configuration/diagnostics.md) topic for additional
+information.
+
+If a different log level is needed or desired, the `aic.log` file can be modified. See the
+[Change Log Level](/docs/auditor/10.8/accessreviews/admin/troubleshooting/loglevel.md) topic for additional information.
+
+Credential Password Changes:
+
+The Access Reviews application uses several different types of service accounts. If a credential
+password for one of these accounts is no longer valid, it will impact application functionality.
+Additionally, if the Builtin Administrator account remains enabled, it may be necessary to reset the
+password. See the [Update Credential Passwords](/docs/auditor/10.8/accessreviews/admin/troubleshooting/credentialpasswords.md) topic for additional
+information.
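Review bot: The Log File section says "the `aic.log` file can be modified" to change the log level, but the Change Log Level topic it links to edits the `LogLevel` parameter in `AccessInformationCenter.Service.exe.Config`; name the config file here and refer to `aic.log` only as the log output, if that is what it is. In the permissions paragraph, "to ensure these functionality are not impaired" should be "to ensure this functionality is not impaired". The three labels ending in a colon ("Log File:", etc.) are bare lines acting as headings.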
diff --git a/docs/auditor/10.8/accessreviews/admin/troubleshooting/serviceaccount.md b/docs/auditor/10.8/accessreviews/admin/troubleshooting/serviceaccount.md
new file mode 100644
index 0000000000..d67ab2718e
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/admin/troubleshooting/serviceaccount.md
@@ -0,0 +1,48 @@
+---
+title: "Application Service Account"
+description: "Application Service Account"
+sidebar_position: 20
+---
+
+# Application Service Account
+
+The Windows service account running the Netwrix Auditor Access Reviews service may be used as the
+Database service account, the Active Directory service account, and/or the SMTP authentication
+account. Check the Database, Active Directory, and Notification pages in the Configuration interface
+to confirm where the account is in use before modifying it to ensure these functionality are not
+impaired. If the same account is being used for multiple purposes, it will require the proper
+permissions for each purpose.
+
+It may become necessary (for testing purposes, infrastructure changes, etc.) to change the Windows
+account set to run the Netwrix Auditor Access Reviews service. The following step-by-step
+instructions are for modifying this account within the Services Control Manager console.
+
+**CAUTION:** The account assigned to run the Netwrix Auditor Access Reviews service must have Full
+Control over the installation directory:
+
+...\Netwrix\Access Reviews
+
+## Modify the Service Account via Service Control Manager
+
+Follow the steps to enable and/or modify the Windows service account running the Netwrix Auditor
+Access Reviews service.
+
+**Step 1 –** Navigate to Service Control Manager (`services.msc`). The Services Control Manager
+opens.
+
+
+
+**Step 2 –** Right-click on the Netwrix Auditor Access Reviews service and select **Properties**.
+The service Properties window opens.
+
+
+
+**Step 3 –** On the **Log On** tab, select the **This account** radio button. Enter the account name
+using NTAccount format [```DOMAIN\username```]. Optionally, use the **Browse** button to search for
+the account. Enter the account's password in both the **Password** and **Confirm password** fields.
+Then click **OK**. The Properties window closes.
+
+**Step 4 –** The selected account is displayed in the Log On As column for the service. Either
+Restart or Stop and Start the service for this change to take affect.
+
+The Netwrix Auditor Access Reviews service is now running with the supplied Windows account.
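Review bot: In Step 3 the account format is written as [```DOMAIN\username```], a triple-backtick fence used inline inside square brackets; use single backticks (`DOMAIN\username`) as login.md does for the same format. Step 4 has "take affect", which should be "take effect". The first paragraph repeats "to ensure these functionality are not impaired" from the troubleshooting overview and needs the same grammar fix. The page alternates between "Services Control Manager" (intro, Step 1) and "Service Control Manager" (heading); pick one.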
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/_category_.json b/docs/auditor/10.8/accessreviews/entitlementreviews/_category_.json
new file mode 100644
index 0000000000..2e34d68871
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Reviews Overview",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/_category_.json b/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/_category_.json
new file mode 100644
index 0000000000..a01f573575
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Approval Process",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "approvalprocess"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/approvalprocess.md b/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/approvalprocess.md
new file mode 100644
index 0000000000..2c48c5a147
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/approvalprocess.md
@@ -0,0 +1,78 @@
+---
+title: "Approval Process"
+description: "Approval Process"
+sidebar_position: 30
+---
+
+# Approval Process
+
+After all owners assigned to a specific review have submitted their review, its status on the Manage
+Reviews page of the Entitlement Reviews interface changes to Responses awaiting review.
+
+
+
+In the approval process, the Review Administrator looks at the owner-recommended changes and chooses
+to approve, deny, or defer the changes.
+
+See the Process Owner Responses topic for instructions on how to perform a granular review of
+owner-recommended changes. See the Batch Processing topic for instructions on how to approve,
+decline, or defer all owner-recommended changes for a review.
+
+## Process Owner Responses
+
+Follow the steps to perform a granular review of a resource owner's recommended changes.
+
+**Step 1 –** On the Manage Reviews page, select a review and click **View Details**. The Review
+Details page opens.
+
+
+
+**Step 2 –** Select a resource in the list and click **View Responses**. The View Responses window
+opens.
+
+
+
+**Step 3 –** By default, the table displays only the recommended changes. Select an item and click
+the desired action button: Accept, Decline, or Defer. The Approval column icon updates. See the
+[View Responses Window](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/viewresponses.md) topic for additional information.
+
+**Step 4 –** Repeat Step 3 until all changes have been processed. Then click **Close**. The View
+Responses window closes.
+
+**Step 5 –** Repeat Steps 2-4 for each resource included in the review.
+
+**Step 6 –** Remediation of the accepted changes must be done manually. Accepted changes must be
+implemented outside of the application by your IT department. Use the **Export Excel** or **Export
+CSV** buttons to generate and download an export of accepted changes.
+
+**Step 7 –** When remediation is complete, return to the Mange Reviews page (click on the
+breadcrumb). Select the review in the list and click **Mark Completed**.
+
+The review remains marked as Completed until the next instance is started.
+
+## Batch Processing
+
+Follow the steps to perform a batch processing of a resource owner's recommended changes.
+
+**Step 1 –** On the Manage Reviews page, select a review and click **View Details**. The Review
+Details page opens. .
+
+
+
+**Step 2 –** Select a resource in the list and open the **Process Changes** drop-down menu.
+
+**Step 3 –** Select the desired action for all recommended changes: Accept, Decline, or Defer.
+
+_Remember,_ all recommended changes for the selected resource will be processed with the same
+resolution.
+
+**Step 4 –** Repeat Steps 2-3 for each resource included in the review.
+
+**Step 5 –** Remediation of the accepted changes must be done manually. Accepted changes must be
+implemented outside of the application by your IT department. Use the **Export Excel** or **Export
+CSV** buttons to generate and download an export of accepted changes.
+
+**Step 6 –** When remediation is complete, return to the Mange Reviews page (click on the
+breadcrumb). Select the review in the list and click **Mark Completed**.
+
+The review remains marked as Completed until the next instance is started.
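Review bot: "Mange Reviews page" is misspelled in both closing steps (Step 7 of Process Owner Responses and Step 6 of Batch Processing) and should read "Manage Reviews page". Step 1 of Batch Processing also ends with a stray " ." after "Details page opens." The intro refers to "the Process Owner Responses topic" and "the Batch Processing topic", which are sections of this same page, so same-page anchor links would serve the reader better than plain text. Because the page states that accepted changes are implemented manually outside the application, consider having the final step tell the administrator to check the exported list against what IT actually changed before clicking Mark Completed; as written, nothing in the steps ties completion to the remediation.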
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/removechanges.md b/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/removechanges.md
new file mode 100644
index 0000000000..c5066eb0cf
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/removechanges.md
@@ -0,0 +1,18 @@
+---
+title: "Remove Changes Window"
+description: "Remove Changes Window"
+sidebar_position: 10
+---
+
+# Remove Changes Window
+
+Select the desired resource on a Review Details page and click **Remove Changes**. The Remove
+changes window opens to confirm the action.
+
+
+
+**CAUTION:** This will clear all owner-recommended changes and notes for the resource. The owner
+will be required to complete the review again.
+
+Click Yes to clear owner-recommended changes. Click No to cancel it. The Remove changes window
+closes.
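Review bot: the window is called "Remove changes window" twice in the body but "Remove Changes Window" in the title and heading; use one casing. "Click Yes" and "Click No" are unbolded while **Remove Changes** in the first sentence is bold, and "Click No to cancel it" has no clear referent for "it"; "to cancel the action" would be clearer.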
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/create/_category_.json b/docs/auditor/10.8/accessreviews/entitlementreviews/create/_category_.json
new file mode 100644
index 0000000000..c4da29b5da
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/create/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Create Review Wizard",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "create"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/create/create.md b/docs/auditor/10.8/accessreviews/entitlementreviews/create/create.md
new file mode 100644
index 0000000000..b133b09376
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/create/create.md
@@ -0,0 +1,88 @@
+---
+title: "Create Review Wizard"
+description: "Create Review Wizard"
+sidebar_position: 20
+---
+
+# Create Review Wizard
+
+The Create Review wizard is opened with the **Create** button on the Entitlement Reviews interface.
+See the [Manage Reviews Page](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md#manage-reviews-page) topic for additional information.
+
+
+
+It contains three pages:
+
+- 1. Review Type
+
+ - Review Name — Visible only to Review Administrators
+ - Select the type of review to be created:
+
+ - Membership – Review group membership
+ - Access – Review user access rights to resources
+
+- 2. Resources — Select resources to be included in the review
+- 3. Summary
+
+ - Preview of the review selections
+ - Provides a status of the action being committed. Action includes creating the review and
+ sending notifications to owners.
+
+See the Create a Review topic for additional information.
+
+## Create a Review
+
+Follow the steps to create a review.
+
+**Step 1 –** On the Manage Reviews page, click Create. The Create Review wizard opens.
+
+
+
+**Step 2 –** On the Review Type page, provide the following information and click **Next**:
+
+- Review Name — Enter a unique, descriptive name for the review. The review name is only visible to
+ Review Administrators.
+- Select Type — Reviews are limited to one type. Select the type of review from the buttons
+ provided:
+
+ - Membership – Review group membership
+ - Access – Review user access rights to resources
+
+
+
+**Step 3 –** On the Resources page, select the resources to be included in the review. The Search
+feature is available to filter the list of available resource that match the type of review being
+created.
+
+- The table displays the following information:
+
+ - Resources — The icon indicates the type of resource. The resource name includes its location,
+ such as the UNC path for a file system resource, the URL for SharePoint resource, or Group
+ name (e.g., [Domain]\[Group]).
+ - Description — Description or explanation of the resource as supplied by either the Ownership
+ Administrator or the assigned owner
+ - Reviewer — Primary owner assigned to the resource
+ - Confirmed — Indicates whether or not the assigned owner has confirmed ownership of that
+ resource. Tool-tips display when hovering over the icons indicating whether the resource
+ ownership has been confirmed, declined, pending response, or that a confirmation has not been
+ requested.
+ - Scan Data — A checkmark indicates the resource has been scanned. Only resources with scan data
+ can be included in a review.
+
+- Select the desired resource(s) and click **Add**. The **View Selections** button indicates how
+ many resources have been selected. Click the button to open the Selected Resources window, where
+ you can view and modify the selections. See the
+ [Selected Resources Window](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/selectedresources.md) topic for additional information.
+- Once the desired resources have been selected, click **Next**.
+
+
+
+**Step 4 –** On the Summary page, review the settings and click Finish. The Access Reviews begins to
+create the review. Action status displays on the page. When the update has completed (100%), click
+Close. The Create Review wizard closes.
+
+The new review displays in the table on the Manage Reviews page. An email was sent to the primary
+owner assigned to the resource(s) in this review. By default, the application is configured to send
+notifications only to the primary owner. However, this can be customized on the Configuration >
+Notifications page to send notifications to all assigned owners. See the
+[Notifications Page](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md) topic for additional information.
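Review bot: in the Resources bullet of Step 3, "[Domain]\[Group]" will not render as written, because the backslash before "[" is a Markdown escape and is dropped from the output; put the example in inline code or double the backslash. Also in Step 3, "available resource that match" should be "available resources that match". In Step 4, "The Access Reviews begins to create the review" is missing a noun (for example "The Access Reviews application begins ..."), and Create, Finish and Close are unbolded while Next and Add are bold. The page outline uses "- 1. Review Type", which mixes a bullet marker with a number; an ordered list would express the three wizard pages cleanly.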
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/create/reviewinstances.md b/docs/auditor/10.8/accessreviews/entitlementreviews/create/reviewinstances.md
new file mode 100644
index 0000000000..3bb2c1df8f
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/create/reviewinstances.md
@@ -0,0 +1,21 @@
+---
+title: "Review Instances"
+description: "Review Instances"
+sidebar_position: 10
+---
+
+# Review Instances
+
+After a review has been completed, it can be run again, which creates multiple instances of the
+review. Each instance is identified by date timestamps indicating its start and end times.
+
+**_RECOMMENDED:_** Prior to running another review instance, ensure the most up to date information
+is available to owners for review.
+
+
+
+On the Manage Reviews page in the Entitlement Reviews interface, a review with a Completed status
+can be started again. Select the review and click **Run Again**. The Create Review wizard opens
+without the Review Type page. The review can be run as-is by navigating through the wizard with the
+**Next** buttons, or you can modify as desired. Completing the wizard process restarts the review.
+See the [Create Review Wizard](/docs/auditor/10.8/accessreviews/entitlementreviews/create/create.md) topic for additional information.
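Review bot: the RECOMMENDED callout says to "ensure the most up to date information is available to owners" but gives no way to do that; name the step or link the topic that refreshes the data owners will review. "up to date" should be hyphenated ("up-to-date") before the noun.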
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/interface/_category_.json b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/_category_.json
new file mode 100644
index 0000000000..021c911889
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Entitlement Reviews Interface",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "interface"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/interface/deletereview.md b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/deletereview.md
new file mode 100644
index 0000000000..c73d7c628f
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/deletereview.md
@@ -0,0 +1,39 @@
+---
+title: "Delete Review Window"
+description: "Delete Review Window"
+sidebar_position: 10
+---
+
+# Delete Review Window
+
+The Delete Review window opens from either the
+[Manage Reviews Page](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md#manage-reviews-page) or the
+[Review Details Page](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md#review-details-page) of the Entitlement Reviews interface:
+
+- Delete Entire Review — Deleting a review from the Manage Reviews page will delete all instances of
+ the selected review
+- Delete Review Instance — Deleting a review from the Review Details page will delete the selected
+ review instance
+
+## Delete Entire Review
+
+Select the desired review on the Manage Reviews page and click **Delete**. The Delete Review window
+opens to confirm the action.
+
+
+
+**CAUTION:** This will delete all instances of the selected review and all historical data
+associated with it.
+
+Click **Yes** to complete the deletion. Click **No** to cancel it. The Delete Review window closes.
+
+## Delete Review Instance
+
+Select the desired review instance from the drop-down menu on the Review Details page and click
+**Delete**. The Delete Review window opens to confirm the action.
+
+
+
+**CAUTION:** This will delete all historical data associated to the selected review instance.
+
+Click **Yes** to complete the deletion. Click **No** to cancel it. The Delete Review window closes.
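Review bot: the second CAUTION says "associated to the selected review instance" while the first says "associated with it"; use "associated with" in both. Both actions remove historical data, yet neither CAUTION says whether the deletion can be undone. State that explicitly, and consider pointing readers to the Export Excel or Export CSV buttons on the Review Details page if the history needs to be kept as a record before deleting.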
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md
new file mode 100644
index 0000000000..8ac3907346
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md
@@ -0,0 +1,132 @@
+---
+title: "Entitlement Reviews Interface"
+description: "Entitlement Reviews Interface"
+sidebar_position: 10
+---
+
+# Entitlement Reviews Interface
+
+The Entitlement Reviews interface opened by the Entitlement Reviews tab is where Review
+Administrators perform many operations around managing reviews. This interface has multiple pages:
+
+- Manage Reviews Page — Create and manage all reviews
+- Review Details Page — Manage and view all instances for a specific review
+
+## Manage Reviews Page
+
+The Manage Reviews page is the first page in the Entitlement Reviews interface. It displays
+high-level information for reviews.
+
+
+
+The interface includes:
+
+- Table of reviews
+- Daily Review Responses line graph
+- Active Review Status donut graph
+
+The information displayed in the table includes:
+
+- Name — Name of the review, as provided by the Review Administrator
+- Type — Type of review:
+
+ - Access – Review user access rights to resources
+ - Membership – Review group membership
+
+- Status — Status of the review:
+
+ - Status bar with specified percentage completed
+
+ - [Empty bar] 0% – Indicates not started. Hovering over the bar will display the number of
+ items included.
+ - [Partially filled bar] with a non-zero% – Indicates the specific percentage of items
+ completed. Hovering over the bar displays the number of items completed out of the total
+ number of items.
+
+ - Responses awaiting review — Owner(s) completed reviews. Waiting on Review Administrator's
+ approval.
+ - All responses processed — Reviews have been approved by Review Administrators. The review can
+ be marked as completed.
+ - Stopped — Indicates that the review was stopped and is considered complete even if all of the
+ responses have not been received or processed. The review remains static until it is run
+ again.
+ - Completed — Indicates the Review Administrator has processed the owners' responses. The review
+ remains static until it is run again. This status can appear by accepting the review as-is
+ with the Mark Completed button.
+
+- Created By — Name of the Review Administrator who create the review
+- Created On — Date timestamp for when the review was creation. If it has been run multiple times,
+ this is the date timestamp of the last instance.
+- Finished On — Date timestamp when the review is marked complete by the Review Administrator. If it
+ has been run multiple times, this is the date timestamp of the last instance.
+
+The table data grid functions the same way as other table grids. See the
+[Data Grid Features](/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md) topic for additional information.
+
+The buttons at the bottom enable you to conduct the following actions:
+
+| Button | Description |
+| -------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Create | Launches the Create Review wizard for creating a new review. See the [Create Review Wizard](/docs/auditor/10.8/accessreviews/entitlementreviews/create/create.md) topic for additional information. |
+| Rename | Opens the Rename Review window for modifying the review name. See the [Rename Review Window](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/renamereview.md) topic for additional information. |
+| Delete | Opens the Delete Review window to delete review and its instance history, which asks for confirmation of the action. See the [Delete Review Window](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/deletereview.md) topic for additional information. |
+| Stop | Opens the Stop Review window, which asks for confirmation of the action. See the [Stop Review Window](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/stopreview.md) topic for additional information. |
+| View Details | Opens the Review Details page for the selected review. See the Review Details Page topic for additional information. |
+| Mark Completed | Closes the selected review as-is and marks it as completed. Requires the owner(s) to have responded. **CAUTION:** No confirmation is requested for this action. |
+| Run Again | Opens the Create Review wizard for the selected review without the option to change the review type. Modify as desired and relaunch the review. See the [Review Instances](/docs/auditor/10.8/accessreviews/entitlementreviews/create/reviewinstances.md) topic for additional information. |
+| Send Reminders | Sends a notification email to the assigned owner(s), reminding of the pending review. Opens the Send Reminders window, which indicates an action status. See the [Send Reminders Window](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/sendreminders.md) topic for additional information. |
+
+## Review Details Page
+
+The Review Details page displays information for all instances of the selected review, which is
+named in the page breadcrumb. This page is opened by selecting a review on the Manage Reviews page
+and clicking **View Details**.
+
+
+
+Instances are selected from the drop-down menu. By default the most current instance will be
+displayed. Instances are named with date timestamps indicating the start and end times for the
+review instance.
+
+The information displayed in the table includes:
+
+- Resource Name — The icon indicates the type of resource. The resource name includes its location,
+ such as the UNC path for a file system resource, the URL for SharePoint resource, or Group name
+ (e.g., [Domain]\[Group]).
+- Reviewer Name — Primary owner assigned to the resource
+- Review Status — Indicates whether or not the assigned owner has submitted the review. Tool-tips
+ display when hovering over the icons.
+- Review Changes — Displays a count of items that have recommended changes for the resource
+- Review Time — Date timestamp for when the owner submitted the review
+- Approval Status — Status of the Review Administrator's approval:
+
+ - Blank — Indicates the owner has not completed the review for the resource
+ - Status bar with specified percentage completed
+
+ - [Empty bar] 0% – Indicates not started. Hovering over the bar will display the number of
+ items included.
+ - [Partially filled bar] with a non-zero% – Indicates the specific percentage of items
+ completed. Hovering over the bar displays the number of items completed out of the total
+ number of items.
+
+ - Completed — Indicates the Review Administrator has processed the owners' responses. The review
+ remains static until it is run again.
+
+- Approval Notes – Icon indicates a Note has been added. Click on the icon to read the attached
+ note(s). Notes displayed here can only be added or viewed by the Review Administrator. See the
+ [Edit Notes Window](/docs/auditor/10.8/accessreviews/admin/navigate/editnotes.md) topic for additional information.
+
+The table data grid functions the same way as other table grids. See the
+[Data Grid Features](/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md) topic for additional information.
+
+The buttons at the top and bottom enable you to conduct the following actions:
+
+| Button | Description |
+| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Delete | Opens the Delete Review window to delete selected review instance, which asks for confirmation of the action. See the [Delete Review Window](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/deletereview.md) topic for additional information. |
+| Export Excel | Exports the selected review instance information to an Excel spreadsheet. This automatically downloads the spreadsheet. See the [Data Grid Features](/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md) topic for additional information. |
+| Export CSV | Exports the selected review instance information to a CSV file. This automatically downloads the file. See the [Data Grid Features](/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md) topic for additional information. |
+| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. See the [Edit Notes Window](/docs/auditor/10.8/accessreviews/admin/navigate/editnotes.md) topic for additional information. |
+| View Responses | Opens the View Responses window, which is only available if the owner has recommended changes for the resource. This window displays all recommended changes, notes provided by the owner for the recommended change, and action buttons to Accept, Decline, or Defer the recommended change. See the [View Responses Window](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/viewresponses.md) topic for additional information. |
+| Process Changes | Opens a drop-down menu to Accept, Decline, or Defer all owner-recommended changes for the selected resource. This option allows the Review Administrator to process responses in batches, so all owner-recommended changes for the selected resource will be processed with the same action. |
+| Remove Changes | Opens the Remove changes window. Clears all requested changes for the selected resource. The resource is returned to a ‘Waiting’ status, requiring the owner to review the resource again. See the [Remove Changes Window](/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/removechanges.md) topic for additional information. |
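Review bot: two grammar errors in the Manage Reviews column list: "who create the review" should be "who created the review", and "when the review was creation" should be "when the review was created". In the buttons table, the Mark Completed row carries "**CAUTION:** No confirmation is requested for this action" inside a table cell, where it is easy to miss; the Delete and Stop pages in this patch give their cautions a standalone line, and this one deserves the same. "[Domain]\[Group]" in the Resource Name bullet will lose its backslash when rendered, since "\[" is a Markdown escape. The View Details row says "See the Review Details Page topic" without a link although it is a section of this page, and the Remove Changes row uses curly quotes around Waiting where the rest of the file uses straight punctuation.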
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/interface/renamereview.md b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/renamereview.md
new file mode 100644
index 0000000000..83476a5752
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/renamereview.md
@@ -0,0 +1,20 @@
+---
+title: "Rename Review Window"
+description: "Rename Review Window"
+sidebar_position: 20
+---
+
+# Rename Review Window
+
+The Rename Review window opens from the [Manage Reviews Page](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md#manage-reviews-page)
+of the Entitlement Reviews interface. Follow the steps to rename a review.
+
+**Step 1 –** Select the review and click **Rename**. The Rename Review window opens.
+
+
+
+**Step 2 –** Edit the review name in the textbox.
+
+**Step 3 –** Click **OK** when finished. The Rename Review window closes.
+
+The renamed review will display in the table on the Manage Reviews page.
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/interface/selectedresources.md b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/selectedresources.md
new file mode 100644
index 0000000000..8c3c1c4ddc
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/selectedresources.md
@@ -0,0 +1,22 @@
+---
+title: "Selected Resources Window"
+description: "Selected Resources Window"
+sidebar_position: 30
+---
+
+# Selected Resources Window
+
+The Selected Resources window opens from the **View Selections** button in the
+[Create Review Wizard](/docs/auditor/10.8/accessreviews/entitlementreviews/create/create.md).
+
+
+
+The table displays:
+
+- Resource — The icon indicates the type of resource. The resource name includes its location, such
+ as the UNC path for a file system resource, the URL for SharePoint resource, or Group name (e.g.,
+ [Domain]\[Group]).
+- Reviewer — Primary owner assigned to the resource
+
+Use the **Remove** button to remove a resource from this review. Click **OK** to close the window
+and complete the review creation.
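Review bot: the last sentence says that clicking OK will "close the window and complete the review creation", but create.md in this same patch has the wizard continue after the selections are viewed (click Next, then Finish on the Summary page). Reword so that OK closes the window and returns to the Resources page of the wizard. The "[Domain]\[Group]" example will also render without its backslash, because "\[" is a Markdown escape; use inline code or a doubled backslash.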
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/interface/sendreminders.md b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/sendreminders.md
new file mode 100644
index 0000000000..bd84115b61
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/sendreminders.md
@@ -0,0 +1,20 @@
+---
+title: "Send Reminders Window"
+description: "Send Reminders Window"
+sidebar_position: 40
+---
+
+# Send Reminders Window
+
+The Send Reminders window opens from the [Manage Reviews Page](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md#manage-reviews-page)
+of the Entitlement Reviews interface. Select the desired active review(s) and click **Send
+Reminders** to send immediate reminder notifications. The Send Reminders window opens to display an
+action status.
+
+
+
+The window displays the action status. When a successful status is indicated, assigned owners were
+sent a reminder email. Click **OK** to close the Send Reminders window.
+
+_Remember,_ automatic weekly reminders can be configured on the
+[Notifications Page](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md) of the Configuration interface.
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/interface/stopreview.md b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/stopreview.md
new file mode 100644
index 0000000000..84c60151a3
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/stopreview.md
@@ -0,0 +1,18 @@
+---
+title: "Stop Review Window"
+description: "Stop Review Window"
+sidebar_position: 50
+---
+
+# Stop Review Window
+
+The Stop Review window opens from the [Manage Reviews Page](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md#manage-reviews-page) of
+the Entitlement Reviews interface. Select the desired active review(s) and click **Stop**. The Stop
+Review window opens to confirm the action.
+
+
+
+**CAUTION:** This will prevent owners from completing the review, removing associated resources from
+their Pending Reviews list.
+
+Click **Yes** to stop the review. Click **No** to cancel the action. The Stop Review window closes.
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/interface/viewresponses.md b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/viewresponses.md
new file mode 100644
index 0000000000..846814179a
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/interface/viewresponses.md
@@ -0,0 +1,46 @@
+---
+title: "View Responses Window"
+description: "View Responses Window"
+sidebar_position: 60
+---
+
+# View Responses Window
+
+The View Responses window opens from the **View Response** button on the
+[Review Details Page](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md#review-details-page) of the Entitlement Reviews interface. It
+displays all owner-recommended changes and notes for the selected resource.
+
+
+
+The information displayed in the table includes:
+
+- Item Reviewed — Item upon which changes were suggested by the owner
+- Current — Current state of the item at the time of the review
+- Desired — Change suggested by the owner
+- Notes — Icon indicates a Note has been added. Click on the icon to read the attached note(s).
+- Approval — Status of the Review Administrator's approval
+
+ - Clock — Indicates waiting on the Review Administrator to make an official decision
+ - Green Checkmark — Indicates the Review Administrator has approved the request
+ - Red X — Indicates the Review Administrator has declined the request
+ - Yellow Question mark — Indicates the Review Administrator has deferred taking action until a
+ later time
+
+The **Show Only Changes** checkbox is selected by default to show only the items with
+owner-recommended changes. If deselected, all items included in the review are displayed. When
+selecting the items with no changes in the grid, the change buttons at the bottom of the page are
+disabled.
+
+The table data grid functions the same way as other table grids. See the
+[Data Grid Features](/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md) topic for additional information.
+
+Select an item in the table, and use the action buttons at the bottom to identify the decision:
+
+
+
+| Button | Description |
+| ---------- | ---------------------------------------------------- |
+| Accept | Accepts the selected owner-recommended change. |
+| Decline | Declines, or rejects, the owner-recommended change. |
+| Defer | Defers the owner-recommended change to a later time. |
+| View Notes | Opens the Notes window for the selected item. |
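Review bot: the opening sentence names the button "View Response", while the Review Details page table and the Approval Process steps in this patch call it "View Responses"; use the plural here too. Terminology also drifts within the page: the Green Checkmark is described as "approved" while the button and its table row say Accept, and the Show Only Changes paragraph calls the controls "change buttons" while the next paragraph calls them "action buttons". Pick one term for each.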
diff --git a/docs/auditor/10.8/accessreviews/entitlementreviews/overview.md b/docs/auditor/10.8/accessreviews/entitlementreviews/overview.md
new file mode 100644
index 0000000000..a4901aa787
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/entitlementreviews/overview.md
@@ -0,0 +1,82 @@
+---
+title: "Reviews Overview"
+description: "Reviews Overview"
+sidebar_position: 40
+---
+
+# Reviews Overview
+
+The Entitlement Reviews interface is where users with either the Security Team or Administrator role
+(to be referred to as Review Administrators) can manage reviews. The workflow provides a way for
+business users or data custodians (to be referred to as Owners) to attest to the access and
+privileges users have to their resources.
+
+For the purpose of the Access Reviewsapplication, a “resource” refers to the file system shared
+folders, SharePoint Online site collections, and Active Directory (AD) groups. All data available
+within the Access Reviews application is collected by Netwrix Auditor according to the synchronized
+monitoring plans.
+
+_Remember,_ Owners are assigned to resources in the Resource Owners interface. Only resources with
+assigned Owners can be included in a reviews.
+
+Who Can Run Reviews (Review Administrators)?
+
+- Console Users with Administrator role
+
+ - Can complete the Review Administrator's approval process without impacting the visibility into
+ the review created by a Review Administrator with the Security Team role
+
+ **CAUTION:** Visibility into a review created by a Review Administrator with the Security
+ Team role is blocked if a Review Administrator with the Administrator role starts a new
+ instance.
+
+- Console Users with Security Team role
+
+ - Visibility into only those reviews personally created
+
+Who Participates in Reviews?
+
+- Review Administrators — Create / start reviews and approve / process owner recommended changes
+- Owners — Perform reviews and recommend changes
+
+Types of Reviews
+
+There are two types of reviews:
+
+- Access – Review user access rights to resources
+- Membership – Review group membership
+
+See the [Entitlement Reviews Interface](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md) topic for additional information.
+
+## Workflow of Reviews
+
+Prerequisite:
+
+- The Access Reviews application is configured to send Notifications. See the
+ [Notifications Page](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md) topic for additional information.
+
+ **NOTE:** By default, the application is configured to send notifications only to the primary
+ owner. However, this can be customized on the Configuration > Notifications page to send
+ notifications to all assigned owners.
+
+- Owners assigned to resources within the Resource Owners interface. See the
+ [Resource Owners Overview](/docs/auditor/10.8/accessreviews/resourceowners/overview.md) topic for additional information.
+
+Workflow:
+
+**_RECOMMENDED:_** When deploying the Access Reviews application in an organization to process
+reviews, owners should be notified prior to launching the first set of reviews. See the
+[Notification to Owners](/docs/auditor/10.8/accessreviews/resourceowners/overview.md#notification-to-owners) topic for additional
+information.
+
+1. Review Administrator creates a review or starts a new review instance. See the
+ [Create Review Wizard](/docs/auditor/10.8/accessreviews/entitlementreviews/create/create.md) topic for additional information.
+2. Owner performs a review. See the [Pending Reviews](/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/pendingreviews.md) topic for additional
+ information.
+3. Review Administrator approves owner recommendations. See the
+ [Approval Process](/docs/auditor/10.8/accessreviews/entitlementreviews/approvalprocess/approvalprocess.md) topic for additional information.
+4. Implement approved changes in your organization. Manually, export a list of approved changes and
+ deliver it to your IT department.
+
+When desired, the Review Administrator runs another instance of the review and the workflow starts
+again. See the [Review Instances](/docs/auditor/10.8/accessreviews/entitlementreviews/create/reviewinstances.md) topic for additional information.
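Review bot: Under "Who Can Run Reviews", the Administrator bullet says the approval process can be completed "without impacting the visibility" of a Security Team review, while the CAUTION directly below it says visibility is blocked when an Administrator starts a new instance. State explicitly which action preserves visibility (approving) and which removes it (starting a new instance), so that the two lines do not read as contradictory. Two smaller wording points: "included in a reviews" should be "included in a review", and workflow step 4 ("Manually, export a list of approved changes ...") should be rephrased to make clear that the export and hand-off to IT is the manual step.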
diff --git a/docs/auditor/10.8/accessreviews/installation/_category_.json b/docs/auditor/10.8/accessreviews/installation/_category_.json
new file mode 100644
index 0000000000..b28bcf17a4
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/installation/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Installation Overview",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/installation/accessreviewsconfiguration.md b/docs/auditor/10.8/accessreviews/installation/accessreviewsconfiguration.md
new file mode 100644
index 0000000000..cd0b2c64c0
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/installation/accessreviewsconfiguration.md
@@ -0,0 +1,56 @@
+---
+title: "Select Data Sources"
+description: "Select Data Sources"
+sidebar_position: 20
+---
+
+# Select Data Sources
+
+_Remember,_ the Access Reviews must already be installed on the Auditor server.
+
+You can configure Netwrix Auditor Access Reviews in two ways:
+
+- Select Data Sources in the General Settings
+- Select Data Sources in the Monitoring Plan
+
+## Select Data Sources in the General Settings
+
+If you plan to use Access Reviews for multiple data sources, configure the settings to work with the
+data sources that you select.
+
+Follow the steps to configure Access Reviews in the Netwrix Auditor.
+
+**Step 1 –** Go to **Settings > General > Access Reviews**.
+
+
+
+**Step 2 –** Click **Manage**.
+
+
+
+**Step 3 –** Select the desired data sources to review.
+
+**Step 4 –** Click **Save**.
+
+Netwrix Auditor Access Reviews is configured and ready to use in the Netwrix Auditor.
+
+## Select Data Sources in the Monitoring Plan
+
+If you plan to use Access Reviews for a specific monitoring plan, configure Access Reviews in that
+monitoring plan.
+
+Follow the steps to configure Access Reviews in the Netwrix Auditor.
+
+**Step 1 –** Go to **Configuration > Monitoring plans**.
+
+**Step 2 –** Double click the desired monitoring plan.
+
+**Step 3 –** Click **Edit data source** button on the left.
+
+
+
+**Step 4 –** Navigate to the Send data for Access Reviews and select the checkbox.
+
+**Step 5 –** Click **Save** or **Save & Close**.
+
+Netwrix Auditor Access Reviews is configured and ready to use in the Netwrix Auditor.
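Review bot: Step 4 of "Select Data Sources in the Monitoring Plan" is missing a noun: "Navigate to the Send data for Access Reviews and select the checkbox" should name the control, for example "Navigate to the **Send data for Access Reviews** option and select the checkbox". The same section's Step 3 needs an article ("Click the **Edit data source** button"), and the opening line "the Access Reviews must already be installed" should read "Access Reviews" or "the Access Reviews application". Both procedures are introduced with the identical sentence "Follow the steps to configure Access Reviews in the Netwrix Auditor."; consider differentiating them so readers can tell which scope they are configuring.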
diff --git a/docs/auditor/10.8/accessreviews/installation/install.md b/docs/auditor/10.8/accessreviews/installation/install.md
new file mode 100644
index 0000000000..0a11c51901
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/installation/install.md
@@ -0,0 +1,79 @@
+---
+title: "Install"
+description: "Install"
+sidebar_position: 10
+---
+
+# Install
+
+Once the prerequisites have been met, follow the steps to install the Access Reviews application.
+
+**Step 1 –** Run the `AccessReviews.exe` executable, and the Netwrix Auditor Access Reviews Setup
+wizard opens.
+
+
+
+**Step 2 –** On the Welcome page, click **Next** to begin the installation process.
+
+
+
+**Step 3 –** On the End-User License Agreement page, select the **I accept the terms in the License
+Agreement** checkbox and click **Next**.
+
+
+
+**Step 4 –** On the Destination Folder page, you can choose between the default destination folder
+and a custom folder. Click **Change** to browse for a different location. When the destination is
+set as desired, click **Next**.
+
+**NOTE:** The default location is `C:\Program Files\Netwrix\Access Access Reviews\`. There are no
+specific requirements for changing the path.
+
+
+
+**Step 5 –** On the SQL Server Connection page, provide the required database information. Click
+**Next** to test the connection to the SQL Server.
+
+- Server — Enter the database server hostname (NetBIOS name, FQDN, or IP address) with the instance
+ name or non-standard port, if applicable, in one of the following formats:
+
+ - No named instance, use `[SQLHostName]`, for example `NT-SQL02`
+ - Named instance, use `[SQLHostName]\[SQLInstanceName]`, for example `NT-SQL02\Netwrix`
+ - No named instance with non-standard port, use `[SQLHostName],[PortNumber]`, for example
+ `NT-SQL02,72`
+ - Named instance with non-standard port, use `[SQLHostName]\[SQLInstanceName],[PortNumber]`, for
+ example `NT-SQL02\Netwrix,72`
+
+- Database — Enter the name of the database. By default, this is set to NetwrixAR.
+
+- Authentication – Select the Database service account type from the drop-down menu. Then enter the
+ account information in the **User Name** and **Password** fields.
+ - For Windows Authentication – **User Name** format must be `[DOMAIN]\[username]` , for example
+ `NWXTECH\ad.bruce`
+
+**NOTE:** See the [Database Page](/docs/auditor/10.8/accessreviews/admin/configuration/database.md) topic for additional
+information.
+
+
+
+**Step 6 –** If there are no errors, you will be asked to confirm creation of the new database.
+Click **Yes**.
+
+
+
+**Step 7 –** On the Configure Web Server page, you can choose between the default port and a custom
+port on which the application will be accessible. To change the port, enter a new port number in the
+field. When the port is set as desired, click **Next**.
+
+**NOTE:** The default port is 81.
+
+
+
+**Step 8 –** On the Ready to install page, click **Install** to begin the process.
+
+
+
+**Step 9 –** Once the installation has successfully completed, click **Finish** to exit the wizard.
+
+The installation wizard placed a Netwrix Auditor Access Reviews icon on the desktop. Now proceed to
+the [First Launch](/docs/auditor/10.8/accessreviews/admin/firstlaunch.md) topic for next steps.
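Review bot: The NOTE under Step 4 gives the default location as `C:\Program Files\Netwrix\Access Access Reviews\`, with "Access" doubled, whereas secure.md and upgrade.md in this same patch use `...\Netwrix\Access Reviews`. Please confirm the real default and make the three files agree. Step 1 names the installer `AccessReviews.exe` while upgrade.md calls it `AccessReviews.msi`; pick one. Since Step 7 documents a plain HTTP default (port 81), a pointer from there to the Secure Console Access topic added in this patch would help readers who need HTTPS. Also note that `sidebar_position: 10` is used here and in overview.md, so the ordering of the two pages is ambiguous.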
diff --git a/docs/auditor/10.8/accessreviews/installation/overview.md b/docs/auditor/10.8/accessreviews/installation/overview.md
new file mode 100644
index 0000000000..b46d3ad4a9
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/installation/overview.md
@@ -0,0 +1,66 @@
+---
+title: "Installation Overview"
+description: "Installation Overview"
+sidebar_position: 10
+---
+
+# Installation Overview
+
+The Netwrix Auditor Access Reviews application relies on collected and analyzed data that is stored
+in a Microsoft® SQL® Server database. Netwrix Auditor must be installed and collecting data before
+installing and using the Access Reviews application. The Access Reviews Configuration tool must be
+used after installation to complete the integration of these products.
+
+**NOTE:** Access Reviews is a separately licensed product and is not included with Netwrix Auditor.
+Make sure that you have the Access Reviews license enabled in Auditor.
+
+## Prerequisites
+
+The Access Reviews application must be installed on the same server as Netwrix Auditor.
+
+### Permissions
+
+Permissions are needed to the Netwrix Auditor database and to Active Directory. This can be one
+account with sufficient rights to each or two separate accounts. For the purpose of this document,
+these will be referred to as the Database service account and the Active Directory service account.
+
+- Database service account – This is the same account used by Netwrix Auditor for a database service
+ account. This credential is required for installation.
+
+ **NOTE:** Database connection via TLS 1.2 (SQL Native Client) is supported.
+
+- Active Directory service account – The Access Reviews Console login authentication requires the
+ Active Directory service account to have rights to "read" Active Directory. This credential is
+ configured during installation based on the account used for connecting to the database. See the
+ [Active Directory Page](/docs/auditor/10.8/accessreviews/admin/configuration/activedirectory.md) topic for additional
+ information.
+
+## Software Compatibility & Versions
+
+For proper functionality, it is necessary for the version of the Access Reviews to be compatible
+with the existing Netwrix Auditor installation. If necessary,
+[Netwrix Support](https://www.netwrix.com/support.html) can confirm whether the two product versions
+are compatible.
+
+Latest Version Compatibility
+
+| Component | Current Version |
+| ------------------------------ | --------------- |
+| Netwrix Auditor Console | 10.7\* |
+| Netwrix Auditor Access Reviews | v12.0\* |
+
+Last Updated 6/6/2022
+
+See the [Upgrade Procedure](/docs/auditor/10.8/accessreviews/installation/upgrade.md) topic for additional information.
+
+## Supported Browsers
+
+Supported browsers for the Access Reviews Console include:
+
+- Google® Chrome®
+- Microsoft® Edge®
+- Mozilla® Firefox®
+
+## Screen Resolution Requirement
+
+Supported screen resolution of 1368 x 768 or greater.
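Review bot: The "Latest Version Compatibility" table is being added under docs/auditor/10.8 but lists Netwrix Auditor Console as 10.7\* with "Last Updated 6/6/2022", and the asterisks on both versions have no footnote explaining them. Either update the table for 10.8 or add the footnote text the asterisks refer to. In the Permissions section, "rights to "read" Active Directory" would be more useful if it named the scope the account needs to read, and the TLS 1.2 note only says the connection "is supported" without saying whether it is required or how to enable it. The screen resolution "1368 x 768" is worth confirming, since the common panel resolution is 1366 x 768.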
diff --git a/docs/auditor/10.8/accessreviews/installation/secure.md b/docs/auditor/10.8/accessreviews/installation/secure.md
new file mode 100644
index 0000000000..95129cc5b3
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/installation/secure.md
@@ -0,0 +1,81 @@
+---
+title: "Secure Console Access"
+description: "Secure Console Access"
+sidebar_position: 30
+---
+
+# Secure Console Access
+
+Enable Secure Sockets Layer (SSL) for secure, remote connections to the application web server. In
+order to enable SSL, you need to create a certificate and then bind it to the secure port.
+
+**NOTE:** Organizations typically have one or more system administrators responsible for Public Key
+Infrastructure (PKI) and certificates. To continue with this configuration, it will first be
+necessary to confer with the PKI administrator to determine which certificate method will conform to
+the organization’s security policies.
+
+Follow the steps to enable SSL.
+
+**Step 1 –** Create an SSL Binding.
+
+**Step 2 –** Modify the AccessInformationCenter.Service.exe.Config File.
+
+The Access Reviews application is now configured to use SSL for secure, remote connections.
+
+## Create an SSL Binding
+
+You run a PowerShell command to create an SSL binding. The binding command has several environmental
+variables:
+
+- The `$certHash` value is the `Thumbprint` value.
+- The `$ip` value of the IP addresses. In the example script below, the value [0.0.0.0] is set for
+ all IP addresses.
+- The `$port` value must be accurate for your environment. The HTTP default port is 81. The HTTPS
+ default is 481. However, it can be customized during installation.
+- The `$guid` value is required for specifying a valid GUID value to identify the owning application
+ for a binding purpose. It obtained from any valid GUID.
+
+If you need to find the `$certHash` value of a certificate that was already created, run the
+PowerShell `dir` command below on the certificate's drive. This will output the Thumbprint (Hash)
+value and the certificate name:
+
+```powershell
+dir cert:\localmachine\my
+```
+
+Replace the environmental variables in the example script below. Then Run the PowerShell command to
+create an SSL binding:
+
+```powershell
+$guid = "1be32670-7644-4dce-9a5d-01643022074e"
+$certHash = "03CFD5D51A0DAA2F3DCDA9407486B220449D0E92"
+$ip = "0.0.0.0"
+$port = "481"
+"http add sslcert ipport=$($ip):$port certhash=$certHash appid={$guid}" | netsh
+```
+
+The next step is to modify the `AccessInformationCenter.Service.exe.Config` file.
+
+## Modify the AccessInformationCenter.Service.exe.Config File
+
+Follow the steps to modify the Modify the `AccessInformationCenter.Service.exe.Config` file for
+HTTPS.
+
+**Step 1 –** Open the `AccessInformationCenter.Service.exe.Config` file in a text editor, e.g.
+Notepad. It is located in the installation directory:
+
+...\Netwrix\Access Reviews
+
+
+
+**Step 2 –** Change the `BindingUrl` key value to `"https://+:481"` (ensure the port number matches
+the port number used in the PowerShell command run to create the SSL Binding.
+
+**Step 3 –** Save and close the file.
+
+**Step 4 –** Restart the Netwrix Auditor Access Reviews service in Services Manager
+`(services.msc`).
+
+The URL for the Access Reviews Console is now accessible
+`https://[Fully Qualified Domain Name for the Machine]:481` (if port 481 was used when creating the
+binding). For example, https://NEWYORKSRV10.NWXTech.com:481.
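Review bot: In the "Create an SSL Binding" script, `$certHash` and `$guid` are set to concrete-looking values, and the only instruction to change them is the sentence above the block. A reader who pastes the script as is will bind a thumbprint that does not exist in their store. Use obvious placeholders such as `<certificate thumbprint>` and `<application GUID>`, or add a comment on each line saying it must be replaced. The text calls these "environmental variables", but they are ordinary PowerShell variables. The page also does not say whether the HTTP listener on port 81 stays reachable after `BindingUrl` is changed, which is the first thing a reader securing the console will want to know. Wording fixes: "It obtained from any valid GUID", "modify the Modify the", the unclosed parenthesis in Step 2 of the config section, the misplaced backtick in `(services.msc`)`, and "is now accessible" needs "at" before the URL.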
diff --git a/docs/auditor/10.8/accessreviews/installation/upgrade.md b/docs/auditor/10.8/accessreviews/installation/upgrade.md
new file mode 100644
index 0000000000..172211016c
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/installation/upgrade.md
@@ -0,0 +1,72 @@
+---
+title: "Upgrade Procedure"
+description: "Upgrade Procedure"
+sidebar_position: 40
+---
+
+# Upgrade Procedure
+
+**CAUTION:** If you are upgrading from the Netwrix Access Information Center for Netwrix Auditor to
+the Netwrix Auditor Access Reviews application, see the Special Considerations topic for upgrade
+steps.
+
+To upgrade the Access Reviews application to a newer version, simply run the new `AccessReviews.msi`
+executable. It is not necessary to uninstall the existing version. See the [Install](/docs/auditor/10.8/accessreviews/installation/install.md)
+topic for additional information.
+
+_Remember,_ the Access Reviews version must align to the compatible Netwrix Auditor version.
+
+When the installer is run over an existing version, the following is happening in the backend:
+
+- During the installation process, a Backup folder is created in the Access Reviews installation
+ directory
+
+ ...\Netwrix\Access Reviews
+
+ - The Backup folder contains the files where various settings reside listed in the table below
+
+- The backup folder files are copied over the default files laid down by the installer, preserving
+ customized settings
+- After the installation is complete, the Backup folder is removed
+
+| File | Location | Guidance |
+| ----------------------------------- | ---------------------------- | ---------------------------------------------------------------------------------------------------------------------- |
+| Email Templates (multiple files) | Located in the Backup folder | The HTML templates that are used to send notification email. These can be customized with logos or corporate branding. |
+| AccessInformationCenter.Service.exe | Located in the Backup folder | Contains custom application settings and logging levels. |
+| Version.txt | Located in the Backup folder | Indicates the version number associated with the backup contents. |
+
+## Special Considerations
+
+The originally released Netwrix Access Information Center has been rebranded to Netwrix Auditor
+Access Reviews. This rebranding project included changing the installation directory, the name of
+the service, and the default name of the database created by the installer. Follow the steps to
+replace Netwrix Access Information Center with Netwrix Auditor Access Reviews.
+
+**Step 1 –** Install the Netwrix Auditor Access Reviews application on the same server where the
+Netwrix Access Information Center was installed. See the [Install](/docs/auditor/10.8/accessreviews/installation/install.md) topic for additional
+information. On the SQL Server Connection page:
+
+- Supply the information for the existing database. The default name for the original database was
+ NetwrixAIC. However, it could have been Customized.
+- Use the same credentials for the SQL Server Connection.
+
+**NOTE:** The new destination folder will be `...\Netwrix\Access Reviews`.
+
+**Step 2 –** Launch the application and reset the Builtin Administrator password. See the
+[First Launch](/docs/auditor/10.8/accessreviews/admin/firstlaunch.md) topic for additional information.
+
+**Step 3 –** It will be necessary to add your Console Users again. See the
+[Console Access Page](/docs/auditor/10.8/accessreviews/admin/configuration/consoleaccess.md) topic for additional information.
+
+**Step 4 –** It will be necessary to configure the Notification settings. See the
+[Notifications Page](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md) topic for additional information.
+
+**Step 5 –** If you have customized your email templates, it will be necessary to copy the Templates
+folder from the old `...\Netwrix\Access Information Center` installation directory to the new
+`...\Netwrix\Access Reviews` installation directory.
+
+All of the resources with assigned owners will be visible on the Resource Owners tab. All reviews
+will be visible on the Entitlement Reviews tab.
+
+After the upgrade has been confirmed to be successful, you can optionally remove/delete the old
+installation directory: `...\Netwrix\Access Information Center`.
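Review bot: The settings table lists `AccessInformationCenter.Service.exe` as the file that "Contains custom application settings and logging levels", but secure.md in this patch edits `AccessInformationCenter.Service.exe.Config` for the same purpose, so the table entry looks like it has lost its `.Config` suffix. Please confirm the file name. The opening paragraph calls `AccessReviews.msi` an "executable" while install.md runs `AccessReviews.exe`; align the two. The CAUTION refers to "the Special Considerations topic" without a link, although the section is on this page and could be anchored. In Special Considerations, Steps 2 to 4 imply that the Builtin Administrator password, Console Users and Notification settings are not carried over; saying that outright before the steps would set expectations for access control after the migration. "Customized" in the Step 1 bullet should be lower case.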
diff --git a/docs/auditor/10.8/accessreviews/owneroverview/_category_.json b/docs/auditor/10.8/accessreviews/owneroverview/_category_.json
new file mode 100644
index 0000000000..82dbdba6f7
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/owneroverview/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Owners & Access Reviews",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "owneroverview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/owneroverview/confirmationrequest.md b/docs/auditor/10.8/accessreviews/owneroverview/confirmationrequest.md
new file mode 100644
index 0000000000..f391b23b53
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/owneroverview/confirmationrequest.md
@@ -0,0 +1,42 @@
+---
+title: "Ownership Confirmation Request Email"
+description: "Ownership Confirmation Request Email"
+sidebar_position: 10
+---
+
+# Ownership Confirmation Request Email
+
+The Ownership Administrator may request ownership confirmation for a resource being managed through
+the Access Reviews application. As an assigned owner, you will receive the following email.
+
+
+
+The Ownership Confirmation Request email provides buttons for confirming (Yes) or declining (No)
+ownership of the listed resource. You will be asked to authenticate for your response to be
+processed. The application will launch in your default browser. Enter your domain credentials to
+complete the process. One of two messages will appear according to if you confirmed or declined.
+
+## Confirmed Ownership Message
+
+If you have accepted ownership for the assigned resource, the browser will display the following
+message after authentication:
+
+
+
+"Your response has been saved. You may close this window and delete the confirmation request
+e-mail."
+
+## Declined Ownership Message
+
+If you have declined ownership for the assigned resource, the browser will display the following
+message after authentication:
+
+
+
+"Before we update ownership can you suggest another owner?" Enter possible owners in the textbox.
+Click **Submit** to complete the process.
+
+
+
+"Your response has been saved. You may close this window and delete the confirmation request
+e-mail."
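Review bot: The second paragraph tells owners to click Yes or No in the email and then "Enter your domain credentials", but gives them nothing to check before they type a password. Add a sentence stating which address the browser should open on (the organization's Access Reviews Console URL), so owners can tell the genuine confirmation page from a look-alike. "One of two messages will appear according to if you confirmed or declined" would read better as "depending on whether you confirmed or declined". In the Declined section the quoted prompt and the instruction "Enter possible owners in the textbox" run together on one line; separate the quoted message from the instruction.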
diff --git a/docs/auditor/10.8/accessreviews/owneroverview/owneroverview.md b/docs/auditor/10.8/accessreviews/owneroverview/owneroverview.md
new file mode 100644
index 0000000000..626acb8864
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/owneroverview/owneroverview.md
@@ -0,0 +1,25 @@
+---
+title: "Owners & Access Reviews"
+description: "Owners & Access Reviews"
+sidebar_position: 50
+---
+
+# Owners & Access Reviews
+
+This topic and its subtopics are written for users who have been assigned resource ownership.
+
+When your organization performs an access review on a resource for which you are the assigned owner,
+it means you, the business user or data custodian, need to attest to the access and privileges users
+have to your resource.
+
+**NOTE:** For the Netwrix Auditor Access Reviews application, a “resource” refers to the file system
+shared folders, SharePoint Online site collections, and Active Directory (AD) groups.
+
+Your organization's Ownership Administrator and/or Review Administrator will let you know what URL
+to use for logging in as well as what credentials to use. The URL will require you to be connected
+to your organization's network. Upon login, you will be directed to the My Reviews page where you
+can view pending and historical reviews for your resources.
+
+You may receive email notifications requesting ownership confirmation from your organization's
+Ownership Administrators. You will receive email notifications when you have a pending access review
+to perform.
diff --git a/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/_category_.json b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/_category_.json
new file mode 100644
index 0000000000..fa3e93df56
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Pending Reviews",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "pendingreviews"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/access.md b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/access.md
new file mode 100644
index 0000000000..8e9b8f9bbe
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/access.md
@@ -0,0 +1,52 @@
+---
+title: "Perform an Access Review"
+description: "Perform an Access Review"
+sidebar_position: 10
+---
+
+# Perform an Access Review
+
+An Access review can be conducted for various types of data repository resources. Follow the steps
+to perform an Access review.
+
+**Step 1 –** On the Pending Reviews page, select the resource with a pending Access review and click
+**Begin Review**. The Resource Review page opens to the 1 Make changes tab.
+
+
+
+The table displays access information for the resource being reviewed:
+
+- Trustee Name — Name of the trustee with access to this resource. If the trustee is a group, click
+ the hyperlink to open the Group Membership window. See the
+ [Group Membership Window](/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/groupmembership.md) topic for additional information.
+- Access Level (Full Control, Modify, and Read) columns — Blue checkmark icon indicates current
+ access level
+
+**Step 2 –** Recommend access changes for a trustee by clicking the icon for the desired access
+level (Full Control, Modify, or Read columns). A yellow checkmark icon indicates the new level of
+access you are recommending.
+
+**Step 3 –** Recommend removing access by selecting one or more trustees and clicking the **Remove
+Access** button or by clicking on a checkmark icon. A blank yellow icon indicates you are
+recommending all access be removed; it appears in the column for the current level of access.
+
+_Remember,_ at any time you can save your recommendations and exit the review. It will remain
+pending until you submit all recommendations for this resource.
+
+**Step 4 –** When the recommended changes are set as desired, click **Next**. The 2 Review changes
+tab opens in the Resource Review page.
+
+
+
+**Step 5 –** This tab displays a filtered table of trustees with recommended changes. Confirm your
+recommendations and optionally add notes to the Review Administrator. Owners are encouraged to leave
+notes explaining why the change is recommended.
+
+**NOTE:** To make changes to your recommendations, you must return to the first tab. Click
+**Previous**.
+
+**Step 6 –** When all recommendations are confirmed and the desire notes added, click **Submit**. A
+message displays stating that the review is complete. Click **OK** to close the message window.
+
+The review for this resource is now complete. You will be redirected to the Pending Reviews page.
+Your recommended changes have been sent to the Review Administrator for approval and processing.
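Review bot: Step 3 says access can be removed "by clicking on a checkmark icon", while Step 2 says clicking an icon in an access-level column recommends that level. As written, the reader cannot tell which click changes the level and which removes access. Specify that clicking the current (blue) checkmark clears it, if that is the behaviour. In Step 6, "the desire notes added" should be "the desired notes are added". The tab names "1 Make changes" and "2 Review changes" would be easier to parse in bold or quotes, as the button names already are.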
diff --git a/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/groupmembership.md b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/groupmembership.md
new file mode 100644
index 0000000000..0770a451b7
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/groupmembership.md
@@ -0,0 +1,15 @@
+---
+title: "Group Membership Window"
+description: "Group Membership Window"
+sidebar_position: 30
+---
+
+# Group Membership Window
+
+When a group trustee appears in the Trustee Name column of a review, it appears as a blue hyperlink
+in addition to the group icon displayed in front of the name.
+
+
+
+Click the hyperlink to open the Group Membership window. The group’s direct membership is listed for
+review. Click **Close** to return to the review.
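Review bot: The last paragraph says only "The group's direct membership is listed for review", which leaves open how an owner sees members of nested groups. Because the owner is attesting to who has access, add a sentence saying whether nested groups in the window can be opened in turn or must be reviewed separately.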
diff --git a/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/membership.md b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/membership.md
new file mode 100644
index 0000000000..8c9ff1b678
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/membership.md
@@ -0,0 +1,47 @@
+---
+title: "Perform a Membership Review"
+description: "Perform a Membership Review"
+sidebar_position: 20
+---
+
+# Perform a Membership Review
+
+A Membership review is an evaluation of group membership. Follow the steps to perform a Membership
+review.
+
+**Step 1 –** On the Pending Reviews page, select the resource with a pending Membership review and
+click **Begin Review**. The Resource Review page opens to the 1 Make changes tab.
+
+
+
+The table displays membership information for the group being reviewed:
+
+- Trustee Name — Name of the trustee with group membership. If the trustee is a group, click the
+ hyperlink to open the Group Membership window. See the
+ [Group Membership Window](/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/groupmembership.md) topic for additional information.
+- Member — Blue checkmark icon indicates current membership
+
+**Step 2 –** Recommend removing membership by selecting one or more trustees and clicking the
+**Remove Access** button or by clicking on a checkmark icon. A blank yellow icon indicates you are
+recommending the trustee be removed from the group.
+
+_Remember,_ at any time you can save your recommendations and exit the review. It will remain
+pending until you submit all recommendations for this resource.
+
+**Step 3 –** When the recommended changes are set as desired, click **Next**. The 2 Review changes
+tab opens in the Resource Review page.
+
+
+
+**Step 4 –** This tab displays a filtered table of trustees with recommended changes. Confirm your
+recommendations and optionally add notes to the Review Administrator. Owners are encouraged to leave
+notes explaining why the change is recommended.
+
+**NOTE:** To make changes to your recommendations, you must return to the first tab. Click
+**Previous**.
+
+**Step 5 –** When all recommendations are confirmed and the desire notes added, click **Submit**. A
+message displays stating that the review is complete. Click **OK** to close the message window.
+
+The review for this resource is now complete. You will be redirected to the Pending Reviews page.
+Your recommended changes have been sent to the Review Administrator for approval and processing.
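Review bot: Step 2 tells the owner to click **Remove Access** to recommend removing a group member. If the button really carries that label in a Membership review, say so, because the page otherwise talks about membership rather than access. Otherwise, use the actual label. Step 5 repeats the typo from access.md: "the desire notes added" should be "the desired notes are added".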
diff --git a/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/pendingreviews.md b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/pendingreviews.md
new file mode 100644
index 0000000000..3001ec576f
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/pendingreviews.md
@@ -0,0 +1,89 @@
+---
+title: "Pending Reviews"
+description: "Pending Reviews"
+sidebar_position: 20
+---
+
+# Pending Reviews
+
+When your organization performs a review on a resource for which you are the assigned owner, it
+means you, the business user or data custodian, need to attest to the access and privileges users
+have to your resource. When the Review Administrator creates a new review or starts a new instance
+of an existing review, you receive an email notification that includes a link to the your pending
+reviews.
+
+
+
+Use the **Sign in** link at the bottom to open the My Reviews interface in the Access Reviews
+Console.
+
+_Remember,_ your company domain credentials are used to log in.
+
+The My Reviews interface has two pages: Pending Reviews and Review History. See the
+[Review History Page](/docs/auditor/10.8/accessreviews/owneroverview/reviewhistory.md) topic for additional information.
+
+## Pending Reviews Page
+
+The Pending Reviews page lists all of your resources included in pending reviews.
+
+
+
+The information displayed in the table includes:
+
+- Created — Date timestamp for when the review was creation. If it has been run multiple times, this
+ is the date timestamp of the last instance.
+- Review Type – Type of review:
+ - Access – Review user access rights to resources
+ - Membership – Review group membership
+- Resource Name — The icon indicates the type of resource. The resource name includes its location,
+ such as the UNC path for a file system resource, the URL for SharePoint resource, or Group name
+ (e.g., [Domain]\[Group]).
+- In Progress — Displays a clock icon for an in-progress review
+- Last Reviewed — Date timestamp when the last review took place for the resource.
+
+The table data grid functions the same way as other table grids. See the
+[Data Grid Features](/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md) topic for additional information.
+
+Performing a review means you are evaluating the resources. You can leave the resource unchanged or
+make recommendations for changes. Consider the following examples:
+
+- In an Access review, you can recommend changes to the type of access granted to the resource.
+- In a Membership Review, you can recommend removing group membership from specific users.
+
+_Remember,_ any proposed changes are not committed until the Review Administrator approves the
+recommendation and processes those changes.
+
+## Resource Review Page
+
+The Begin Review button opens the Resource Review page to start the review.
+
+
+
+The Resource Review page varies based on the type of review; however, there are several common
+features:
+
+- Tabs — This page has two tabs:
+
+ - 1 Make changes — Displays current access for the resource.
+ - 2 Review changes — Displays changes you recommend making for your review prior to submission
+
+- You are reviewing — Indicates the type of review, the resource being reviewed, and the date
+ timestamp for when the review instance was started
+- Search — Filters the table for matches to the typed value
+- Save Changes — Saves all recommended changes, enabling you to leave the review in progress and
+ return at a later time to complete it. It opens the Saving review window, which displays a status
+ for the action.
+- Remove Access — On the 1 Make changes tab, removes access from the selected trustee(s). Ctrl-click
+ can be used for multi-select. Current access blue icon with a checkmark will turn to an empty
+ yellow icon.
+- Only show changes since last review — Scopes the table to only display those items that have been
+ modified since the last review instance
+- Previous / Next buttons — Moves between the two tabs
+- Submit button — On the 2 Review changes tab, the **Next** button becomes a **Submit** button. This
+ submits your review to the Review Administrator.
+
+The content within the table varies, and additional options may appear depending on the type of
+review being conducted. See the following sections for step by step instructions:
+
+- [Perform an Access Review](/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/access.md)
+- [Perform a Membership Review](/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/membership.md)
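Review bot: The "Remove Access" bullet in the Resource Review page feature list says the button "removes access from the selected trustee(s)", which reads as an immediate permission change and conflicts with the earlier statement that proposed changes are not committed until the Review Administrator approves and processes them. Suggest wording such as "marks the selected trustee(s) for access removal" and repeating that nothing changes on the resource until approval. The two tab bullets and the "You are reviewing" bullet also lack the closing period the other bullets have.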
diff --git a/docs/auditor/10.8/accessreviews/owneroverview/reviewhistory.md b/docs/auditor/10.8/accessreviews/owneroverview/reviewhistory.md
new file mode 100644
index 0000000000..bf11453a55
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/owneroverview/reviewhistory.md
@@ -0,0 +1,46 @@
+---
+title: "Review History Page"
+description: "Review History Page"
+sidebar_position: 30
+---
+
+# Review History Page
+
+The Review History page lists all completed review instances for your resources.
+
+
+
+The information displayed in the table includes:
+
+- Response Time – Date timestamp when the last review took place for the resource.
+- Review Type – Type of review
+- Resource Name – The icon indicates the type of resource. The resource name includes its location,
+ such as the UNC path for a file system resource, the URL for SharePoint resource, or Group name
+ (e.g., [Domain]\[Group]).
+- Reviewer Name – Name of the assigned owner who performed the review
+- Status – Icon indicates the decision provided by the Review Administrator: Accept, Decline, Defer,
+ or Waiting. Hover over a status icon to display its tooltip.
+
+The table data grid functions the same way as other table grids. See the
+[Data Grid Features](/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md) topic for additional information.
+
+## Review Details Window
+
+The View Details button at the bottom of the Review History page opens the Review Details window for
+a resource where changes were recommended.
+
+
+
+The information displayed in the table includes:
+
+- Item Reviewed – Item upon which changes were suggested by the owner
+- Current – Current state of the item at the time of the review. It could be the type of access (for
+ Access reviews) or being a member (for Membership reviews).
+- Desired – Change suggested by the owner. It could be the new type of access (for Access reviews)
+ or removing membership (for Membership reviews).
+- Notes – An icon here indicates notes were entered by the owner. Select the item and click the
+ **View Notes** button to open the View Notes window.
+- Status – Icon indicates the decision provided by the Review Administrator: Accept, Decline, Defer,
+ or Waiting. Hover over a status icon to display its tooltip.
+
+Click **OK** to close the window.
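Review bot: The "Response Time" bullet in the Review History table list is described as "Date timestamp when the last review took place for the resource", which is the same text used for "Last Reviewed" on the pending reviews page and does not fit a table that has one row per completed review instance. Please describe what the timestamp marks for that instance. Separately, `[Domain]\[Group]` in the Resource Name bullet will lose its backslash when rendered, because `\[` is a Markdown escape; wrap the example in backticks.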
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/_category_.json b/docs/auditor/10.8/accessreviews/resourceowners/_category_.json
new file mode 100644
index 0000000000..90f603861f
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Resource Owners Overview",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
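Review bot: This file ends without a final newline (see the "\ No newline at end of file" marker after the closing brace), and the other new _category_.json files in this patch show the same marker. Add a trailing newline to each so later edits do not produce noisy diffs on the last line.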
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/confirmation/_category_.json b/docs/auditor/10.8/accessreviews/resourceowners/confirmation/_category_.json
new file mode 100644
index 0000000000..c75b071d5a
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/confirmation/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Ownership Confirmation",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "confirmation"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirm.md b/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirm.md
new file mode 100644
index 0000000000..0ace1242a0
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirm.md
@@ -0,0 +1,48 @@
+---
+title: "Confirm Ownership Wizard"
+description: "Confirm Ownership Wizard"
+sidebar_position: 10
+---
+
+# Confirm Ownership Wizard
+
+The Confirm Ownership wizard is opened with the **Request Confirmation** button in the Resource
+Owners interface. It can be opened for one or multiple resources.
+
+
+
+It contains one page:
+
+- 1. Select Owners — Lists the current owner(s) for each selected resource and confirmation status
+
+## Request Ownership Confirmation
+
+Follow the steps to request ownership confirmation.
+
+**Step 1 –** In the Resource Owners interface, select the desired resource or resources and click
+Request Confirmation. The Confirm Ownership wizard opens.
+
+
+
+**Step 2 –** On the Select Owners page, you can optionally remove owners you do not want or need
+ownership confirmation from. Select those owners and click **Remove**. Those owners will not receive
+the confirmation email. Once the list is set as desired, click **Finish**. The Access Reviews
+application begins to send the confirmation email. The table provides the following information:
+
+- Resource Name — The icon indicates the type of resource. The resource name includes its location,
+ such as the UNC path for a file system resource, the URL for SharePoint resource, or Group name
+ (e.g., [Domain]\[Group]).
+- Owner Name — Name of the assigned owner
+- Confirmed — Indicates whether or not the assigned owner has confirmed ownership of that resource.
+ Tool-tips display when hovering over the icons indicating whether the resource ownership has been
+ confirmed, declined, pending response, or that a confirmation has not been requested.
+
+
+
+**Step 3 –** The action status displays on the page. When the owner confirmation notification has
+completed (100%), click Close. The Confirm Ownership wizard closes.
+
+The selected owners receive an email from the Access Reviews application asking if they are the
+owner of the assigned resource. See the
+[Ownership Confirmation Request Email](/docs/auditor/10.8/accessreviews/owneroverview/confirmationrequest.md) topic for additional
+information.
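Review bot: The page list item "- 1. Select Owners" under "It contains one page:" will be parsed by Markdown as a bullet containing a nested ordered list rather than as a literal "1." label. Either drop the bullet and keep the number, or escape the period (1\.) so it renders as written. Button names are also bolded inconsistently: **Remove** and **Finish** are bold, while "Request Confirmation" in Step 1 and "Close" in Step 3 are not.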
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirmation.md b/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirmation.md
new file mode 100644
index 0000000000..a495247680
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirmation.md
@@ -0,0 +1,34 @@
+---
+title: "Ownership Confirmation"
+description: "Ownership Confirmation"
+sidebar_position: 20
+---
+
+# Ownership Confirmation
+
+The reason for assigning owners to resources is to enable those resources to be included in reviews,
+or attestations, conducted through the application. In order for this to work, the assigned owner
+needs to claim that ownership responsibility. Resources that do not have confirmed owners may fall
+through the cracks.
+
+**NOTE:** This does require the Notification settings to be configured for the Access Reviews
+application. See the [Notifications Page](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md) topic for
+additional information.
+
+
+
+The table in the Resource Owners interface includes a Status column. The following icons appear in
+this column to indicate the owner confirmation status:
+
+| Icon | Meaning | Description |
+| -------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+|  | No Status | Indicates ownership confirmation has not been requested, and there is no ownership status at this time |
+|  | Waiting | Indicates a request for confirmation has been sent, and you are waiting for a response from the assigned owner. Hover over the icon to view the date timestamp of the request. |
+|  | Confirmed | Indicates the assigned owner confirmed ownership of the resource. Hover over the icon to view the date timestamp of the confirmation. |
+|  | Declined | Indicates the assigned owner declined ownership of the resource. These individuals would have been asked to suggest an alternative owner. Check the Notes for the resource to view this information. Hover over the icon to view the date timestamp of the decline. _Remember,_ a resource with declined ownership needs to be updated to assign a new owner. See the [Update Resource Wizard](/docs/auditor/10.8/accessreviews/resourceowners/interface/update.md) topic for additional information. |
+
+If multiple owners have been assigned, there is a choice for which assigned owner(s) should receive
+the confirmation. If multiple owners were sent the request, the column remains as a waiting symbol
+until the assigned Primary owner replies.
+
+See the [Confirm Ownership Wizard](/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirm.md) topic for additional information.
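Review bot: The NOTE near the top says ownership confirmation "does require the Notification settings to be configured", but resourceowners/overview.md in this same patch lists notifications as "Optional" under prerequisites and as "RECOMMENDED" in its introduction. Please reconcile the two so an administrator can tell whether confirmation requests work without notification settings. In the status table, the Declined row packs a "_Remember,_" callout and a link into one cell; moving that callout below the table would keep the cell readable.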
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/interface/_category_.json b/docs/auditor/10.8/accessreviews/resourceowners/interface/_category_.json
new file mode 100644
index 0000000000..2f3a7839bf
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/interface/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Resource Owners Interface",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "interface"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/interface/add.md b/docs/auditor/10.8/accessreviews/resourceowners/interface/add.md
new file mode 100644
index 0000000000..bac0fb6248
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/interface/add.md
@@ -0,0 +1,80 @@
+---
+title: "Add New Resource Wizard"
+description: "Add New Resource Wizard"
+sidebar_position: 10
+---
+
+# Add New Resource Wizard
+
+The Add new resource wizard is opened with the **Add** button in the Resource Owners interface.
+
+
+
+It contains four pages:
+
+- 1. Select Resource — Select the resource or group to be managed by the owner
+- 2. Select Owners — Select Owners from Active Directory
+- 3. Description — Optionally enter a note describing the resource
+- 4. Summary — This page provides a preview of the settings selected within the wizard
+
+See the Add a Resource topic for additional information.
+
+## Add a Resource
+
+Follow the steps to add resources one at a time and assign owners.
+
+**Step 1 –** In the Resource Owners interface, click **Add**. The Add new resource wizard opens.
+
+
+
+**Step 2 –** On the Select Resource page, select the resource to be managed. Then click **Next**.
+
+- Search field – Begin typing the name of the resource:
+ - For File System, enter a share UNC path starting with “\\”
+ - For example, \\example\share
+ - For SharePoint, enter the site URL starting with “http://”
+ - For example, http://farm.corp.com
+ - For groups, enter the group name in NTAccount format [DOMAIN\GROUP]
+ - For example, acme\app.group
+- Browse option – Navigate through the resource tree to select the desired File System or SharePoint
+ resource.
+
+
+
+**Step 3 –** On the Select Owners page, click **Add** to browse for an owner. Repeat this Step to
+add multiple owners. See the [Add Owner Window](/docs/auditor/10.8/accessreviews/resourceowners/interface/addowner.md) topic for additional
+information.
+
+
+
+**Step 4 –** When only one owner is assigned, the owner will be the Primary by default. When
+multiple owners are assigned, the first owner in the list is the Primary owner. Use the arrow
+buttons to order the owners. Use the **Add** and **Remove** buttons to modify the list of owners.
+When the owners list is complete, click **Next**.The table has several columns with information on
+the owners:
+
+- Owner Name — Name of the assigned owner
+- Owner Account — sAMAccountName associated with the owner, as read from Active Directory
+- Owner Mail — Trustee's email address as read from Active Directory
+- Owner Title — Trustee's title as read from Active Directory
+- Owner Department — Trustee's department as read from Active Directory
+- Confirmed — Indicates whether or not the assigned owner has confirmed ownership of that resource.
+ Tool-tips display when hovering over the icons indicating whether the resource ownership has been
+ confirmed, declined, pending response, or that a confirmation has not been requested.
+
+
+
+**Step 5 –** On the Description page, optionally add a description for the resource in the textbox.
+Then click **Next**.
+
+
+
+**Step 6 –** On the Summary page, review the settings and click Finish. The Access Reviews
+application begins to process the ownership configuration.
+
+
+
+**Step 7 –** The action status displays on the page. When the task has completed (100%), click
+**Close**. The Add new resource wizard closes.
+
+This resource is now being managed through the Access Reviews application.
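Review bot: In Step 2, the File System lines use unescaped backslashes (“\\” and \\example\share); Markdown treats `\\` as an escaped backslash, so both will render with a single leading backslash and the UNC example will be wrong. Wrap the prefix and the example path in backticks. The SharePoint line says the URL starts with “http://” and gives an http:// example only; state whether https:// site URLs are accepted, since readers will otherwise assume plain HTTP is required. In Step 4 there is a missing space in "click **Next**.The table".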
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/interface/addowner.md b/docs/auditor/10.8/accessreviews/resourceowners/interface/addowner.md
new file mode 100644
index 0000000000..aa8656dc06
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/interface/addowner.md
@@ -0,0 +1,18 @@
+---
+title: "Add Owner Window"
+description: "Add Owner Window"
+sidebar_position: 30
+---
+
+# Add Owner Window
+
+The Add Owner window opens from either the [Add New Resource Wizard](/docs/auditor/10.8/accessreviews/resourceowners/interface/add.md) of the
+[Update Resource Wizard](/docs/auditor/10.8/accessreviews/resourceowners/interface/update.md). This window is used to search for a user account by
+browsing Active Directory.
+
+
+
+Enter a name in the search field to find and select users from Active Directory, which populates in
+a drop-down menu as you type. If multiple domains are known to the application, ensure the correct
+domain is selected from the drop-down menu. Click **OK** and the Add Owner window closes. The
+selected user appears in the Owner list.
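Review bot: The first sentence reads "opens from either the [Add New Resource Wizard] of the [Update Resource Wizard]"; "of" should be "or", otherwise the sentence says the window belongs to only one wizard. The second paragraph also refers to two different drop-down menus (search results and domain selection) without distinguishing them; naming each would make the instruction unambiguous.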
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/interface/confirmremoval.md b/docs/auditor/10.8/accessreviews/resourceowners/interface/confirmremoval.md
new file mode 100644
index 0000000000..ef4f2f1cd6
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/interface/confirmremoval.md
@@ -0,0 +1,23 @@
+---
+title: "Confirm Removal Window"
+description: "Confirm Removal Window"
+sidebar_position: 40
+---
+
+# Confirm Removal Window
+
+The process of removing a resource from the Resource Owners interface disassociates the owner(s)
+from the resource, it does not remove the resource from the database or from the available reports.
+Any history of actions performed by the owner for that resource will be maintained, but pending
+actions will be canceled. Pending actions may include s outstanding reviews.
+
+Follow the steps to remove a resource from being managed through the application.
+
+**Step 1 –** In the Resource Owners interface, select the resource and click Remove. The Confirm
+Removal window opens.
+
+
+
+**Step 2 –** Click Yes to complete the removal process or **No** to cancel it.
+
+The resource no longer appears in the Resource Owners interface.
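Review bot: The sentence "Pending actions may include s outstanding reviews." in the opening paragraph has a stray "s", which suggests a word was dropped; please restore the intended wording, since this is the only place the page tells the administrator what gets canceled on removal. The first sentence is also a comma splice ("disassociates the owner(s) from the resource, it does not remove"); split it into two sentences. "Remove" in Step 1 and "Yes" in Step 2 are not bolded while **No** is.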
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/interface/interface.md b/docs/auditor/10.8/accessreviews/resourceowners/interface/interface.md
new file mode 100644
index 0000000000..ca0cebd3a0
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/interface/interface.md
@@ -0,0 +1,64 @@
+---
+title: "Resource Owners Interface"
+description: "Resource Owners Interface"
+sidebar_position: 10
+---
+
+# Resource Owners Interface
+
+The Resource Owners interface opened by the Resource Owners tab is where Ownership Administrators
+perform many operations around assigning and managing ownership.
+
+
+
+The information displayed in the table includes:
+
+- Resource Name – The icon indicates the type of resource. The resource name includes its location,
+ such as the UNC path for a file system resource, the URL for SharePoint resource, or Group name
+ (e.g., [Domain]\[Group]).
+- Description – Description or explanation of the resource as supplied by either the Ownership
+ Administrator or the assigned owner. See the Notes & Descriptions topic for additional
+ information.
+- Owner Name – Name of the assigned owner. If there are several owners of a resource, the list is
+ comma-separated.
+- Status – Indicates whether or not the assigned owner has confirmed ownership of that resource.
+ Tool-tips display when hovering over the icons indicating whether the resource ownership has been
+ confirmed, declined, pending response, or that a confirmation has not been requested. See the
+ [Ownership Confirmation](/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirmation.md) topic for additional information.
+- Notes – Icon indicates a Note has been added. Click on the icon to read the attached note(s).
+ Notes can be added by Ownership Administrators or populated with alternative owners by individuals
+ who declined ownership. See the [Edit Notes Window](/docs/auditor/10.8/accessreviews/admin/navigate/editnotes.md) and the Notes &
+ Descriptions topics for additional information.
+- Last Reviewed – Date timestamp when the last review took place for the resource. The hyperlink
+ will open the Entitlement Reviews interface to that Review Details page displaying the historical
+ review instance. See the
+ [Review Details Page](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md#review-details-page) topic for additional
+ information.
+- Active Review – Indicates whether or not there is a pending review. The hyperlink will open the
+ Entitlement Reviews interface to that Review Details page displaying the active review instance.
+ See the [Review Details Page](/docs/auditor/10.8/accessreviews/entitlementreviews/interface/interface.md#review-details-page) topic for
+ additional information.
+
+The table data grid functions the same way as other table grids. See the
+[Data Grid Features](/docs/auditor/10.8/accessreviews/admin/navigate/datagrid.md) topic for additional information.
+
+The buttons at the bottom enable you to conduct the following actions:
+
+
+
+| Button | Function |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Add | Launches the Add new resource wizard to add a new resource to the list. This allows you to add one resource at a time and assign an owner. See the [Add New Resource Wizard](/docs/auditor/10.8/accessreviews/resourceowners/interface/add.md) topic for additional information. |
+| Update | Launches the Update resource wizard for the selected resource. This allows you to make changes to the assigned owners or add/edit the resource description. See the [Update Resource Wizard](/docs/auditor/10.8/accessreviews/resourceowners/interface/update.md) topic for additional information. |
+| Remove | Opens the Confirm removal window to removes the selected resource from being managed through the application. _Remember,_ only resources with an assigned owner will be visible in the table. Removing a resource from this table does not delete the resource from the application database. See the [Confirm Removal Window](/docs/auditor/10.8/accessreviews/resourceowners/interface/confirmremoval.md) topic for additional information. |
+| Request Confirmation | Opens the Confirm Ownership wizard. Sends an email to the assigned owner(s) for the selected resource requesting ownership confirmation. See the[Confirm Ownership Wizard](/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirm.md) topic for additional information. |
+| Edit Notes | Opens the Edit Notes window for the selected resource and allows free-text editing of the notes. See the [Edit Notes Window](/docs/auditor/10.8/accessreviews/admin/navigate/editnotes.md) topic for additional information. |
+
+## Notes & Descriptions
+
+A note entered by an Ownership Administrator in the Resource Owners interface is only visible to
+those with access to this interface. This note can also be populated with alternative owners
+suggested by an individual who declined ownership.
+
+A resource description can be supplied by either the Ownership Administrator or the assigned owner,
+and is visible during Resource Review creation.
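Review bot: The button table has two text defects that will show on the rendered page: the Remove row says "to removes the selected resource", and the Request Confirmation row has no space in "See the[Confirm Ownership Wizard]". The Resource Name bullet has the same `[Domain]\[Group]` problem as elsewhere in this patch: `\[` is a Markdown escape, so the backslash will not render unless the example is wrapped in backticks. The two "Notes & Descriptions" references are plain text; link them to the section at the bottom of this page.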
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/interface/update.md b/docs/auditor/10.8/accessreviews/resourceowners/interface/update.md
new file mode 100644
index 0000000000..09010f416f
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/interface/update.md
@@ -0,0 +1,67 @@
+---
+title: "Update Resource Wizard"
+description: "Update Resource Wizard"
+sidebar_position: 20
+---
+
+# Update Resource Wizard
+
+The Update resource wizard is opened with the **Update** button in the Resource Owners interface.
+
+
+
+It contains three pages:
+
+- 1. Select Owners — Lists the current owner(s). Modify by adding new owners, removing owners, or
+ changing owner priority order (primary, secondary, etc.)
+- 2. Description — Enter or modify a note describing the resource
+- 3. Summary — Provides a preview of the settings selected within the wizard
+
+See the Update a Resource topic for additional information.
+
+## Update a Resource
+
+Follow the steps to update ownership configuration for a resource.
+
+**Step 1 –** In the Resource Owners interface, select the desired resource and click **Update**. The
+Update resource wizard opens.
+
+
+
+**Step 2 –** The Select Owners page lists the currently assigned owner(s). Modify as desired and
+click **Next** to continue.
+
+- Add new owners — Click **Add** to browse for a new owner. See the
+ [Add Owner Window](/docs/auditor/10.8/accessreviews/resourceowners/interface/addowner.md) topic for additional information.
+- Remove an owner — Select an owner and click **Remove**
+- Change owner priority — Select an owner and use the arrow buttons to change the order
+
+_Remember,_ the first owner in the list is the primary owner. The table has several columns with
+information on the owners:
+
+- Owner Name — Name of the assigned owner
+- Owner Account — sAMAccountName associated with the owner, as read from Active Directory
+- Owner Mail — Trustee's email address as read from Active Directory
+- Owner Title — Trustee's title as read from Active Directory
+- Owner Department — Trustee's department as read from Active Directory
+- Confirmed — Indicates whether or not the assigned owner has confirmed ownership of that resource.
+ Tool-tips display when hovering over the icons indicating whether the resource ownership has been
+ confirmed, declined, pending response, or that a confirmation has not been requested.
+
+
+
+**Step 3 –** The Description page displays any description that has been provided by either the
+Ownership Administrator or the assigned owner(s) for the resource. Modify as desired by typing in
+the textbox. Then click **Next** to continue.
+
+
+
+**Step 4 –** On the Summary page, review the settings and click Finish. The Access Reviews
+application begins to process the ownership changes.
+
+
+
+**Step 5 –** The action status displays on the page. When the update has completed (100%), click
+**Close**. The Update resource wizard closes.
+
+This updates to ownership configuration have been processed.
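Review bot: The closing line "This updates to ownership configuration have been processed." is ungrammatical; suggest "The updates to the ownership configuration have been processed." In Step 4, "Finish" is not bolded although **Update**, **Next** and **Close** are. "See the Update a Resource topic" points at a section on the same page and should be a link or simply "See the Update a Resource section below."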
diff --git a/docs/auditor/10.8/accessreviews/resourceowners/overview.md b/docs/auditor/10.8/accessreviews/resourceowners/overview.md
new file mode 100644
index 0000000000..61a49337de
--- /dev/null
+++ b/docs/auditor/10.8/accessreviews/resourceowners/overview.md
@@ -0,0 +1,94 @@
+---
+title: "Resource Owners Overview"
+description: "Resource Owners Overview"
+sidebar_position: 30
+---
+
+# Resource Owners Overview
+
+The Resource Owners interface is where Access Reviews Console users with either the Security Team or
+Administrator role (to be referred to as Ownership Administrators) can assign ownership of resources
+to be managed through the application. Assigned owners do not require a console user role. Resources
+to be included in the Access Reviews workflow must first be assigned owners within the Resource
+Owners interface.
+
+**_RECOMMENDED:_** The Access Reviews application is configured to send Notifications.
+
+_Remember,_ a “resource” refers to the file system shared folders, SharePoint Online site
+collections, and Active Directory (AD) groups. All data available within the Access Reviews
+application is collected by Netwrix Auditor according to the synchronized monitoring plans.
+
+“Owners” are the users who are responsible for reviewing access to the resources to which they are
+assigned.
+
+The My Reviews interface provides owners with access to historical and pending reviews. The My
+Reviews interface is only accessible to users who have been assigned ownership of at least one
+resource. Owners without a console user role are directed to the My Reviews interface at login.
+Owners with a console user role access the pending and historical reviews for their resources by
+clicking the My Reviews tab. See the [Pending Reviews](/docs/auditor/10.8/accessreviews/owneroverview/pendingreviews/pendingreviews.md)
+topic for additional information.
+
+Who Can Assign Ownership (Ownership Administrators)?
+
+- Console Users with Administrator role
+
+ - Can complete the Review Administrator's approval process without impacting the visibility into
+ the review created by a Review Administrator with the Security Team role
+
+ **CAUTION:** Visibility into a review created by a Review Administrator with the Security
+ Team role is blocked if a Review Administrator with the Administrator role starts a new
+ instance.
+
+- Console Users with Security Team role
+
+ - Visibility into only those reviews personally created
+
+What Can Resource Owners Do?
+
+- Perform an access review (when there is a pending review)
+- View historical information on access reviews
+
+See the [Resource Owners Interface](/docs/auditor/10.8/accessreviews/resourceowners/interface/interface.md) topic for additional information.
+
+## Workflow of Ownership Assignment
+
+Prerequisite:
+
+- Optional: The Access Reviews application is configured to send Notifications. See the
+ [Notifications Page](/docs/auditor/10.8/accessreviews/admin/configuration/notifications.md) topic for additional information.
+
+ **NOTE:** By default, the application is configured to send notifications only to the primary
+ owner. However, this can be customized on the Configuration > Notifications page to send
+ notifications to all assigned owners.
+
+- Owners assigned to resources must have:
+
+ - Email address to receive notifications
+ - Credentials for a domain known to the application
+
+- Resources and groups must be known to the application
+
+Workflow:
+
+**NOTE:** This workflow is not numbered because the Notification piece can occur at any time in the
+workflow.
+
+- Add resources to be managed by associating a business data owner with a resource. See the
+ [Add New Resource Wizard](/docs/auditor/10.8/accessreviews/resourceowners/interface/add.md) topic for additional information.
+- Confirm resource ownership. See the [Ownership Confirmation](/docs/auditor/10.8/accessreviews/resourceowners/confirmation/confirmation.md) topic for additional
+ information.
+- Notify owners of their responsibilities. See the Notification to Owners topic for additional
+ information.
+
+## Notification to Owners
+
+Let your owners know what their responsibilities are by notifying them with the following
+information:
+
+- An explanation of what a review is and why your organization is conducting them through the
+ Netwrix Auditor Access Reviews application.
+- How owners should log into the application console, specifically what URL and credentials to use.
+- Expectation on response times
+- How to access instructions on how to complete a review. You can link to the
+ [Owners & Access Reviews](/docs/auditor/10.8/accessreviews/owneroverview/owneroverview.md) topic or download that topic and its subtopics as a
+ PDF and make it available within your corporate resources.
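Review bot: Under "Who Can Assign Ownership", the sub-bullets describe review approval and review visibility rather than ownership assignment, and the Administrator bullet ("without impacting the visibility into the review") appears to be contradicted by the CAUTION directly beneath it ("Visibility ... is blocked if a Review Administrator with the Administrator role starts a new instance"). Please state plainly which action preserves visibility and which removes it. In "Notification to Owners", the bullet "specifically what URL and credentials to use" should say which account owners sign in with (the prerequisites mention credentials for a domain known to the application), so it cannot be read as a suggestion to send passwords in the notification.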
diff --git a/docs/auditor/10.8/accountlockoutexaminer/_category_.json b/docs/auditor/10.8/accountlockoutexaminer/_category_.json
new file mode 100644
index 0000000000..84f069a8cb
--- /dev/null
+++ b/docs/auditor/10.8/accountlockoutexaminer/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Account Lockout Examiner",
+ "position": 90,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/accountlockoutexaminer/configure.md b/docs/auditor/10.8/accountlockoutexaminer/configure.md
new file mode 100644
index 0000000000..02751fa1d2
--- /dev/null
+++ b/docs/auditor/10.8/accountlockoutexaminer/configure.md
@@ -0,0 +1,157 @@
+---
+title: "Planning and Preparation"
+description: "Planning and Preparation"
+sidebar_position: 10
+---
+
+# Planning and Preparation
+
+Before you start using Netwrix Account Lockout Examiner, check the prerequisites and set up your
+environment, as described in this section.
+
+## System requirements
+
+Make sure that the machine where you plan install the solution meets the system requirements listed
+below.
+
+**Hardware:**
+
+| Specification | Requirement |
+| ------------- | ----------- |
+| CPU | min 1.5 GHz |
+| Memory | 1 GB RAM |
+| Disk space | 20 MB |
+
+**Software:**
+
+| Specification | Requirement |
+| ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| OS | Both 32-bit and 64-bit of the following operating systems are supported: - Windows Server 2019 - Windows Server 2016 - Windows Server 2012 R2 - Windows Server 2012 - Windows 10 - Windows 8.1 |
+
+## Accounts and rights
+
+1. The computer where **Account Lockout Examiner** will run must be a member of the domain where
+ lockouts happen.
+2. The account used to run the application must be a member of the following groups:
+ 1. **Domain Admins** group (to retrieve the necessary data from domain controllers.)
+ 2. Local **Administrators** group on the workstation where lockouts happen (to access the
+ Security event log.)
+
+In the environments with root/child domains, the account used to run Account Lockout Examiner should
+be a member of the local **Administrators** group on the workstations in both root and child
+domains.
+
+## Licensing
+
+Account Lockout Examiner is shipped with a free pre-configured license that will be valid until a
+newer version becomes available. You will be notified on the new version release by the
+corresponding message displayed in the product. Then you will need to download that new version.
+
+## Target infrastructure
+
+For the solution to connect to and retrieve the necessary information from the Windows machines that
+may become the potential lockout reasons, your infrastructure should meet the requirements listed
+below.
+
+### Target systems and platforms
+
+The following Windows machines are supported as examination targets:
+
+- Windows Server 2019
+- Windows Server 2016
+- Windows Server 2012 R2
+- Windows Server 2012
+- Windows 10
+- Windows 8.1
+
+The solution can work with the following Exchange Server versions to retrieve information needed for
+lockout reason detection:
+
+- Exchange Server 2019
+- Exchange Server 2016
+- Exchange Server 2013
+
+### Inbound firewall rules
+
+Make sure the following **Inbound** firewall rules are enabled on the Domain Controllers and domain
+computers:
+
+- File and Printer Sharing (Echo Request - ICMPv4-In)
+- Remote Event Log Management (RPC)
+- Remote Service Management (NP-In)
+- Remote Scheduled Tasks Management (RPC)
+- Remote Volume Management (RPC -EPMAP)
+- Windows Management Instrumentation (WMI-In)
+
+### Ports
+
+The following **TCP** ports should be open on the Domain Controllers and domain computers:
+
+- Port **135** — for communication using RPC
+- Dynamic ports **1024-65535** — for internal communication
+
+### Recommended network security settings
+
+Security researches revealed that NTLM and NTLMv2 authentication is vulnerable to a variety of
+malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks.
+
+To make Windows operating system use more secure protocols (e.g. Kerberos version 5), the outgoing
+NTLM authentication traffic should be disabled for the machine where Netwrix Account Lockout
+Examiner will run. (See also
+[this Microsoft article](https://docs.microsoft.com/en-us/windows/win32/secauthn/microsoft-negotiate).)
+
+For that, you need to set the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote
+servers** policy setting to **Deny All**. This can be done locally on the machine hosting Netwrix
+Account Lockout Examiner, or via Group Policy.
+
+To disable outgoing NTLM authentication traffic locally:
+
+1. Run _secpol.msc_.
+2. Browse to **Security Settings\Local Policies\Security Options**.
+3. Set the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** setting to
+ **Deny All**.
+
+To disable outgoing NTLM authentication traffic via Group Policy:
+
+1. Open _gpmc.msc_.
+2. Find the Group Policy Object (GPO) that is applied to the machine where Netwrix Account Lockout
+ Examiner runs.
+3. Edit this GPO. Browse to **Computer Configuration\Windows Settings\Security Settings\Local
+ Policies\Security Options**.
+4. Set the **Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers** setting to
+ **Deny All**.
+5. On the machine hosting Netwrix Account Lockout Examiner run the following command via the command
+ prompt:
+
+ `gpupdate /force`
+
+### Required audit settings
+
+You can configure either **Advanced audit policies** or **Basic audit policies** for the target
+machines. See Scenario A or Scenario B, respectively.
+
+Scenario A: Advanced audit policies
+
+Enable the following **Advanced audit policies** for the target machines:
+
+| Audit entry | Event ID | Success/Failure |
+| ------------------------------------- | -------- | --------------- |
+| Account Logon | | |
+| Audit Credential Validation | 4776 | Failure |
+| Audit Kerberos Authentication Service | 4771 | Failure |
+| Audit Other Account Logon Events | 4776 | Failure |
+| Account Management | | |
+| Audit User Account Management | 4740 | Success |
+| Logon/Logoff | | |
+| Audit Logon | 4625 | Failure |
+| Audit Account Lockout | 4625 | Failure |
+
+Scenario B: Basic audit policies
+
+Enable the following **basic audit policies** for the target machines:
+
+| Audit entry | Event ID | Success/Failure |
+| -------------------------- | ---------- | --------------- |
+| Audit logon events | 4625 | Failure |
+| Audit account logon events | 4776, 4771 | Failure |
+| Audit account management | 4740 | Success |
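Review bot: Under "### Ports", "Dynamic ports **1024-65535**" asks admins to open almost the whole TCP range on domain controllers and domain computers, although every target listed in this file (Windows Server 2012 and later, Windows 8.1 and later) uses 49152-65535 as its default dynamic RPC range. State the default range, or explain why 1024-65535 is required. In the NTLM section, the "Deny All" steps give no hint to first check what still relies on outgoing NTLM from that machine; a sentence pointing to the same policy's "Audit all" value would help. Typos: "plan install" should be "plan to install", and "Security researches revealed" should be "Security research has revealed".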
diff --git a/docs/auditor/10.8/accountlockoutexaminer/overview.md b/docs/auditor/10.8/accountlockoutexaminer/overview.md
new file mode 100644
index 0000000000..ed09f54f50
--- /dev/null
+++ b/docs/auditor/10.8/accountlockoutexaminer/overview.md
@@ -0,0 +1,70 @@
+---
+title: "Account Lockout Examiner"
+description: "Account Lockout Examiner"
+sidebar_position: 90
+---
+
+# Account Lockout Examiner
+
+## Overview
+
+**Netwrix Account Lockout Examiner** helps IT administrators to discover why an Active Directory
+account keeps locking out, so they can quickly identify the lockout reason and restore normal
+operations.
+
+You can investigate lockouts originating from the following sources:
+
+- Applications running on workstations
+- Microsoft Exchange ActiveSync devices
+- Microsoft Outlook Web Access (including mobile devices)
+- Mistyped credentials (interactive logons with incorrect password)
+- Terminal Server Sessions
+- Windows Credential Manager
+- Windows Task Scheduler
+- Windows Services
+
+## Upgrade recommendations
+
+Since the functionality of older and newer versions does not match one-to-one (see Feature
+comparison of Netwrix Account Lockout Examiner 4.1 and 5.x), there is no upgrade path for **Netwrix
+Account Lockout Examiner 4.1**.
+
+Though its users can continue working with that older version, we recommend to use the latest
+Netwrix Account Lockout Examiner to benefit from the variety of its new features and enhanced
+usability.
+
+## Feature comparison of Netwrix Account Lockout Examiner 4.1 and 5.x
+
+Netwrix Account Lockout Examiner 5.1 and later is not an evolutionary update, but rather a total
+revamp of version 4.1. Hence, the functionality of the older and newer versions does not match
+one-to-one. Feature comparison is provided in the table below.
+
+| Feature | Version 4.1 | Version 5.x |
+| ----------------------------------------------------------------- | ----------------------- | ----------------------------------------------------------------------------------------------------------- |
+| **Network/domain configuration** | | |
+| Support for multi-domain (Root-Child) configurations | No | Yes |
+| **Lockout sources** | | |
+| Applications running on workstations | No | Yes |
+| Microsoft Exchange ActiveSync devices | No | Yes |
+| Microsoft Outlook Web Access (incl. mobile devices) | No | Yes |
+| Mistyped credentials (interactive logons with incorrect password) | Yes | Yes |
+| Terminal Server Sessions | Yes | Yes |
+| Windows Credential Manager | No | Yes |
+| Windows Task Scheduler | Yes | Yes |
+| Windows Services | Yes | Yes |
+| **User experience** | | |
+| Easy to install | - | Yes |
+| Ease of troubleshooting | - | Yes |
+| **Workflow** | | |
+| Ability to unlock account & reset password | Yes | No |
+| Web-based helpdesk portal | Yes (paid version only) | No |
+| Email alerts | Yes | No – check [Netwrix Auditor](https://www.netwrix.com/auditor.html) for monitoring and alerting capabilities |
+| Online monitor on critical account status | Yes | No – check [Netwrix Auditor](https://www.netwrix.com/auditor.html) for monitoring and alerting capabilities |
+
+Users of Account Lockout Examiner 4.1 can continue using that older version, as there is no upgrade
+path, just a new installation of the latest version.
+
+We welcome any feedback and ideas you might have. You can check in on
+[Netwrix page at Spiceworks](https://community.spiceworks.com/pages/NetWrix?tab=353) or submit
+direct feedback via
+[this link](https://community.spiceworks.com/products/47099-netwrix-account-lockout-examiner).
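Review bot: The statement that version 4.1 has no upgrade path appears twice, under "## Upgrade recommendations" and again in the paragraph after the comparison table, and the text mixes "5.x" (heading and table column) with "5.1 and later" (first sentence under the comparison heading). Keep one statement and one version label. In the table, "-" under Version 4.1 for "Easy to install" and "Ease of troubleshooting" is ambiguous next to the explicit Yes/No used in every other row, and "we recommend to use" should be "we recommend using".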
diff --git a/docs/auditor/10.8/accountlockoutexaminer/usage.md b/docs/auditor/10.8/accountlockoutexaminer/usage.md
new file mode 100644
index 0000000000..f4d51a77ac
--- /dev/null
+++ b/docs/auditor/10.8/accountlockoutexaminer/usage.md
@@ -0,0 +1,61 @@
+---
+title: "Examining Lockouts"
+description: "Examining Lockouts"
+sidebar_position: 20
+---
+
+# Examining Lockouts
+
+To start using **Netwrix Account Lockout Examiner**, download it from Netwrix web site. Once the
+download completes, run the executable from your browser menu or from your **Downloads** folder.
+
+To find out why an Active Directory account was locked out, perform the following steps:
+
+1. Set up the auditing as described in [Planning and Preparation](/docs/auditor/10.8/accountlockoutexaminer/configure.md) section.
+2. Download the application onto a computer within the domain where lockouts happen.
+3. Run the application. When prompted, accept the end-user license agreement.
+4. If you wish, select to participate in Netwrix Customer Experience Improvement program. You can
+ later change your preference using the product settings (see the next section for details).
+
+
+
+5. In the main window, supply the name of the account that was locked out.
+6. Specify examiner credentials – the user account that will be used to run the examination, access
+ domain controllers, and so on. The account must be a member of the **Domain Admins** group.
+7. Click **Examine**.
+
+
+
+Once the examination completes, you will be presented with a list of reasons why the account you
+supplied is being locked out.
+
+## Modifying product settings
+
+After you click **Settings** in the main window, you can apply the following options:
+
+| Option | Description | Default |
+| ------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------- |
+| **Examining** | | |
+| Skip unresolved IP addresses | For safety reasons, Netwrix Account Lockout Examiner by default does not connect to the unknown and potentially dangerous IP addresses. See [this Knowledge Base article](https://kb.netwrix.com/5810) for more information. | Enabled |
+| Examine all domain controllers | Select this option if you want to examine all domain controllers to detect potential lockout reason. | Disabled |
+| **Usage statistics** | | |
+| Take part in Netwrix Customer Experience Improvement program | Select this option to participate in the program. See [this Knowledge Base article](https://kb.netwrix.com/5820) for more information on the program. | |
+
+
+
+## Troubleshooting
+
+Log files of Netwrix Account Lockout Examiner can be found in the _%ProgramData%\Netwrix Account
+Lockout Examiner\Logs_ folder.
+
+| Symptom | Cause | Solution |
+| --------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| In the environments with root/child domains, you may receive the "_Could not query ComputerName. Access is denied_." error. | The account used to run Netwrix Account Lockout Examiner is not a member of the local **Administrators** group on the workstations in both root and child domains. Administrative rights are required to access the Security Event logs on these workstations. | Make sure this account is included in the local **Administrators** group. |
+| **Issues encountered during examination** section is shown in the examination results. | Most probably this means that **Netwrix Account Lockout Examiner** cannot reach some of the data sources it needs. | - Check that you have configured the audit settings in the target domain as described in [Required audit settings](configure.md#required-audit-settings) section. - Check that network connectivity between the Account Lockout Examiner machine and the domain controllers in your domain works properly. |
+
+
+
+We welcome any feedback and ideas you might have. Please take a minute to check in on
+[Netwrix page at Spiceworks](https://community.spiceworks.com/pages/NetWrix?tab=353) or submit
+direct feedback via
+[this link](https://community.spiceworks.com/products/47099-netwrix-account-lockout-examiner).
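Review bot: Steps 2, 3 and 6 have the reader download an executable, run it from the **Downloads** folder and then supply **Domain Admins** credentials to it, with no step for confirming that the file is the genuine Netwrix build. Add a step before "Run the application" that tells the reader to check the executable's digital signature (or a published hash, if Netwrix provides one). The link to configure.md is also absolute in step 1 but relative ("configure.md#required-audit-settings") in the Troubleshooting table; use one style. The empty "+" line pairs after step 4, after step 7 and after both tables look like leftover image placeholders and can be dropped.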
diff --git a/docs/auditor/10.8/addon/_category_.json b/docs/auditor/10.8/addon/_category_.json
new file mode 100644
index 0000000000..794d19cc63
--- /dev/null
+++ b/docs/auditor/10.8/addon/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Add-Ons",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
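Review bot: The file ends without a trailing newline ("\ No newline at end of file"); add one so that later edits to this file do not show a spurious change on the closing brace.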
diff --git a/docs/auditor/10.8/addon/alienvaultusm/_category_.json b/docs/auditor/10.8/addon/alienvaultusm/_category_.json
new file mode 100644
index 0000000000..f86aa4d68c
--- /dev/null
+++ b/docs/auditor/10.8/addon/alienvaultusm/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "AlienVault USM",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
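Review bot: "id": "overview" here is identical to the id in docs/auditor/10.8/addon/_category_.json; please confirm that each one resolves to the overview.md in its own directory and not to the same document. This file also lacks a trailing newline.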
diff --git a/docs/auditor/10.8/addon/alienvaultusm/automate.md b/docs/auditor/10.8/addon/alienvaultusm/automate.md
new file mode 100644
index 0000000000..5aee188592
--- /dev/null
+++ b/docs/auditor/10.8/addon/alienvaultusm/automate.md
@@ -0,0 +1,35 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 30
+---
+
+# Automate Add-On Execution
+
+To ensure you feed the most recent data to your SIEM solution, Netwrix recommends scheduling a daily
+task for running the add-on.
+
+**Perform the following steps to create a scheduled task:**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task Scheduler**.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrixrecommends scheduling a
+daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix_Auditor_Add-on_for_AlienVault_USM.ps1" -NetwrixAuditorHost 172.28.6.15 |
+
+**Step 5 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
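Review bot: In Step 4, the "Add arguments (optional)" row says to "specify add-on parameters" without warning that whatever is placed there is stored in the task definition and readable by anyone who can view the task. Say explicitly that credentials should not be passed as arguments and that the task should instead run under the dedicated account. Step 2's "all necessary rights and permissions" should name those rights or link to the prerequisites. Typo in Step 3: "Netwrixrecommends".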
diff --git a/docs/auditor/10.8/addon/alienvaultusm/collecteddata.md b/docs/auditor/10.8/addon/alienvaultusm/collecteddata.md
new file mode 100644
index 0000000000..6aecbd739f
--- /dev/null
+++ b/docs/auditor/10.8/addon/alienvaultusm/collecteddata.md
@@ -0,0 +1,19 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+**Step 1 –** On the computer where you executed the add-on, navigate to **Start** > **All
+Programs** > **Event Viewer**.
+
+**Step 2 –** In the Event Viewer dialog, navigate to **Event Viewer (local)** > **Applications and
+Services Logs** >Netwrix Auditor Integration log.
+
+**Step 3 –** Review events.
+
+
+
+Now you can augment Windows event log with data collected by the Auditor.
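Review bot: In Step 2, "**Services Logs** >Netwrix Auditor Integration log" is missing the space after ">" and the bold used for the other path elements, and the log name is written with spaces here but as **Netwrix_Auditor_Integration** in overview.md. Use the exact name the reader will see in Event Viewer. The closing sentence would read better as "augment the Windows event log".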
diff --git a/docs/auditor/10.8/addon/alienvaultusm/deployment.md b/docs/auditor/10.8/addon/alienvaultusm/deployment.md
new file mode 100644
index 0000000000..1dc4e72795
--- /dev/null
+++ b/docs/auditor/10.8/addon/alienvaultusm/deployment.md
@@ -0,0 +1,25 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can
+run the add-on on the computer where Auditor is installed or on a remote server. Depending on the
+execution scenario you choose, you have to define a different set of parameters. See the
+[Define Parameters](/docs/auditor/10.8/addon/alienvaultusm/parameters.md) topic for additional information.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| The add-on runs on the Auditor Server with the current user credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* AlienVault_USM.ps1 |
+| The add-on runs on the Auditor Server with explicitly defined credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* AlienVault_USM.ps1 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+| The add-on exports Activity Records from a remote Auditor Server using current user credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* AlienVault_USM.ps1-NetwrixAuditorHost 172.28.6.15 |
+| The add-on exports Activity Records from a remote Auditor Server using explicitly defined credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* AlienVault_USM.ps1-NetwrixAuditorHost 172.28.6.15 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
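Review bot: The Example column will not run as written: the script name is rendered as "Netwrix*Auditor_Add-on_for* AlienVault_USM.ps1" (underscores turned into asterisks, plus a stray space), and rows 3 and 4 have no space between ".ps1" and "-NetwrixAuditorHost". Put each command in backticks, using the file name given in automate.md, Netwrix_Auditor_Add-on_for_AlienVault_USM.ps1. Rows 2 and 4 also show -NetwrixAuditorPassword with a literal password on the command line; since the closing paragraph recommends against this, move that recommendation above the table and note that the value ends up in clear text wherever the command line is recorded.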
diff --git a/docs/auditor/10.8/addon/alienvaultusm/integrationeventlog.md b/docs/auditor/10.8/addon/alienvaultusm/integrationeventlog.md
new file mode 100644
index 0000000000..1b9df219ad
--- /dev/null
+++ b/docs/auditor/10.8/addon/alienvaultusm/integrationeventlog.md
@@ -0,0 +1,40 @@
+---
+title: "Integration Event Log Fields"
+description: "Integration Event Log Fields"
+sidebar_position: 60
+---
+
+# Integration Event Log Fields
+
+This section describes how the add-on fills in the Netwrix Auditor **Integration** event log fields
+with data retrieved from Activity Records.
+
+The Activity Record structure is described in the
+[Reference for Creating Activity Records](/docs/auditor/10.8/api/activityrecordreference.md)topic.
+
+| Event log field name | Filled in with value | Details |
+| -------------------- | --------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Source | **NA\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_ | Depending on _SetDataSourceAsEventSource_ in-script parameter. |
+| EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). |
+| Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. |
+
+See the [Define Parameters](/docs/auditor/10.8/addon/alienvaultusm/parameters.md) topic for additional information.
+
+EventData is filled in with data from the Activity Record fields as follows:
+
+| Entry in EventData | Activity Record field |
+| ------------------ | --------------------- |
+| DataSource | `{DataSource}` |
+| Action | `{Action}` |
+| Message | `{Action ObjectType}` |
+| Where | `{Where}` |
+| ObjectType | `{ObjectType}` |
+| Who | `{Who}` |
+| What | `{What}` |
+| When | `{When}` |
+| Workstation | `{Workstation}` |
+| Details | `{Details}` |
+
+Details are filled in only if this Activity Record field is not empty.
+
+
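Review bot: The Source row's markup is broken: "**NA\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_" has unbalanced bold markers, a stray space and stray escapes, so the fallback source no longer matches the _Netwrix_Auditor_Integration_API_ value given in parameters.md. SIEM parsers match on this string, so it should appear exactly, ideally in backticks. There is also a missing space in "activityrecordreference.md)topic", and the two trailing empty lines can be removed.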
diff --git a/docs/auditor/10.8/addon/alienvaultusm/overview.md b/docs/auditor/10.8/addon/alienvaultusm/overview.md
new file mode 100644
index 0000000000..08f8876dc8
--- /dev/null
+++ b/docs/auditor/10.8/addon/alienvaultusm/overview.md
@@ -0,0 +1,50 @@
+---
+title: "AlienVault USM"
+description: "AlienVault USM"
+sidebar_position: 10
+---
+
+# AlienVault USM
+
+Netwrix Auditor Add-on for SIEM helps you to get most from your SIEM investment. This topic focuses
+on the AlienVault USM SIEM solution.
+
+The add-on works in collaboration with Netwrix Auditor, supplying additional data that augments the
+data collected by the SIEM solution.
+
+The add-on enriches your SIEM data with actionable context in human-readable format, including the
+before and after values for every change and data access attempt, both failed and successful.
+Aggregating data into a single audit trail simplifies analysis, makes your SIEM more cost effective,
+and helps you keep tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on facilitates the audit data transition from Netwrix
+Auditor to the SIEM solution. All you have to do is provide connection details and schedule the
+script for execution.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Netwrix Auditor server and retrieves audit data using the Netwrix
+ Auditor Integration API.
+2. The add-on processes Netwrix Auditor-compatible data (Activity Records) into log events that work
+ as input for the SIEM solution. Each event contains the user account, action, time, and other
+ details.
+3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores
+ events there. These events are structured and ready for integration with the SIEM solution.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Netwrix Auditor Integration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
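Review bot: In the Prerequisites table, the row for the computer where the script runs requires "Set-ExecutionPolicy Unrestricted", which relaxes the policy for every script on the machine in order to run one add-on. Document a narrower option, such as RemoteSigned or setting the policy only for the process that runs the add-on, and say which scope is intended. Both table cells also flatten their bullet lists into a single line of " - " separated items, which makes the port (TCP 9699), role and privilege requirements easy to miss. "get most from" should be "get the most from".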
diff --git a/docs/auditor/10.8/addon/alienvaultusm/parameters.md b/docs/auditor/10.8/addon/alienvaultusm/parameters.md
new file mode 100644
index 0000000000..c8a8661531
--- /dev/null
+++ b/docs/auditor/10.8/addon/alienvaultusm/parameters.md
@@ -0,0 +1,43 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/alienvaultusm/deployment.md) topic
+for additional information.
+
+| Parameter | Default value | Description |
+| --------------------------------- | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Connection to Netwrix Auditor** | | |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting the Auditor Server and uses default port 9699. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide a server name followed by the port number (e.g., WKS.enterprise.local:9999). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. The account must be assigned the Global reviewer role in Auditor or be a member of the Netwrix Auditor **Client Users** group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
+
+## In-Script Parameters
+
+You may also need to modify the parameters that define how EventIDs should be generated for exported
+events, though their default values address most popular usage scenarios. In-script parameters are
+listed in the table below. To modify them, open the script for edit and enter the values you need.
+
+Once set, these parameter values must stay unchanged until the last run of the script — otherwise
+dynamically calculated EventIDs will be modified and applied incorrectly.
+
+| Parameter | Default value | Description |
+| -------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **EventID generation** | | |
+| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](/docs/auditor/10.8/api/postdata/activityrecords.md) topic for additional information. |
+| IncludeDataSourceToMakeEventId\* | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to _TRUE_. |
+| SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the DataSource field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the DataSource field of Activity Record. Only the lowest 9 bits of the calculation result are used. |
+| SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the DataSource field of Activity Record. Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular DataSource does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. |
+
+\* When configuring the **IncludeDataSourceToMakeEventId** parameter, consider that the _Object
+Type - Action_ pair may be identical for several data sources (e.g., Object='User' and
+Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID
+(duplicates). See the [Run the Add-On with PowerShell](/docs/auditor/10.8/addon/alienvaultusm/powershell.md) topic for additional
+information about duplicates.
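Review bot: The GenerateEventId row promises "unique EventIDs", but the same cell says only the lowest 16 bits of a CRC32 are kept (9 bits for Event Category), so two different ObjectType/Action/DataSource combinations can share an ID even with IncludeDataSourceToMakeEventId enabled. The footnote only covers duplicates caused by excluding DataSource; reword "unique" and tell readers to check the mapping before keying SIEM rules on EventID alone. Also, "whether to generated" should be "whether to generate", "_TRUE_" should match the "True" used in the other rows, and the NetwrixAuditorPassword row should say that the value is passed as plain text.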
diff --git a/docs/auditor/10.8/addon/alienvaultusm/powershell.md b/docs/auditor/10.8/addon/alienvaultusm/powershell.md
new file mode 100644
index 0000000000..f066d2b7b0
--- /dev/null
+++ b/docs/auditor/10.8/addon/alienvaultusm/powershell.md
@@ -0,0 +1,65 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 40
+---
+
+# Run the Add-On with PowerShell
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+Follow the steps to run add-on with PowerShell:
+
+**Step 1 –** On computer where you want to execute the add-on, start Windows PowerShell.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Add-on_for_AlienVault_USM.ps1 - NetwrixAuditorHost
+172.28.6.15
+
+**NOTE:** If the script path contains spaces (e.g., _C:\Netwrix Add-ons_), embrace it in double
+quotes and insert the ampersand (**&**) symbol in front (e.g., & "_C:\Netwrix Add-ons_").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in Netwrix Auditor Audit Database execution may
+take a while. Ensure the script execution completed successfully. The Netwrix Auditor Integration
+event log will be created and filled with events.
+
+By default, the Netwrix Auditor Integration event log size is set to 1GB, and retention is set to
+"_Overwrite events as needed_". For more information about event log fields, see the documentation.
+
+**NOTE:** Event records with more than 30,000 characters length will be trimmed.
+
+At the end of each run, the script creates the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDs.txt** file. It defines mapping between the
+Activity Records and related Event IDs . You can use this file to track possible duplicates of Event
+IDs created at each script execution. Duplicates, if any, are written to the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDsDuplicates.txt** file.
+
+Similarly, the add-on also creates the **Netwrix_Auditor_Event_Log_Export_Add-on_CategoriesIDs.txt**
+file that defines mapping between the Data Source and related Category ID.
+
+## Applying Filters
+
+Every time you run the script, Auditor makes a timestamp. The next time you run the script, it will
+start retrieving new Activity Records. Consider the following:
+
+- By default, the add-on does not apply any filters when exporting Activity Records. If you are
+ running the add-on for the first time (there is no timestamp yet) with no filters, it will export
+ Activity Records for the last month only. This helps to optimize solution performance during the
+ first run. At the end of the first run, the timestamp will be created, and the next run will start
+ export from that timestamp.
+
+- However, if you have specified a time period for Activity Records to be exported, then this filter
+ will be applied at the add-on first run and the runs that follow.
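Review bot: In the Step 3 console sample the parameter is written as "- NetwrixAuditorHost" with a space after the dash and the value wrapped onto the next line, so a reader who copies it passes a bare "-" and the name no longer binds as -NetwrixAuditorHost. Keep the command on one line and put the whole console sample in a code fence. "For more information about event log fields, see the documentation" has no link target, and "Event IDs ." has a stray space before the period.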
diff --git a/docs/auditor/10.8/addon/amazonwebservices/_category_.json b/docs/auditor/10.8/addon/amazonwebservices/_category_.json
new file mode 100644
index 0000000000..794e25fac5
--- /dev/null
+++ b/docs/auditor/10.8/addon/amazonwebservices/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Amazon Web Services",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
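Review bot: The file ends without a trailing newline (see the "No newline at end of file" marker); add one so a later edit does not show a spurious change on the closing brace. The same applies to arcsight/_category_.json further down in this patch.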
diff --git a/docs/auditor/10.8/addon/amazonwebservices/automate.md b/docs/auditor/10.8/addon/amazonwebservices/automate.md
new file mode 100644
index 0000000000..fa6d6f2f0a
--- /dev/null
+++ b/docs/auditor/10.8/addon/amazonwebservices/automate.md
@@ -0,0 +1,35 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 40
+---
+
+# Automate Add-On Execution
+
+To ensure you feed the most recent data to your SIEM solution, Netwrix recommends scheduling a daily
+task for running the add-on.
+
+**Perform the following steps to create a scheduled task:**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task Scheduler**.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrixrecommends scheduling a
+daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix*Auditor_Add-on_for_Amazon_Web* Services.ps1" -NetwrixAuditorHost 172.28.6.15 |
+
+**Step 5 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
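Review bot: Step 3 says the schedule controls how often audit data is "exported from Auditor and saved to event log", but per overview.md in this patch this add-on collects CloudTrail events and sends them to Auditor, so the sentence looks carried over from the event log export add-on and should be rewritten for the AWS direction. In the Actions table the example path reads "Netwrix*Auditor_Add-on_for_Amazon_Web* Services.ps1"; the asterisks and the space are escaping damage, and the name should match Netwrix_Auditor_Add-on_for_Amazon_Web_Services.ps1 as used in powershell.md, ideally as inline code. "Netwrixrecommends" is missing a space, and unlike the ArcSight version of this procedure there is no step telling the reader to select Create Task before the General tab.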
diff --git a/docs/auditor/10.8/addon/amazonwebservices/collecteddata.md b/docs/auditor/10.8/addon/amazonwebservices/collecteddata.md
new file mode 100644
index 0000000000..b692a9f7ab
--- /dev/null
+++ b/docs/auditor/10.8/addon/amazonwebservices/collecteddata.md
@@ -0,0 +1,18 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+Follow the steps to work with collected data.
+
+**Step 1 –** Start the Auditor client and navigate to **Search**.
+
+**Step 2 –** Click **Search**.
+
+
+
+You might want to apply a filter to narrow down your search results to the NetwrixAPI data source
+only.
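Review bot: The closing sentence names the data source "NetwrixAPI", while parameters.md in this patch calls it "Netwrix API"; use the name exactly as it appears in the Auditor filter so readers can find it. The two empty lines after Step 2 look like a dropped screenshot; restore the image reference or remove the gap, and consider making the filter advice a numbered step, since it is the action that narrows results to the imported AWS data.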
diff --git a/docs/auditor/10.8/addon/amazonwebservices/deployment.md b/docs/auditor/10.8/addon/amazonwebservices/deployment.md
new file mode 100644
index 0000000000..821334bb89
--- /dev/null
+++ b/docs/auditor/10.8/addon/amazonwebservices/deployment.md
@@ -0,0 +1,25 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+The Add-on runs on any computer in your environment. For example, you can run the add-on on the
+computer where Auditor is installed or on a remote server. Depending on the execution scenario you
+choose, you have to define a different set of parameters. See the [Amazon Web Services](/docs/auditor/10.8/addon/amazonwebservices/overview.md)
+topic for additional information.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on the Auditor Server with the current user credentials. | C:\Add-ons\Netwrix*Auditor_Add-on_for* Amazon_Web_Services.ps1 |
+| The add-on runs on the Auditor Server with the explicitly specified user credentials. | C:\Add-ons\Netwrix*Auditor_Add-on_for* Amazon_Web_Services.ps1 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+| The add-on runs on a remote computer. Data is written to a remote Auditor repository with the current user credentials. | C:\Add-ons\Netwrix*Auditor_Add-on_for* Amazon_Web_Services.ps1 -NetwrixAuditorHost 172.28.6.15 |
+| The add-on runs on a remote computer. Data is written to a remote Auditor repository with the explicitly specified user credentials and monitoring plan name. | C:\Add-ons\Netwrix*Auditor_Add-on_for* Amazon_Web_Services.ps1 -NetwrixAuditorHost 172.28.6.15 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool -NetwrixAuditorPlan Integrations |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
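Review bot: Two of the four table examples pass -NetwrixAuditorPassword NetwrixIsCool on the command line, and the recommendation to skip explicit credentials only appears after the table; a password given as an argument ends up in console history and in a scheduled task's arguments field. Move the recommendation above the table and present the explicit-credential rows as a fallback. The last paragraph asks for an account with permissions to "both Auditor data and event log", which does not match this add-on (it writes to Auditor through the Integration API and, per parameters.md, needs the Contributor role). The script name is damaged in every row ("Netwrix*Auditor_Add-on_for* Amazon_Web_Services.ps1"), and the "See the Amazon Web Services topic" link for parameter details should probably target parameters.md.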
diff --git a/docs/auditor/10.8/addon/amazonwebservices/overview.md b/docs/auditor/10.8/addon/amazonwebservices/overview.md
new file mode 100644
index 0000000000..bb8853d45e
--- /dev/null
+++ b/docs/auditor/10.8/addon/amazonwebservices/overview.md
@@ -0,0 +1,53 @@
+---
+title: "Amazon Web Services"
+description: "Amazon Web Services"
+sidebar_position: 20
+---
+
+# Amazon Web Services
+
+Amazon Web Services (AWS) provides a wide range of cloud-based services, including solutions and
+management tools for virtualization, data storage and hosting, private networking, relational and
+NoSQL databases, and many more. AWS CloudTrail is an internal tracking service that records AWS API
+calls. Companies leverage this information for analyzing user activity patterns and detecting
+potential threats. Unfortunately, collected audit data cannot be used for future reference: AWS
+CloudTrail stores events for 7 days allowing administrators and security analysts to review data for
+only short time periods.
+
+Netwrix Auditor helps you gain complete visibility into Amazon Web Services user and service
+activity. The Add-on for Amazon Web Services extends native AWS CloudTrail auditing and reporting
+possibilities. Aggregating data into a single audit trail simplifies activity analysis and helps you
+keep tabs on your hybrid cloud IT infrastructure. With Netwrix Auditor, AWS audit data is kept for
+much longer periods of time and always ready for review in easy-to-use search interface.
+
+Implemented as a PowerShell script, this add-on automates the acquisition of Amazon Web Services
+CloudTrail logs and their transition to Netwrix Auditor. All you have to do is provide connection
+details and schedule the script for execution.
+
+On a high level, the add-on works as follows:
+
+- The add-on makes an AWS API call and collects activity events from AWS CloudTrail.
+- The add-on processes these events into Netwrix Auditor-compatible format (Activity Records). Each
+ Activity Record contains the user account, action, time, and other details.
+
+ Currently, Netwrix Auditor processes details for the following AWS events (other events can be
+ imported without details):
+
+ | | | | |
+ | -------------- | ------------------- | ------------------ | --------------- |
+ | CreateGroup | CreateUser | CreateLoginProfile | CreateAccessKey |
+ | DeleteGroup | DeleteUser | DeleteLoginProfile | DeleteAccessKey |
+ | AddUserToGroup | RemoveUserFromGroup | UpdateLoginProfile | UpdateAccessKey |
+
+- Using the Integration API, the add-on sends the activity events to the Auditor Server, which
+ writes them to the **Long-Term Archive** and the **Audit Database**.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information.
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging the Integration API. Download the latest add-on version in the Add-on Store.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information about schema
+updates.
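Review bot: The first paragraph states that CloudTrail "stores events for 7 days" and that collected audit data "cannot be used for future reference"; please verify the retention figure against current AWS documentation, which describes a 90-day Event history, and soften the second claim accordingly. The supported-events table has an empty header row; give the columns headings or turn the twelve event names into a list. The "See the Integration API topic" sentence appears twice within a few lines and can be merged into one.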
diff --git a/docs/auditor/10.8/addon/amazonwebservices/parameters.md b/docs/auditor/10.8/addon/amazonwebservices/parameters.md
new file mode 100644
index 0000000000..44826c7340
--- /dev/null
+++ b/docs/auditor/10.8/addon/amazonwebservices/parameters.md
@@ -0,0 +1,49 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/amazonwebservices/deployment.md)
+topic for additional information.
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+| Parameter or switch | Default value | Description |
+| ---------------------- | ----------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| AWSSDKInstallPath | 'C:\Program Files (x86)\AWS SDK for .NET' | Assumes that AWS SDK for .NET is installed by its default path. To specify another location, provide a path in single quotes (e.g., '_C:\Program Files (x86)\My SDKs\AWS SDK for .NET_'). |
+| ImportAllEvents | — | By deafult, only events with processed details will be imported. To import all events, set the switch during the add-on execution. **NOTE:** Importing all events makes audit data less human-readable. |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting Auditor Server and uses default port **9699**. If you want to run the add- on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15, EnterpriseNAServer,WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.enterprise.local:9999_). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. **NOTE:** The account must be assigned the **Contributor** role in Auditor. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
+| NetwrixAuditorPlan | — | Unless specified, data is written to the **Netwrix\_ Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. **NOTE:** If you select a plan name in the add-on, make sure a dedicated plan is created in Auditor, the **Netwrix API** data source is added to the plan and enabled for monitoring. Otherwise, the add-on will not be able to write data to the **Audit Database**. |
+
+## Update In-Script Parameters
+
+**Step 1 –** Right-click a script and select **Edit**. **Windows PowerShell ISE** will start.
+
+**Step 2 –** Navigate to the following lines:
+
+$RegionEndpoint = "your AWS region endpoint"
+
+$AccessKeyID = "your AWS access key ID"
+
+$SecretAccessKey = "your AWS secret access key"
+
+**Step 3 –** Update the following parameters:
+
+| Parameter | Description |
+| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| RegionEndpoint | Provide an endpoint for your region, e.g., us-east-1 (N. Virginia). **NOTE:** If you use more than one region in your environment, run the script several times with different region endpoints. See the [AWS service endpoints](https://docs.aws.amazon.com/general/latest/gr/rande.html) article for additional information. |
+| AccessKeyID | Provide an AWS access key ID for your account. Access key is used to run requests to AWS SDK, CLIs, and API. |
+| SecretAccessKey | Provide an AWS secret access key that works with your access key ID. |
+
+**Step 4 –** Save the script.
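Review bot: Update In-Script Parameters has the reader save $AccessKeyID and $SecretAccessKey in clear text inside the .ps1, with no guidance on protecting that file. Add a note to restrict read access on the script to the account that runs it and to use a dedicated IAM user limited to reading CloudTrail events. The three variable lines in Step 2 should sit in a powershell code fence. Typos in the first table: "deafult", "add- on", and "Netwrix\_ Auditor_API" (stray escape and space).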
diff --git a/docs/auditor/10.8/addon/amazonwebservices/powershell.md b/docs/auditor/10.8/addon/amazonwebservices/powershell.md
new file mode 100644
index 0000000000..515847bf2b
--- /dev/null
+++ b/docs/auditor/10.8/addon/amazonwebservices/powershell.md
@@ -0,0 +1,34 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 30
+---
+
+# Run the Add-On with PowerShell
+
+Follow the steps to run add-on with PowerShell:
+
+**Step 1 –** On computer where you want to execute the add-on, start Windows PowerShell.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Add-on_for_Amazon_Web_Services.ps1 -
+NetwrixAuditorHost 172.28.6.15
+
+**NOTE:** If the script path contains spaces (e.g., `C:\Netwrix Add-ons\`), embrace it in double
+quotes and insert the ampersand (&) symbol in front (e.g., & "`C:\Netwrix Add-ons\`").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of events logged by CloudTrail it may take a while. Ensure the script
+execution completed successfully. Every time you run a script, Auditor makes a checkpoint with the
+last imported event. The next time you run the script, it will start retrieving new events.
+
+**NOTE:** By default, CloudTrail keeps events for **7** days.
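Review bot: In the Step 3 console sample the dash is left at the end of one line and NetwrixAuditorHost starts the next, so a reader copying it gets a bare "-" instead of the -NetwrixAuditorHost parameter. Keep the command on one line and put the sample in a code fence. "Depending on the number of events logged by CloudTrail it may take a while" should name what takes a while (script execution), and the 7-day NOTE repeats the retention claim from overview.md, so state the figure in one place and link to it.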
diff --git a/docs/auditor/10.8/addon/arcsight/_category_.json b/docs/auditor/10.8/addon/arcsight/_category_.json
new file mode 100644
index 0000000000..8f68082292
--- /dev/null
+++ b/docs/auditor/10.8/addon/arcsight/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "ArcSight",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/arcsight/automate.md b/docs/auditor/10.8/addon/arcsight/automate.md
new file mode 100644
index 0000000000..a853cd56d1
--- /dev/null
+++ b/docs/auditor/10.8/addon/arcsight/automate.md
@@ -0,0 +1,37 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 40
+---
+
+# Automate Add-On Execution
+
+To ensure you feed the most recent data to ArcSight, Netwrix recommends scheduling a daily task for
+running the add-on.
+
+**To create a scheduled task**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task Scheduler**.
+
+**Step 2 –** Select **Create Task**.
+
+**Step 3 –** On the **General** tab, specify a task name, e.g., Netwrix Auditor Add-on for ArcSight.
+Make sure the account that runs the task has all necessary rights and permissions.
+
+**Step 4 –** On the **Triggers** tab, **click** New and define the schedule. This option controls
+how often audit data is exported from Auditor and transferred to ArcSight Logger. Netwrix recommends
+scheduling a daily task.
+
+**Step 5 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information.
+
+| Option | Value |
+| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix*Auditor_Add-on_for_HPE* ArcSight.ps1" -ArcSightHost 172.28.6.24 - NetwrixAuditorHost 172.28.6.15 |
+
+**Step 6 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
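Review bot: The Add arguments example has a space between the dash and the parameter name ("- NetwrixAuditorHost 172.28.6.15"), which would not be read as the -NetwrixAuditorHost parameter, and the script name is damaged ("Netwrix*Auditor_Add-on_for_HPE* ArcSight.ps1" versus Netwrix_Auditor_Add-on_for_HPE_ArcSight.ps1 in powershell.md). Fix both and format the example as inline code. In Step 4 the bold is on the wrong word: "**click** New" should be "click **New**".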
diff --git a/docs/auditor/10.8/addon/arcsight/collecteddata.md b/docs/auditor/10.8/addon/arcsight/collecteddata.md
new file mode 100644
index 0000000000..739b67d6b1
--- /dev/null
+++ b/docs/auditor/10.8/addon/arcsight/collecteddata.md
@@ -0,0 +1,25 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+Follow the steps to see collected data.
+
+**Step 1 –** Log on to your ArcSight Logger web interface.
+
+**Step 2 –** On the **Summary** page, select the **Event Summary by Receiver** diagram and click the
+**UDP Receiver** segment (Activity Records are imported through UDP Receiver). Select **TCP
+Receiver** if you specified TCP protocol for transferring data.
+
+**Step 3 –** On the **Analyze** page that opens, review the search field. Ensure your computer is
+listed as Receiver (e.g., "_172.28.156.131 [UDP Receiver]_"). If you imported Activity Records from
+more than one Netwrix Auditor Server, add all of them in the search field.
+
+**NOTE:** You might want to modify time range and the fields shown.
+
+
+
+**Step 4 –** Review imported Activity Records.
diff --git a/docs/auditor/10.8/addon/arcsight/deployment.md b/docs/auditor/10.8/addon/arcsight/deployment.md
new file mode 100644
index 0000000000..a4bc797a6f
--- /dev/null
+++ b/docs/auditor/10.8/addon/arcsight/deployment.md
@@ -0,0 +1,25 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+The Add-on runs on any computer in your environment. For example, you can run the add-on on the
+computer where Auditor is installed or on a remote server. Depending on the execution scenario you
+choose, you have to define a different set of parameters.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on the Auditor Server with the current user credentials. Data is written a remote ArcSight through UDP protocol. | C:\Add-ons\Netwrix*Auditor_Add-on_for_HPE* ArcSight.ps1 -ArcSightHost 172.28.6.18 |
+| The add-on runs on the Auditor Server with the current user credentials. Data is written a remote ArcSight through TCP protocol. | C:\Add-ons\Netwrix*Auditor_Add-on_for_HPE* ArcSight.ps1 -TCP -ArcSightHost 172.28.6.18 |
+| The add-on runs on the Auditor Server with the explicitly specified user credentials. Data is written a remote ArcSight with a non-default UDP port. | C:\Add-ons\Netwrix*Auditor_Add-on_for_HPE* ArcSight.ps1 -ArcSightHost 172.28.6.18:9999 -NetwrixAuditorUserName enterprise\NAuser - NetwrixAuditorPassword NetwrixIsCool |
+| The add-on runs on a remote computer with the current user credentials. Data is retrieved from a remote Auditor repository and written to a remote ArcSight. | C:\Add-ons\Netwrix*Auditor_Add-on_for_HPE* ArcSight.ps1 -ArcSightHost 172.28.6.24 - NetwrixAuditorHost 172.28.6.15 |
+| The add-on runs on a remote computer. Data is retrieved from a remote Auditor repository with the explicitly specified user credentials and written to a remote ArcSight. | C:\Add-ons\Netwrix*Auditor_Add-on_for_HPE* ArcSight.ps1 -ArcSightHost 172.28.6.24 - NetwrixAuditorHost 172.28.6.15 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
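Review bot: The closing paragraph asks for an account with permissions to "both Auditor data and event log", but this add-on sends CEF data to ArcSight, and overview.md lists different requirements (Global reviewer role, write permission on the script folder, rights to supply data to ArcSight); align the paragraph with that Prerequisites table. Rows 3 to 5 have "- NetwrixAuditorHost" or "- NetwrixAuditorPassword" with a space after the dash, the script name is damaged in every row, and rows 1 to 3 read "Data is written a remote ArcSight" (missing "to"). The rows that pass -NetwrixAuditorPassword in clear text would be better placed after the current-user recommendation than before it.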
diff --git a/docs/auditor/10.8/addon/arcsight/overview.md b/docs/auditor/10.8/addon/arcsight/overview.md
new file mode 100644
index 0000000000..0501bb039a
--- /dev/null
+++ b/docs/auditor/10.8/addon/arcsight/overview.md
@@ -0,0 +1,54 @@
+---
+title: "ArcSight"
+description: "ArcSight"
+sidebar_position: 30
+---
+
+# ArcSight
+
+Netwrix Auditor helps you extend auditing possibilities and get most from your ArcSight investment.
+The Netwrix Auditor Add-on for ArcSight works in collaboration with Auditor, supplying additional
+data that augments the data collected by ArcSight.
+
+The add-on enriches your SIEM data with actionable context in human-readable format, including the
+before and after values for every change and data access attempt, both failed and successful.
+Aggregating data into a single audit trail simplifies analysis, makes your SIEM more cost effective,
+and helps you keep tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on facilitates the audit data transition from Netwrix
+Auditor to ArcSight. All you have to do is provide connection details and schedule the script for
+execution.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Netwrix Auditor Server and retrieves audit data using the Integration
+ API.
+2. The add-on processes Auditor-compatible data (Activity Records) into native ArcSight CEF format.
+ Each exported event contains the user account, action, time, and other details.
+3. The add-on uploads audit trails to ArcSight Logger making it immediately ready for review and
+ analysis. ArcSight SmartConnector configured as Syslog Daemon is supported as well.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Integration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| on... | Ensure that... |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor Server side | - The Audit Database settings are configured in the Auditor. See the [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topic for additional information. - The TCP 9699 port (default Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the **Global reviewer** role in Auditor or is a member of the **Netwrix Auditor Client Users** group. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. |
+| On the ArcSight side | - The UDP Receiver is enabled and is configured to receive CEF as source and use the default port **514**. - To check receiver settings or add a new receiver, start the ArcSight Logger web interface and navigate to **Configuration** > **Receivers**.  **NOTE:** You can configure TCP Receiver and switch to TCP protocol and port **515**. - The user running the script must have sufficient permissions to supply data to ArcSight. |
+| The computer where the script will be executed | - Execution policy for powershell scripts is set to "_Unrestricted_". Run **Windows PowerShell** as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the **write** permission on the script folder—the add-on creates a special .bin file with the last exported event. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging the Integration API. Download the latest add-on version in the Add-on Store. See the
+[Integration API](/docs/auditor/10.8/api/overview.md)topic for additional information.
+
+The add-on was renamed due to HPE acquisition by Micro Focus. The former add-on name was Netwrix
+Auditor Add-on for HPE ArcSight. This name may still be present in the add-on files and
+documentation. ArcSight trademarks and registered trademarks are property of their respective
+owners.
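Review bot: The prerequisites row for the script host tells the reader to run Set-ExecutionPolicy Unrestricted as administrator, which changes the policy for every script on the machine. Document the narrowest setting that runs the add-on, for example RemoteSigned or -Scope CurrentUser for the account that runs the task, and say why it is needed. The ArcSight row contains an empty image reference with no alt text or path, all three cells have their bullet lists flattened into one line, the header "on..." should be capitalized, and "overview.md)topic" in Compatibility Notice is missing a space.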
diff --git a/docs/auditor/10.8/addon/arcsight/parameters.md b/docs/auditor/10.8/addon/arcsight/parameters.md
new file mode 100644
index 0000000000..ed3a87e289
--- /dev/null
+++ b/docs/auditor/10.8/addon/arcsight/parameters.md
@@ -0,0 +1,26 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the[Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/arcsight/deployment.md) topic
+for additional information.
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+| Parameter or switch | Default value | Description |
+| ---------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| TCP | – | By default, UDP protocol is used. Specify the switch during the add-on execution if you want to use TCP protocol for transferring data. Via UDP, events will be sent one by one, via TCP— in a batch. |
+| ArcSightHost | – | Provide a name of the computer where ArcSight resides (e.g., 172.28.6.18, ArcSightSRV, ArcSightSRV.enterprise.local). **NOTE:** This is a mandatory parameter. Unless specified, the add- on assumes that the default port 514 is used for UDP and 515 for TCP. To specify a non-default port, provide a server name followed by the port number (e.g., _ArcSightSRV.enterprise.local:9998_). |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting Auditor Server and uses default port 9699. If you want to run the add- on on another machine, provide a name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.enterprise.local:9999_). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. **NOTE:** The account must be assigned the **Global reviewer** role in Netwrix Auditor or be a member of the **Netwrix Auditor Client Users** group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
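Review bot: The NetwrixAuditorPassword row should say how the value is supplied and what that exposes. As written ("Provide a different password if necessary") it invites typing a plaintext password on the command line or into a scheduled task. Suggest stating in the row that leaving NetwrixAuditorUserName and NetwrixAuditorPassword unset and running the script under the intended account avoids this. The TCP row says UDP is the default and sends events one by one; say when a reader should prefer the switch. Smaller fixes: "See the[Choose" is missing a space, "add- on" appears twice with a stray space, the ArcSightHost NOTE marks the parameter mandatory and then runs straight into the default-port sentence, and the second intro paragraph repeats the "uses a default value unless explicitly defined" sentence from the first.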
diff --git a/docs/auditor/10.8/addon/arcsight/powershell.md b/docs/auditor/10.8/addon/arcsight/powershell.md
new file mode 100644
index 0000000000..7718acf4af
--- /dev/null
+++ b/docs/auditor/10.8/addon/arcsight/powershell.md
@@ -0,0 +1,31 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 30
+---
+
+# Run the Add-On with PowerShell
+
+Follow the steps to run add-on with PowerShell:
+
+**Step 1 –** On computer where you want to execute the add-on, start Windows PowerShell.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Add-on_for_HPE_ArcSight.ps1 -
+ArcSightHost 172.28.6.24 -NetwrixAuditorHost 172.28.6.15
+
+**NOTE:** If the script path contains spaces (e.g., _C:\Netwrix Add-ons_), embrace it in double
+quotes and insert the ampersand (**&**) symbol in front (e.g., & "_C:\Netwrix Add-ons_").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in the Audit Database execution may take a while.
+Ensure the script execution completed successfully. As a result, data will be exported to ArcSight.
+Note that events exceeding 4000 symbols are trimmed.
+
+Every time you run the script, Auditor makes a timestamp. The next time you run the script, it will
+start retrieving new Activity Records.
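Review bot: The sample command in Step 3 is not copy-pasteable. It is unfenced, the window title "Windows PowerShell" runs into the prompt, and the line wrap splits "-" from "ArcSightHost", so the first parameter reads as a bare dash followed by a positional argument. Put it in a fenced block on one line. The NOTE about paths with spaces shows only the folder ("C:\Netwrix Add-ons") with italics markers inside the quotes; show the full script path so the call-operator example actually runs. "Ensure the script execution completed successfully" should say what to check, and Step 1 and the intro need articles ("On the computer", "run the add-on").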
diff --git a/docs/auditor/10.8/addon/connectwise/_category_.json b/docs/auditor/10.8/addon/connectwise/_category_.json
new file mode 100644
index 0000000000..6b7787d37e
--- /dev/null
+++ b/docs/auditor/10.8/addon/connectwise/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "ConnectWise Manage",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/connectwise/configure.md b/docs/auditor/10.8/addon/connectwise/configure.md
new file mode 100644
index 0000000000..aecff8bc58
--- /dev/null
+++ b/docs/auditor/10.8/addon/connectwise/configure.md
@@ -0,0 +1,85 @@
+---
+title: "Configure ConnectWise"
+description: "Configure ConnectWise"
+sidebar_position: 20
+---
+
+# Configure ConnectWise
+
+This section describes how to configure settings of the main add-on component, Netwrix Auditor
+**ConnectWise Manage Integration Service** that is required for connection to ConnectWise Manage and
+service ticket creation.
+
+Follow the steps to configure ConnectWise.
+
+**Step 1 –** To connect to ConnectWise Manage REST API, the API keys will be required. To obtain
+them, you will need an API Member account. See
+[this article](https://docs.connectwise.com/ConnectWise_Documentation/090/040/010/040) for details.
+
+**Step 2 –** Navigate to the add-on folder and run ConfigureConnection.exe. Follow the steps of the
+wizard to configure connection to ConnectWise Manage and ticketing options. At the Connection Setup
+step, specify the following:
+
+
+
+| Parameter | Description |
+| ---------- | --------------------------------------------------------------------------------------------- |
+| Site | URL of ConnectWise Manage system. |
+| Company ID | The ID of ConnectWise Manage subscriber (Managed Service Provider). |
+| PublicKey | Public key you obtained for the API Member — it will be used to access ConnectWise REST API. |
+| PrivateKey | Private key you obtained for the API Member — it will be used to access ConnectWise REST API. |
+
+**Step 3 –** At the Service Ticket Routing step, specify the following:
+
+
+
+| Parameter | Description |
+| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Company | Organization that will be recorded as ticket originator — this can be a company or MSP's managed client. |
+| Service Board | Service board where the tickets will be processed. Service tickets created by the add-on will be assigned the default ticket status for the selected service board. |
+| Service Team | Service team that will be responsible for tickets handling. |
+| Priority | Priority for ticket handling. Default is _Priority 3 — Normal Response_. |
+
+**Step 4 –** Configure how Auditor activity record fields will be mapped with **ConnectWise Manage**
+ticket fields.
+
+
+
+| Parameter | Description |
+| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Title | Specify how the Title field of the service ticket will be filled in. Default: [Netwrix Auditor] %AlertName% That is, the Title field for tickets originating from Netwrix alerts will include the alert name with [Netwrix Auditor] prefix (e.g., _[Netwrix Auditor] Password Reset)_. |
+| Summary | Specify how the Summary field of the service ticket will be filled in. By default, it will contain the following detailed information received from the corresponding Auditor alert and activity record: Alert Details: Who: %Who% Action: %Action% Object type: %ObjectType% What: %What% When: %When% Where: %Where% Workstation: %Workstation% Details: %Details% Data source: %DataSource% Monitoring plan: %MonitoringPlanName% Item: %Item% Sent by Netwrix Auditor from %Computer% |
+| Severity Level | Specify what severity level will be assigned to the service tickets. Default is Medium. |
+| Business Impact | Specify what business impact level will be assigned to the service tickets. Default is Medium. |
+
+Optionally, you can click the Create Test Ticket button — then a test ticket will be created in
+ConnectWise Manage to help you verify the connection and ticketing settings you configured.
+Its Summary field will contain _[Netwrix Auditor] Test Alert_; its Initial Description field will
+contain _This ticket was created to test the functionality of Netwrix Auditor Add-on for ConnectWise
+Manage_. Also, the test ticket will have a sample attachment (_TestAttachment.txt_).
+
+
+**Step 5 –** Finally, at the **Summary** step, review the location of configuration file with the
+settings you specified: _C:\Addon\ITSM_CW\ConnectWiseSettings.xml_.
+
+
+
+If needed, you can edit the configuration file manually. See the
+[Connection and Ticketing Settings](/docs/auditor/10.8/addon/connectwise/connectionticketingsettings.md) topic for additional
+information.
+
+Click **Finish** to restart the add-on service so that the changes can take effect.
+
+## Transferring Configuration
+
+If necessary, you can use configuration file created with this wizard as a template for multiple
+managed clients. Perform the following steps:
+
+**Step 1 –** Open the file path provided at the **Summary** step of the wizard.
+
+**Step 2 –** Locate the **ConnectWiseSettings.xml** file and copy it to the add-on folder on another
+client's server.
+
+**Step 3 –** Then run ConfigureConnection.exe on that server to launch the configuration wizard and
+specify the necessary settings — for example, provide the managed client company name at the
+**Service Ticket Routing** step, and so on.
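Review bot: "Transferring Configuration" tells readers to copy ConnectWiseSettings.xml to another client's server, but Step 5 describes that file as holding "the settings you specified", which per Step 2 include the PublicKey and PrivateKey, so the procedure spreads one API Member's keys to every managed client's host. State whether the keys are stored encrypted or in clear text, and either recommend restricting access to the file or tell readers to enter per-client keys when they re-run the wizard in Step 3. Field naming is also inconsistent: the Step 4 table maps "[Netwrix Auditor] %AlertName%" to Title and the alert details to Summary, while the test-ticket paragraph (and connectionticketingsettings.md in this same patch) call them Summary and Initial Description. The runs of blank lines after "specify the following:" and after Step 5 look like screenshots that did not survive; restore them or remove the gaps.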
diff --git a/docs/auditor/10.8/addon/connectwise/connectionticketingsettings.md b/docs/auditor/10.8/addon/connectwise/connectionticketingsettings.md
new file mode 100644
index 0000000000..328db8ff00
--- /dev/null
+++ b/docs/auditor/10.8/addon/connectwise/connectionticketingsettings.md
@@ -0,0 +1,112 @@
+---
+title: "Connection and Ticketing Settings"
+description: "Connection and Ticketing Settings"
+sidebar_position: 40
+---
+
+# Connection and Ticketing Settings
+
+It is recommended that you use configuration wizard to specify connection and ticketing settings.
+However, you can adjust them manually, using the information provided in this section.
+
+## Settings for ConnectWise Ticket Creation
+
+Specify how data arriving from Auditor should be used to fill in ConnectWise ticket fields. For
+that, review `` section of the ConnectWiseSettings.xml file. The parameters inside
+this section correspond to ConnectWise ticket fields and use the same naming (e.g., priority,
+urgency).
+
+Each `` includes the `` and `` pair that defines a
+ConnectWise ticket field and a value that will be assigned to it. For most parameters, default
+values are provided. Add more ticket parameters or update values if necessary.
+
+| `` | `` | Description |
+| ------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Summary | [Netwrix Auditor] %AlertName% | Instructs the system to fill in the Summary ticket field with the Auditor alert name (e.g., _[Netwrix Auditor] Password Reset)_. |
+| InitialDescription | Alert Details: Who: %Who% Action: %Action% Object type: %ObjectType% What: %What% When: %When% Where: %Where% Workstation: %Workstation% Details: %Details% Data source: %DataSource% Monitoring plan: %MonitoringPlanName% Item: %Item% Sent by Netwrix Auditor from %Computer% | Instructs the system to fill in the InitialDescription ticket field with the Auditor activity record data. To read more about activity records, see the [Reference for Creating Activity Records](/docs/auditor/10.8/api/activityrecordreference.md) topic for additional information. You may need to fill in the internal description intended for use by MSP only (this description will not be visible to managed clients), perform the following steps: **Step 1 –** Run the configuration wizard (or modify _ConnectWiseSettings.xml_) to specify the settings you need. **Step 2 –** Then open _ConnectWiseSettings.xml_ for edit. **Step 3 –** Locate the **InitialDescription** parameter and change the Name attribute to _initialInternalAnalysis_. |
+| Impact/Urgency | Medium | Instructs the system to set ticket Impact/Urgency to _Medium_. |
+
+## Parameters for Handling Related Tickets
+
+Review the `` section. It shows what information about related tickets will
+be included in your current ticket. Update the template if necessary.
+
+| CorrelationTicketFormat | Description |
+| --------------------------------------------------- | --------------------------------------------------------------------------------------------------------- |
+| Previous incident for the same alert type: Id: %id% | The service will automatically substitute parameters from this section with values from a related ticket. |
+
+## Parameters for Reopening Tickets
+
+Review the `` section. It defines the tickets the add-on can reopen
+automatically.
+
+| Name | Description |
+| ------------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| ClosedTicketStates TicketState | Lists closed ticket statuses. By default, resolved, closed, and canceled tickets can be reopened. To specify a new status, provide its ID in the `` tag (e.g., 8 for canceled). |
+| NewState | Defines a ticket status once it is reopened. By default, is set to _new_. To specify another status, provide its ID in the `` tag (e.g., _1_ for _new_). |
+
+When finished, save your changes to configuration file.
+
+Remember to restart the add-on service every time you update any of configuration files.
+
+## Review Other Parameters
+
+You can update other parameters with your own values if necessary; however, it is recommended that
+you contact Netwrixbefore modifying this section.
+
+| Name | Description |
+| --------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| IgnoreUploadAttachmentError | Instructs the add on to ignore the attachment upload errors. - If false, a corresponding error message will be displayed. - If true, the file that failed to upload will be stored to the **MissingAttachments** subfolder in the add-on folder. Error message will not appear on the screen; instead, the following record will be written to the add-on log: _Attached files for ticket id: `{0}` dumped: '`{attachmentPath}`'_ Default parameter value is **true**. |
+
+You can also review the `` section. It shows information related to ConnectWise
+Manage objects.
+
+Example:
+
+```xml
+
+
+ company
+
+
+ id
+
+ 42
+
+
+
+
+
+ board
+
+
+ id
+
+ 1
+
+
+
+
+
+ priority
+
+
+ id
+
+ 4
+
+
+
+
+
+ team
+
+
+ id
+
+ 25
+
+
+
+
+```
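Review bot: Every XML element name in this topic has been dropped, leaving empty code spans. This affects the "review ... section of the ConnectWiseSettings.xml file" sentence, the "Each ... includes the ... and ... pair" sentence, the first table's two header cells, both "provide its ID in the ... tag" cells, and the closing example, which now holds only bare values (company, id, 42 and so on) inside an xml fence. A reader cannot locate any of these sections in ConnectWiseSettings.xml from this text. Restore the names, escaping the angle brackets or keeping them in inline code so the renderer does not strip them. Also: "Netwrixbefore" is missing a space, the InitialDescription cell buries a three-step procedure inside a table cell and would read better below the table, and the IgnoreUploadAttachmentError row should make explicit that with the default of true a failed upload is only written to the log, so operators know to watch the MissingAttachments subfolder.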
diff --git a/docs/auditor/10.8/addon/connectwise/deployment.md b/docs/auditor/10.8/addon/connectwise/deployment.md
new file mode 100644
index 0000000000..bac39990cf
--- /dev/null
+++ b/docs/auditor/10.8/addon/connectwise/deployment.md
@@ -0,0 +1,44 @@
+---
+title: "Deploy the Add-On"
+description: "Deploy the Add-On"
+sidebar_position: 10
+---
+
+# Deploy the Add-On
+
+Follow the steps to deploy the Add-On for ConnectWise.
+
+**Step 1 –** Prepare Auditor for using the add-on:
+
+1. In the Auditor settings, enable Integration API and specify connection port. See the
+ [Integrations](/docs/auditor/10.8/admin/settings/integrations.md) topic for additional information.
+2. Make sure your monitoring plans set up in Auditor are using Audit Databases to store collected
+ data. See the [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topic for additional
+ information.
+
+**Step 2 –** Download the add-on package and copy it to the computer where Auditor Server resides.
+
+**Step 3 –** Unpack the ZIP archive to a folder of your choice; by default, it will be unpacked to
+the Netwrix Auditor Add-On for ConnectWise Manage folder.
+
+**Step 4 –** Run the install.cmd file. It will deploy and enable the Netwrix Auditor **ConnectWise
+Manage Integration Service**.
+
+**Step 5 –** Run the ConfigureConnection.exe and follow the steps of the wizard to configure
+connection and ticketing settings for ConectWise Manage. See the
+[Configure ConnectWise ](/docs/auditor/10.8/addon/connectwise/configure.md)topic for additional information.
+
+**Step 6 –** (optional) To adjust the add-on operation and data flow settings, edit the
+ITSMSettings.xml file. See the [Operational Settings](/docs/auditor/10.8/addon/connectwise/operationalsettings.md) topic for additional
+information.
+
+**Step 7 –** In Auditor, go to Alerts, select the required alerts, click Edit, and in the Response
+Action section of the alert properties specify the full path to Netwrix.ITSM.AlertResponseAction.exe
+file (the add-on component responsible for alert handling), for example,
+_C:\Addon\ITSM_CW\Netwrix.ITSM.AlertResponseAction.exe_.
+
+## Enabling TLS 1.2 Usage
+
+The add-on supports Transport Layer Security (TLS) 1.2 security protocol. By default, this
+capability is disabled. To enable it, in the **ConnectWiseSettings.xml**, locate the
+**``** parameter and set its value to _TRUE_.
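Review bot: The "Enabling TLS 1.2 Usage" section names no parameter: "locate the" is followed by an empty bold code span, so the one setting a reader must change is missing. Restore the element name. Since the capability is "disabled" by default, also say what the add-on uses when it is off, and consider referencing this setting from Step 5 so it is not missed as a trailing section. Typos: "ConectWise Manage" in Step 5, and the link text "[Configure ConnectWise ]" has a trailing space and no space before "topic".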
diff --git a/docs/auditor/10.8/addon/connectwise/msp.md b/docs/auditor/10.8/addon/connectwise/msp.md
new file mode 100644
index 0000000000..c7d5d8308e
--- /dev/null
+++ b/docs/auditor/10.8/addon/connectwise/msp.md
@@ -0,0 +1,27 @@
+---
+title: "MSP Usage Example"
+description: "MSP Usage Example"
+sidebar_position: 30
+---
+
+# MSP Usage Example
+
+Consider a situation when a password is reset for a user, computer, or **inetOrgPerson** account.
+
+After deploying and configuring the add-on as described in this guide, the MSP (Managed Service
+Providers) staff member enabled Auditor integration feature:
+
+
+
+Also, she enabled the ‘**Password Reset**’ alert from the Auditor predefined set of alerts and
+specified the add-on launch as response action.
+
+
+
+Then a new ticket is automatically created shortly after any account password is reset.
+
+All necessary details about the case are automatically entered into the ConnectWise ticket (_Initial
+Description_ field), including the name of the workstation, the name of the account in question, and
+the time when the event occurred:
+
+
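Review bot: Two sentences end in a colon ("enabled Auditor integration feature:" and "the time when the event occurred:") and a third sets up a screenshot, but each is followed only by blank lines, so the example shows nothing. Restore the image references or reword so the text stands on its own. "the MSP (Managed Service Providers) staff member" should expand to the singular, and the tense shifts from "enabled" to "is automatically created" within the same scenario.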
diff --git a/docs/auditor/10.8/addon/connectwise/operationalsettings.md b/docs/auditor/10.8/addon/connectwise/operationalsettings.md
new file mode 100644
index 0000000000..3c7c99de1d
--- /dev/null
+++ b/docs/auditor/10.8/addon/connectwise/operationalsettings.md
@@ -0,0 +1,48 @@
+---
+title: "Operational Settings"
+description: "Operational Settings"
+sidebar_position: 50
+---
+
+# Operational Settings
+
+This section describes how to configure settings of the main add-on component, Netwrix Auditor
+**ConnectWise Manage Integration Service**, required for its operation, including connection to
+Auditor Server, activity records processing, queuing and forwarding, ticket creation, and so on.
+
+For that, follow the steps:
+
+**Step 1 –** Navigate to the add-on folder and select ITSMSettings.xml.
+
+**Step 2 –** Define operational parameters such as Auditor connection settings, the number of
+tickets the service can create per hour, ability to reopen closed tickets, etc. For most parameters,
+default values are provided. You can adjust them depending on your execution scenario and security
+policies. Use the following format: `value`.
+
+| Parameter | Default value | Description |
+| ----------------------------------- | ---------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| NetwrixAuditorHost | https://localhost:9699 | The add-on runs on the computer where Auditor Server resides and uses the default Integration API port (TCP port **9699**). To specify a non-default port, provide a new port number (e.g., _https://localhost:8788_). The add-on must always run locally, on the computer where Auditor Server resides. |
+| NetwrixAuditorUserName | — | Unless specified, the Netwrix Auditor **ConnectWise Manage Integration Service** runs under the LocalSystem account. If you want this service to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format in this parameter value. The user account for running the service and connecting to Auditor Server must be granted the Global administrator role in Auditor or be a member of the Netwrix Auditor **Administrators** group. It must also have sufficient permissions to create files on the local computer. |
+| NetwrixAuditorPassword | — | Provide a password for the account. Unless an account is specified, the service runs under the LocalSystem account and does not require a password. |
+| TicketFloodLimit | 10 | Specify the maximum number of standalone tickets the service can create during TicketFloodInterval. If a ticket flood limit is reached, the service writes all new alerts into a single ticket. |
+| TicketFloodInterval | 3600 | Specify the time period, in seconds. During this time period, the service can create as many tickets as specified in TicketFloodLimit. The default value is 3600 seconds, i.e., 1 hour. |
+| ConsolidationInterval | 900 | Specify the time period, in seconds. During this time period, the service does not process similar alerts as they happen but consolidates them before updating open tickets. The default values is 900 seconds, i.e., 15 minutes. This option works in combination with UpdateTicketOnRepetitiveAlertsand is helpful if you want to reduce the number of ticket updates on ConnectWise Manage side. I.e., this option defines the maximum delay for processing alerts and updating existing tickets. Tickets for new alert types are created immediately. For example, a new alert is triggered—the service opens a new ticket. The alert keeps firing 20 times more within 10 minutes. Instead of updating the ticket every time, the service consolidates alerts for 15 minutes, and then updates a ticket just once with all collected data. |
+| CheckAlertQueueInterval | 5 | Internal parameter. Check and process the alert queue every N seconds; in seconds. |
+| UpdateTicketOnRepetitiveAlerts | true | Instead of creating a new ticket, update an existing active ticket if a similar alert occurs within UpdateInterval. To open a new ticket for every alert, set the parameter to _"false"_. |
+| ReopenTicketOnRepetitiveAlerts | true | Instead of creating a new ticket, reopen an existing ticket that is in a closed state (be default, closed, canceled, and resolved) if a similar alert occurs within UpdateInterval. This option works only when UpdateTicketOnRepetitiveAlerts is set to _"true"_. If you want to reopen closed tickets, you must be granted the right to perform Write operations on inactive tickets. |
+| UpdateInterval | 86400 | Specify the time period, in seconds. If a similar alert occurs in less than N seconds, it is treated as a part of an existing ticket. The default value is 86400 seconds, i.e., 24 hours. If an alerts is triggered after the UpdateInterval is over, a new ticket is created. |
+| EnableTicketCorrelation | true | Review history and complement new tickets with information about similar tickets created previously. This information is written to the Description field. This option is helpful if you want to see if there is any correlation between past tickets (from the last month, by default) and a current ticket. |
+| CorrelationInterval | 2592000 | Specify the time period, in seconds. During this time period, the service treats similar tickets as related and complements a new ticket with data from a previous ticket. The default value is 2592000 seconds, i.e., 1 month. Information on alerts that are older than 1 month is removed from internal service storage. |
+| ProcessActivityRecord QueueInterval | 5 | Internal parameter. Process activity record queue every N seconds; in seconds. |
+| DisplayOnlyFirstActivityRecord | true | Add only the first activity record in the work notes, activity records that update this ticket will be added as attachments to this ticket. If false, all activity records will be displayed in the ticket work notes. |
+| ActivityRecordRequestsRetention | | |
+| RequestLimit | 5000 | Internal parameter. The maximum number of activity record requests the service can store in its internal memory. Once the limit is reached, the service clears activity record requests starting with older ones. |
+| RequestLimitInterval | 604800 | Internal parameter. The service can store the activity record requests not older than N seconds; in seconds. Older activity record requests are cleared. |
+| ActivityRecordWebRequests | | |
+| RequestLimit | 200 | Internal parameter. The maximum number of activity records the service can retrieve in a single request. |
+| RequestTimeout | 180 | Internal parameter. By default, 3 minutes. Defines the connection timeout. |
+| TicketRequestsRetention | | |
+| RequestLimit | 300000 | Internal parameter. The maximum number of ticket requests the service can store in its internal memory. Once the limit is reached, the service clears ticket requests starting with older ones. |
+| RequestLimitInterval | 604800 | Internal parameter. The service can store the ticket requests not older than N seconds; in seconds. Older tickets requests are cleared. |
+
+**Step 3 –** Restart the service every time you update ITSMSettings.xml configuration file.
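Review bot: The NetwrixAuditorUserName and NetwrixAuditorPassword rows put the credentials of an account that "must be granted the Global administrator role" into ITSMSettings.xml, and neither row says whether the password is stored in clear text or how the file should be protected. Document that, and recommend the LocalSystem default where it is sufficient. In Step 2, "Use the following format:" is followed by a code span containing only "value", so the element syntax was lost. In the table, RequestLimit and RequestLimitInterval repeat under three header-like rows with empty cells (ActivityRecordRequestsRetention, ActivityRecordWebRequests, TicketRequestsRetention); a flat table hides which parent each belongs to, so split them into sub-tables or prefix the names. Typos: "UpdateTicketOnRepetitiveAlertsand", "ProcessActivityRecord QueueInterval" (space inside the name), "be default", "default values is", "an alerts is".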
diff --git a/docs/auditor/10.8/addon/connectwise/overview.md b/docs/auditor/10.8/addon/connectwise/overview.md
new file mode 100644
index 0000000000..ad0ec483ed
--- /dev/null
+++ b/docs/auditor/10.8/addon/connectwise/overview.md
@@ -0,0 +1,81 @@
+---
+title: "ConnectWise Manage"
+description: "ConnectWise Manage"
+sidebar_position: 50
+---
+
+# ConnectWise Manage
+
+Managed Service Providers (MSP) need to effectively utilize and standardize IT service management
+tools. Those who use for that purpose the ConnectWise Manage solution usually have similar processes
+in place:
+
+- When an incident or a problem occurs in the IT environment, managed client sends (usually by
+ email) a request to the MSP’s service desk. A service ticket is then created manually or
+ automatically in ConnectWise Manage.
+- Each ticket is assigned to authorized personnel for investigation and resolution in accordance
+ with the existing workflow.
+- To control ticket handling and report on statistics, ConnectWise service boards are used.
+
+Netwrix has built a ready-to-use add-on that automates incident management, automatically creating
+service tickets for security alerts triggered by Netwrix Auditor This integration brings in the
+following benefits:
+
+- Seamless integration with the existing MSP service process
+- Speeding up the process of restoring secure, normal business service
+- Minimizing the gap between incident detection and the start of a resolution process
+- Automating ticket handling and reducing human errors that could impact its quality
+- Meeting or exceeding service level agreements (SLAs) while saving time and effort
+
+To implement the solution, Managed Service Provider does the following on the client side:
+
+1. Deploys and maintains Netwrix Auditor that monitors users’ activity and configuration changes
+2. Installs and configures integration solution (add-on) on Netwrix Auditor Server
+3. Controls ticket resolution and corrective measures
+
+On a high level, the workflow is as follows:
+
+
+
+1. Managed Service Provider installs and configures the add-on on AuditorServer. MSP also enables
+ the necessary alerts in Netwrix Auditor, specifying add-on launch as the response action in the
+ alert settings.
+2. Whenever the alert is triggered, the add-on uses the Integration API to retrieve activity record
+ for the original event from the audit store. An activity record contains the user account,
+ action, time, and other details. The add-on creates a service ticket in ConnectWise Manage,
+ populates it with data from the activity record, and assigns Impact, Priority and SLA status to
+ the ticket.
+3. The designated service team performs data analysis and root cause detection to resolve the
+ ticket; MSP is notified of the results and possible response actions to take on the client side.
+4. MSP performs actions for incident response.
+
+Solution architecture and key components are shown in the figure below:
+
+
+
+- **Alert Handler (Netwrix.ITSM.AlertResponseAction.exe)** — the executable that is specified in the
+ Auditor alerts as the response action. Alert Handler:
+ 1. Receives the IDs of the alert and associated activity record.
+ 2. Forwards them to the Netwrix AuditorConnectWise Manage Integration Service over RPC, putting
+ the alert into the service queue.
+
+For details on the alert response action, see the
+[Configure a Response Action for Alert](/docs/auditor/10.8/admin/alertsettings/responseaction.md) topic for
+additional information.
+
+- **Netwrix Auditor ConnectWise Manage Integration Service (Netwrix.ITSM.IntegrationServiceCW.exe)**
+ — the main component of the solution, implemented as Windows service. It does the following:
+ 1. Interacts with Auditor via its Integration API to retrieve the activity records from the
+ Audit Database by record ID.
+ 2. Forwards activity record data to ConnectWise Manage via its REST API, creates a new service
+ ticket and populates its properties, as specified by user in the add-on configuration.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| Location | Prerequisites |
+| ------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Auditor Server | - The add-on supports Auditor version 9.96. - The add-on will run on the computer where Auditor Server works, so the add-on package should be copied to that machine. - For add-on operation, **NET 4.5** framework is required on Auditor Server. - Starting with add-on build 1.0.12.0, **TLS 1.2** protocol is supported. By default, this capability is disabled. For detailed information on enabling it, see the [Deploy the Add-On](/docs/auditor/10.8/addon/connectwise/deployment.md) topic for additional information. **Auditor settings** - The Audit Database settings should be configured in Auditor Server. - Monitoring plans should be configured to store data to the Audit Database. - The **TCP 9699** port (default Integration API port) should be open for inbound connections. **Required permissions** - Unless specified, the **Netwrix.ITSM.IntegrationServiceCW.exe** Windows service (main add-on co mponent) will run under the **LocalSystem** account. - The account that will be used by Netwrix.ITSM.IntegrationServiceCW.exe component to access Auditor Server must be granted the Global administrator role in Auditor. -OR- be a member of the Netwrix Auditor **Administrators** group. |
+| ConnectWise Manage | - By default, the add-on connects to the latest version of the ConnectWise Manage application (v4_6_release). **Required permissions** - To connect to ConnectWise Manage via its REST API, you will require an API Member account — it is needed to log in to ConnectWise Manage. See [this article](https://docs.connectwise.com/ConnectWise_Documentation/090/040/010/040) for details. - It is recommended to assign the **API Member** account to a limited security role with the following permissions: - **System** – **Table Setup** – **Inquire Level** = **All** - **Companies** – **Company Maintenance** – **Add(all)**, **Inquire(all)** - **Companies** – **Manage Attachments** – **Add(all)**, **Inquire(all)** - **Service Desk** – **Service Tickets** – **Add(all)**, **Inquire(all)** |
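Review bot: In the Auditor Server row, "Starting with add-on build 1.0.12.0, **TLS 1.2** protocol is supported. By default, this capability is disabled" leaves the reader not knowing which protocol is used out of the box. Suggest stating the default and recommending that TLS 1.2 be enabled during deployment. The same row says "The add-on supports Auditor version 9.96" although the page links into /docs/auditor/10.8/, so the supported version needs checking. Also fix the split word "co mponent" and the doubled phrasing "For detailed information on enabling it, see the ... topic for additional information". The " - " items and the "-OR-" are flattened into one table cell and will render as running text rather than a list.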
diff --git a/docs/auditor/10.8/addon/copilot/_category_.json b/docs/auditor/10.8/addon/copilot/_category_.json
new file mode 100644
index 0000000000..901ff91fa5
--- /dev/null
+++ b/docs/auditor/10.8/addon/copilot/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Copilot",
+ "position": 70,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/copilot/collecteddata.md b/docs/auditor/10.8/addon/copilot/collecteddata.md
new file mode 100644
index 0000000000..32c1b9d4a0
--- /dev/null
+++ b/docs/auditor/10.8/addon/copilot/collecteddata.md
@@ -0,0 +1,25 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 20
+---
+
+# Work with Collected Data
+
+To leverage data collected with the add-on, you can do the following in Auditor:
+
+- Search for required data. For that, start Auditor client and navigate to **Search**. After
+ specifying the criteria you need, click **Search**. You will get a list of activity records with
+ detailed information on who did what in the reported time period.
+
+You might want to apply a filter to narrow down your search results to the Netwrix API data source
+only.
+
+- You can also click **Tools** in the upper-right corner and select the command you need. For
+ example:
+ - If you want to periodically receive the report on the results of search with the specified
+ criteria, click **Subscribe**. Then specify how you want the report to be delivered – as an
+ email or as a file stored to the file share.
+ - To create an alert on the specific occurrences, click **Create alert**.
+ - To export filtered data to PDF or CSV, click **Export data**.
+- You can also configure and receive alerts on the events you are interested in.
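Review bot: The sentence "You might want to apply a filter to narrow down your search results to the Netwrix API data source only." sits at column 0 between two bullets, so it ends the list and the "Tools" bullet starts a new one. Indent it under the first bullet so it reads as part of the Search item. This page also lacks the "See the following topics for additional information" links to Alerts, Search and Subscriptions that the CTERA and CyberArk versions of the same page carry.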
diff --git a/docs/auditor/10.8/addon/copilot/deployment.md b/docs/auditor/10.8/addon/copilot/deployment.md
new file mode 100644
index 0000000000..c3d4a8a8cc
--- /dev/null
+++ b/docs/auditor/10.8/addon/copilot/deployment.md
@@ -0,0 +1,50 @@
+---
+title: "Deployment Procedure"
+description: "Deployment Procedure"
+sidebar_position: 10
+---
+
+# Deployment Procedure
+
+Follow the steps to install Microsoft Copilot add-on.
+
+**Step 1 –** Accept EULA.
+
+**Step 2 –** Select the installation folder and click **Next**.
+
+**Step 3 –** Click **Install**. The wizard will start and ask the additional parameters.
+
+## Configure Copilot for Monitoring
+
+Follow the steps to configure Copilot for monitoring.
+
+**Step 1 –** Make sure you have a storage account to store logs. To reduce the volume of the stored
+logs and the corresponding cost, it is recommended to create a rule in Life Cycle Management for
+this storage. Netwrix Auditor doesn't need historic logs, after the add-on has written them into the
+database. Refer to the
+[corresponding Microsoft article](https://learn.microsoft.com/en-us/azure/storage/blobs/lifecycle-management-overview?tabs=azure-portal)
+for additional information.
+
+**Step 2 –** Register an Azure App and grant it the following permissions:
+
+- Microsoft.Graph — Domain.Read.All
+- Office 365 Management APIs — ActivityFeed.Read
+
+## Configure the add-on
+
+Follow the steps to configure the add-on.
+
+**Step 1 –** Specify Active Directory credentials.
+
+- Username – Provide the name of the account under which the service runs. Unless specified, the
+ service runs under the account currently logged on.
+- Password – Provide the password for the selected account.
+
+
+
+**Step 2 –** Enter Tenant ID, App ID and App Secret of the Azure App you registered for the add-on.
+Click **Next**.
+
+
+
+**Step 3 –** Click **Run** and close the window. The service should start the data collection now.
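Review bot: Step 2 under "Configure the add-on" has the reader enter the Tenant ID, App ID and App Secret, but nothing says where the add-on stores the secret, how it is protected, or how to update it when the secret expires or is rotated. Please document that. Step 2 under "Configure Copilot for Monitoring" should state whether Domain.Read.All and ActivityFeed.Read are application or delegated permissions and whether admin consent is needed. Step 1 there requires a storage account, yet no later step explains how logs reach it or where the add-on is pointed at it. "Unless specified, the service runs under the account currently logged on" deserves a recommendation for a dedicated service account. The two pairs of empty lines after the credential bullets and after Step 2 look like stripped screenshots.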
diff --git a/docs/auditor/10.8/addon/copilot/overview.md b/docs/auditor/10.8/addon/copilot/overview.md
new file mode 100644
index 0000000000..7674d23bb5
--- /dev/null
+++ b/docs/auditor/10.8/addon/copilot/overview.md
@@ -0,0 +1,51 @@
+---
+title: "Copilot"
+description: "Copilot"
+sidebar_position: 70
+---
+
+# Copilot
+
+Microsoft Copilot is an AI-powered assistant designed to help users in Microsoft 365 apps like Word,
+Excel, and Teams. It leverages large language models to assist with tasks such as generating
+content, analyzing data, and automating workflows.
+
+To retrieve activity logs on Copilot interactions, the Add-on requires an Azure App registration.
+This allows the application to interact with Microsoft services by obtaining necessary logs and data
+related to Copilot activity.
+
+The Netwrix Auditor Add-On for Microsoft Copilot works in collaboration with Netwrix Auditor. To get
+the add-on up and running, refer the following topics:
+
+- [Deployment Procedure](/docs/auditor/10.8/addon/copilot/deployment.md)
+- [Work with Collected Data](/docs/auditor/10.8/addon/copilot/collecteddata.md)
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+- The Audit Database settings are configured in Auditor Server. See the
+ [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and
+ [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information.
+- The TCP 9699 port (default Integration API port) is open for inbound connections.
+- The user writing data to the Audit Database is granted the Contributor role in Auditor. See the
+ [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional
+ information.
+- Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor
+ Administrators group. In this case, this user will have the most extended permissions in the
+ product.
+- Active Directory Domain Services or Microsoft Entra Kerberos is used as an Identity source. See
+ the [Deployment Procedure](/docs/auditor/10.8/addon/azurefiles/deployment.md) topic for additional information.
+
+## How the Copilot Add-on Works
+
+On a high level, the add-on works as follows:
+
+- The add-on collects integration logs from the specified Azure storage account. This includes the
+ information about the documents that have been used.
+- The add-on reworking the collected logs into the Netwrix Auditor compatible format, which is
+ Activity Records. Each Activity Record contains the user information, such as an account, action,
+ time, and other details.
+- Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server,
+ which writes them to the Long-Term Archive and the Audit Database.
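Review bot: The last Prerequisites bullet, "Active Directory Domain Services or Microsoft Entra Kerberos is used as an Identity source", links to /docs/auditor/10.8/addon/azurefiles/deployment.md, which looks carried over from the Azure Files add-on. Confirm that the requirement applies to Copilot and point the link at the Copilot deployment page, or drop the bullet. The "Alternatively, you can grant the Global administrator role" bullet is a continuation of the Contributor bullet and should be nested under it, with Contributor called out as the preferred option since the text itself says the alternative gives "the most extended permissions in the product". Wording: "refer the following topics" should read "refer to the following topics", and "The add-on reworking the collected logs" should read "The add-on converts the collected logs".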
diff --git a/docs/auditor/10.8/addon/ctera/_category_.json b/docs/auditor/10.8/addon/ctera/_category_.json
new file mode 100644
index 0000000000..452718b09e
--- /dev/null
+++ b/docs/auditor/10.8/addon/ctera/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Ctera",
+ "position": 60,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/ctera/collecteddata.md b/docs/auditor/10.8/addon/ctera/collecteddata.md
new file mode 100644
index 0000000000..c233d88d49
--- /dev/null
+++ b/docs/auditor/10.8/addon/ctera/collecteddata.md
@@ -0,0 +1,57 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 30
+---
+
+# Work with Collected Data
+
+To leverage data collected with the add-on, you can do the following in Auditor:
+
+- Search for required data. For that, start Auditor client and navigate to **Search**. After
+ specifying the criteria you need, click **Search**. You will get a list of activity records with
+ detailed information on who did what in the reported time period.
+
+You can apply a filter to narrow down your search results to the Netwrix **API** data source only.
+
+
+
+- Also, you can click **Tools** in the upper-right corner and select the command you need. For
+ example:
+ - If you want to periodically receive the report on the results of search with the specified
+ criteria, click **Subscribe**. Then specify how you want the report to be delivered – as an
+ email or as a file stored to the file share.
+ - To create an alert on the specific occurrences, click **Create alert**.
+ - To export filtered data to PDF or CSV, click **Export data**.
+- You can also configure and receive alerts on the events you are interested in.
+
+See the following topics for additional information:
+
+- [Alerts](/docs/auditor/10.8/admin/alertsettings/overview.md)
+- [View and Search Collected Data](/docs/auditor/10.8/admin/search/overview.md)
+- [Subscriptions](/docs/auditor/10.8/admin/subscriptions/overview.md)
+
+To leverage data collected with the add-on, you can do the following in Auditor:
+
+- Search for required data. For that, start Auditor client and navigate to **Search**. After
+ specifying the criteria you need, click **Search**. You will get a list of activity records with
+ detailed information on who did what in the reported time period.
+
+You can apply a filter to narrow down your search results to the Netwrix **API** data source only.
+
+
+
+- Also, you can click **Tools** in the upper-right corner and select the command you need. For
+ example:
+ - If you want to periodically receive the report on the results of search with the specified
+ criteria, click **Subscribe**. Then specify how you want the report to be delivered – as an
+ email or as a file stored to the file share.
+ - To create an alert on the specific occurrences, click **Create alert**.
+ - To export filtered data to PDF or CSV, click **Export data**.
+- You can also configure and receive alerts on the events you are interested in.
+
+See the following topics for additional information:
+
+- [Alerts](/docs/auditor/10.8/admin/alertsettings/overview.md)
+- [View and Search Collected Data](/docs/auditor/10.8/admin/search/overview.md)
+- [Subscriptions](/docs/auditor/10.8/admin/subscriptions/overview.md)
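Review bot: The body of this file appears twice. Everything from "To leverage data collected with the add-on" through the "Subscriptions" link is repeated verbatim in the second half of the hunk. Drop the second copy; the CyberArk version of this page has the content once.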
diff --git a/docs/auditor/10.8/addon/ctera/install.md b/docs/auditor/10.8/addon/ctera/install.md
new file mode 100644
index 0000000000..955178db1f
--- /dev/null
+++ b/docs/auditor/10.8/addon/ctera/install.md
@@ -0,0 +1,24 @@
+---
+title: "Install Add-On"
+description: "Install Add-On"
+sidebar_position: 10
+---
+
+# Install Add-On
+
+Follow the steps to install the Add-On:
+
+**Step 1 –** Navigate to your add-on package.
+
+**Step 2 –** Unzip the Add-On to a desired folder.
+
+**Step 3 –** Run the installation package.
+
+**Step 4 –** Accept the license agreement and follow the instructions of the setup wizard.
+
+**Step 5 –** On the **Destination Folder** step, specify the installation folder (_C:\Program Files
+(x86)\Netwrix Add-ons\_ by default).
+
+**Step 6 –** Click **Install**.
+
+**Step 7 –** When done, click **Finish**.
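Review bot: In Step 5 the default path is wrapped in underscores for italics, "(_C:\Program Files (x86)\Netwrix Add-ons\_ by default)", but the trailing "\_" is a Markdown escape, so the closing underscore is taken literally and the emphasis never closes. Put the path in a code span instead and keep it on one line. Step 1 says "Navigate to your add-on package" without saying where the package comes from; a pointer to the download location would help.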
diff --git a/docs/auditor/10.8/addon/ctera/overview.md b/docs/auditor/10.8/addon/ctera/overview.md
new file mode 100644
index 0000000000..5c04e552b0
--- /dev/null
+++ b/docs/auditor/10.8/addon/ctera/overview.md
@@ -0,0 +1,63 @@
+---
+title: "Ctera"
+description: "Ctera"
+sidebar_position: 60
+---
+
+# Ctera
+
+The add-on works in collaboration with Netwrix Auditor, supplying data about activity on your
+Ctera-based devices. Aggregating data into a single audit trail simplifies analysis, makes activity
+monitoring more cost effective, and helps you keep tabs on your IT infrastructure.
+
+Implemented as a service, this add-on facilitates the data transition from Ctera-based systems to
+Netwrix Auditor. All you have to do is provide connection details and specify parsing rules.
+
+On a high level, the add-on works as follows:
+
+1. The add-on listens to the specified UDP ports and captures designated Syslog messages.
+2. The add-on processes these events into Netwrix Auditor-compatible format (Activity Records). Each
+ Activity Record contains the user account, action, time, and other details.
+3. Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server,
+ which writes them to the Long-Term Archive and the Audit Database.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Integration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the add-on will be installed | - The UDP 514 port is open for inbound connections. - .Net Framework 4.7.2 and above is installed. Review the following Microsoft technical article for additional information on how to install .Net Framework 4.7.2: [Microsoft .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2). |
+
+### Configure Logging for CTERA Edge Filer
+
+Prior to start using the Add-On, configure syslog logging settings on your CTERA Edge Filers. See
+the
+[Configuring Syslog Settings](https://kb.ctera.com/docs/configuring-logging#configuring-syslog-settings)
+article on the CTERA product documentation portal for detailed instructions.
+
+### Accounts and Rights
+
+By default, the add-on will run under the _Local System_ account. The add-on and Auditor must be
+installed on the same server.
+
+### Considerations and Limitations
+
+- The Add-On must be deployed in the same subnet as CTERA Edge Filer and Auditor.
+- If the monitoring plan name in the _``_ add-on configuration parameter is
+ specified incorrectly, this may lead to temp files generation and, therefore, to inefficient disk
+ space usage.
+- If you are using Netwrix Auditor for Network Devices, the 514 UDP port may be already in use, and
+ you should specify another port when configuring the add-on settings (see the
+ [Install Add-On](/docs/auditor/10.8/addon/ctera/install.md) and [Define Parameters](/docs/auditor/10.8/addon/ctera/parameters.md) topics for additional
+ information). Another option is to install the add-on and Auditor Server on different machines.
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
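Review bot: "Accounts and Rights" says "The add-on and Auditor must be installed on the same server", while the last bullet of "Considerations and Limitations" offers "Another option is to install the add-on and Auditor Server on different machines". One of the two has to change. In the second limitations bullet the parameter name is missing: "the _``_ add-on configuration parameter" renders as an empty code span, probably an angle-bracket name that was stripped. The heading and body alternate between "Ctera" and "CTERA"; pick one. The table cells also flatten " - " list items into running text.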
diff --git a/docs/auditor/10.8/addon/ctera/parameters.md b/docs/auditor/10.8/addon/ctera/parameters.md
new file mode 100644
index 0000000000..e142f66165
--- /dev/null
+++ b/docs/auditor/10.8/addon/ctera/parameters.md
@@ -0,0 +1,30 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 20
+---
+
+# Define Parameters
+
+The configuration wizard opens in the default web browser:
+
+
+
+Click **Proceed** and complete the following fields:
+
+| Option | Description |
+| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Specify General Settings | |
+| Listed UDP port | Specify UDP port for listening incoming events. (**514** by default). |
+| Auditor Endpoint | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hostingAuditor Server and uses default port _9699_. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15_, _EnterpriseNAServer_, _WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.ent erprise.local:9999_). Do not modify the endpoint part (_/ netwrix/ api_ ) |
+| Certificate Thumbprint | Netwrix Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check Auditor certificate via Windows Certificate Store. - `AB:BB:CC`—Check Auditor Server certificate thumbprint identifier. - `NOCHECK`—Do not check Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
+| Specify Active Directory credentials | |
+| Username | Provide the name of the account under which the service runs. Unless specified, the service runs under the account currently logged on. |
+| Password | Provide the password for the selected account. |
+| Auditor Monitoring Plan settings | |
+| Auditor Plan | Unless specified, data is written to **Netwrix_Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add- on, make sure a dedicated plan is created in Auditor, the Netwrix **API** data source is added to the plan and enabled for monitoring. Otherwise, the add- on will not be able to write data to the Audit Database. |
+| Auditor Plan Item | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item inAuditor in advance. |
+| Accept List | |
+| Address | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. |
+
+Click **Run** to start collecting data with the Add-On.
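Review bot: The Certificate Thumbprint row tells anyone who specifies servers by IP to select `NOCHECK`, which the same row defines as "Do not check Auditor certificate", so the connection that posts Activity Records goes unvalidated. Please say whether the thumbprint value can be used when the server is given by IP and, if so, recommend that instead, keeping `NOCHECK` for test setups. The table also has extraction-style breakage that will ship as written: "hostingAuditor", "inAuditor", "WKS.ent erprise.local:9999", "_/ netwrix/ api_", "add- on", and "Listed UDP port", which presumably should read "Listening UDP port".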
diff --git a/docs/auditor/10.8/addon/cyberark/_category_.json b/docs/auditor/10.8/addon/cyberark/_category_.json
new file mode 100644
index 0000000000..292dd70ee9
--- /dev/null
+++ b/docs/auditor/10.8/addon/cyberark/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "CyberArk Privileged Access Security",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/cyberark/collecteddata.md b/docs/auditor/10.8/addon/cyberark/collecteddata.md
new file mode 100644
index 0000000000..0da803a426
--- /dev/null
+++ b/docs/auditor/10.8/addon/cyberark/collecteddata.md
@@ -0,0 +1,32 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 30
+---
+
+# Work with Collected Data
+
+To leverage data collected with the add-on, you can do the following in Auditor:
+
+- Search for required data. For that, start Auditor client and navigate to **Search**. After
+ specifying the criteria you need, click **Search**. You will get a list of activity records with
+ detailed information on who did what in the reported time period.
+
+You can apply a filter to narrow down your search results to the Netwrix **API** data source only.
+
+
+
+- Also, you can click **Tools** in the upper-right corner and select the command you need. For
+ example:
+ - If you want to periodically receive the report on the results of search with the specified
+ criteria, click **Subscribe**. Then specify how you want the report to be delivered – as an
+ email or as a file stored to the file share.
+ - To create an alert on the specific occurrences, click **Create alert**.
+ - To export filtered data to PDF or CSV, click **Export data**.
+- You can also configure and receive alerts on the events you are interested in.
+
+See the following topics for additional information:
+
+- [Alerts](/docs/auditor/10.8/admin/alertsettings/overview.md)
+- [View and Search Collected Data](/docs/auditor/10.8/admin/search/overview.md)
+- [Subscriptions](/docs/auditor/10.8/admin/subscriptions/overview.md)
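Review bot: The final bullet, "You can also configure and receive alerts on the events you are interested in", repeats the "Create alert" sub-item two lines above it. Merge the two, or make the last bullet link to the Alerts topic directly so it adds something.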
diff --git a/docs/auditor/10.8/addon/cyberark/deployment.md b/docs/auditor/10.8/addon/cyberark/deployment.md
new file mode 100644
index 0000000000..a47adcc1e5
--- /dev/null
+++ b/docs/auditor/10.8/addon/cyberark/deployment.md
@@ -0,0 +1,126 @@
+---
+title: "Deploy the Add-On"
+description: "Deploy the Add-On"
+sidebar_position: 20
+---
+
+# Deploy the Add-On
+
+Follow the steps to deploy the Add-On:
+
+**Step 1 –** Prepare Auditorfor data processing.
+
+**Step 2 –** Configure Syslog message forwarding in CyberArk.
+
+**Step 3 –** Download the Add-On.
+
+**Step 4 –** Install Add-on.
+
+**Step 5 –** Configure Add-on parameters
+
+## Prepare Auditor for Data Processing
+
+In Auditor client, go to the Integrations section and verify Integration API settings:
+
+1. Make sure the **Leverage Integration API** is switched to **ON**.
+2. Check the TCP communication port number – default is **9699**.
+
+See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) topic for additional information.
+
+By default, activity records are written to _Netwrix_Auditor_API_ database which is not associated
+with a specific monitoring plan.
+
+Optionally, you can create a dedicated monitoring plan in Auditor. In this case, data will be
+written to a database linked to this plan. Target it at Netwrix API data source and enable for
+monitoring. Add a dedicated item of _Integration_ type to the plan for data to be filtered by item
+name. See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information.
+
+In such scenario, you will need to specify this monitoring plan in the _naplan_ and _naplanitem_
+attributes of the _`` ® ``_ configuration parameters. See the
+[Add-On Parameters](/docs/auditor/10.8/addon/cyberark/parameters.md) topic for additional information.
+
+## Configure Syslog Message Forwarding in CyberArk
+
+On the CyberArk side, you need to specify the server that will receive Syslog messages from
+CyberArk, process them and forward to Auditor Server. This will be the add-on installation server
+(the machine where _SyslogService.exe_ runs).
+
+Follow the steps to configure Syslog message forwarding in CyberArk.
+
+**Step 1 –** Log in to your CyberArk system.
+
+**Step 2 –** On the CyberArk server, locate the _%Program Files (x86)%\PrivateArk\Server\Conf_
+folder and open the **dbparam.ini** file for editing.
+
+**Step 3 –** Go to the **[SYSLOG]** section and configure the following parameters:
+
+- **SyslogTranslatorFile** – relative path to **Netwrix.xsl** file. You will need to create this
+ file manually and copy the content of **SyslogTranslator.sample.xsl** file into it. This sample
+ file is provided by CyberArk. By default, it is located in the _%Program Files (x86)
+ %\PrivateArk\Server\Syslog_ folder.
+ Place the _Netwrix.xsl_ file there, too, so that default relative path should be _\Server\Syslog_.
+- **SyslogServerPort** – communication port of the syslog server (i.e. add-on installation server).
+ Default is **514**. Note that if you are using Netwrix Auditor for Network Devices, this port may
+ be already in use, and you should provide another one.
+- **SyslogServerIP** - IP address of the add-on installation server.
+- SyslogServerProtocol – communication protocol for data transfer between CyberArk system and the
+ add-on. Specify **UDP** protocol.
+- **SyslogMessageCodeFilter** - IDs of events to forward. The add-on will only collect and process
+ events you specify in this parameter. For the full list of supported events, see
+ [Monitored Events](/docs/auditor/10.8/addon/cyberark/monitoredevents.md). Use comma as a separator.
+
+
+
+**Step 4 –** Save the **dbparam.ini** file.
+
+## Download the Add-On
+
+**Step 1 –** Download the distribution package **Netwrix_Auditor_Add-on_for_CyberArk_PAS.zip**.
+
+**Step 2 –** Unpack it to a folder on the computer where you plan to deploy the add-on.
+
+_Remember,_ deploy the add-on on the same machine with the Auditor Server.
+
+## Install Add-On
+
+Follow the steps to install the Add-On:
+
+**Step 3 –** Navigate to your add-on package.
+
+**Step 4 –** Unzip the Add-On to a desired folder.
+
+**Step 5 –** Run the installation package.
+
+**Step 6 –** Accept the license agreement and follow the instructions of the setup wizard.
+
+**Step 7 –** On the **Destination Folder** step, specify the installation folder (_C:\Program Files
+(x86)\Netwrix Add-ons\_ by default).
+
+**Step 8 –** Click **Install**.
+
+**Step 9 –** When done, click **Finish**.
+
+## Configure Add-on Parameters
+
+The configuration wizard opens in the default web browser:
+
+
+
+Click **Proceed** and complete the following fields:
+
+| Option | Description |
+| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Specify General Settings | |
+| Listed UDP port | Specify UDP port for listening incoming events. (**514** by default). |
+| Auditor Endpoint | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hostingAuditor Server and uses default port _9699_. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15_, _EnterpriseNAServer_, _WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.ent erprise.local:9999_). Do not modify the endpoint part (_/ netwrix/ api_ ) |
+| Certificate Thumbprint | Netwrix Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check Auditor certificate via Windows Certificate Store. - `AB:BB:CC`—Check Auditor Server certificate thumbprint identifier. - `NOCHECK`—Do not check Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
+| Specify Active Directory credentials | |
+| Username | Provide the name of the account under which the service runs. Unless specified, the service runs under the account currently logged on. |
+| Password | Provide the password for the selected account. |
+| Auditor Monitoring Plan settings | |
+| Auditor Plan | Unless specified, data is written to **Netwrix_Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add- on, make sure a dedicated plan is created in Auditor, the Netwrix **API** data source is added to the plan and enabled for monitoring. Otherwise, the add- on will not be able to write data to the Audit Database. |
+| Auditor Plan Item | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item inAuditor in advance. |
+| Accept List | |
+| Address | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. |
+
+Click **Run** to start collecting data with the Add-On.
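Review bot: The "Install Add-On" section starts at "Step 3" and runs to "Step 9", continuing the numbering from "Download the Add-On"; restart it at Step 1. Its first two steps (navigate, unzip) also repeat the download steps. In "Prepare Auditor for Data Processing" the parameter path is garbled: "attributes of the _`` ® ``_ configuration parameters" has lost its element names. The SYSLOG settings require "Specify **UDP** protocol" for privileged-access events, so the page should direct readers to fill in the Accept List, since that is the only source filter the table describes. "_Remember,_ deploy the add-on on the same machine with the Auditor Server" conflicts with the Auditor Endpoint row's "If you want to run the add-on on another machine". Smaller items: "Auditorfor", the missing period after Step 5 in the opening list, "SyslogServerProtocol" not bolded like its siblings, and "%Program Files (x86)%", which is not a valid environment variable form.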
diff --git a/docs/auditor/10.8/addon/cyberark/monitoredevents.md b/docs/auditor/10.8/addon/cyberark/monitoredevents.md
new file mode 100644
index 0000000000..15b5b05934
--- /dev/null
+++ b/docs/auditor/10.8/addon/cyberark/monitoredevents.md
@@ -0,0 +1,24 @@
+---
+title: "Monitored Events"
+description: "Monitored Events"
+sidebar_position: 40
+---
+
+# Monitored Events
+
+The Add-On supports monitoring of the following syslog events from CyberArk PAS:
+
+| Event ID | Description |
+| -------- | ---------------------------------------------------------------------------------------- |
+| 22 | Password verification by Central Policy Manager (success) |
+| 24 | Password stored in EPV changed by Central Policy Manager (success) |
+| 31 | Password reconciliation by Central Policy Manager (success) |
+| 38 | Password verification by Central Policy Manager (failure) |
+| 57 | Password stored in Enterprise Password Vault changed by Central Policy Manager (failure) |
+| 60 | Password reconciliation by Central Policy Manager (failure) |
+| 130 | Password stored in Enterprise Password Vault disabled by Central Policy Manager |
+| 295 | User retrieved a password stored in Enterprise Password Vault |
+| 300 | User session started in Privileged Session Manager |
+| 302 | User session ended in Privileged Session Manager |
+| 308 | User used a password stored in Enterprise Password Vault |
+| 411 | A window was activated by user in Privileged Session Manager |
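Review bot: Event 24 uses the abbreviation "EPV" while its failure counterpart, event 57, and every other row spell out "Enterprise Password Vault". Use the full name in row 24 so the success and failure descriptions match and a text search for the product name finds both. A sentence linking this list to the **SyslogMessageCodeFilter** parameter on the deployment page would tell readers where these IDs are entered.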
diff --git a/docs/auditor/10.8/addon/cyberark/overview.md b/docs/auditor/10.8/addon/cyberark/overview.md
new file mode 100644
index 0000000000..cbd907f410
--- /dev/null
+++ b/docs/auditor/10.8/addon/cyberark/overview.md
@@ -0,0 +1,114 @@
+---
+title: "CyberArk Privileged Access Security"
+description: "CyberArk Privileged Access Security"
+sidebar_position: 80
+---
+
+# CyberArk Privileged Access Security
+
+Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables
+control over changes, configurations and access in hybrid IT environments to protect data regardless
+of its location. The platform provides security analytics to detect anomalies in user behavior and
+investigate threat patterns before a data breach occurs.
+
+CyberArk offers its Privileged Access Security (PAS) solution for managing the privileged accounts
+and SSH Keys. It enables organizations to manage and monitor all activities associated with the
+privileged identities, for example, Windows server administrator, root on a UNIX server, etc. A
+featured set of the Privileged Access Security tools includes, in particular:
+
+- **Privileged Session Manager** - a tool that enables users to securely connect to remote targets
+ with a standard remote desktop client application, providing isolated sessions.
+- **Enterprise Password Vault** – a tool for storage and centralized management of the privileged
+ accounts; it supports automated changes and logging of the activities associated with all types of
+ privileged passwords and SSH Keys. This tool also includes Central Policy Manager service.
+
+Major benefit of the integrated solution implemented with the Add-On is the increased visibility
+into actions related to CyberArk tools, in particular:
+
+- Visibility into the user account behind the respective isolated session controlled by Privileged
+ Session Manager
+- Visibility into the password-related activities, e.g. password retrieval and further actions made
+ to target application or system, and automatic password update for managed accounts in Enterprise
+ Password Vault and Central Policy Manager.
+
+## How It Works
+
+The add-on is implemented as a syslog service that collects activity data from CyberArk system (PAS)
+and sends it to Auditor using the Integration API.
+
+
+
+The add-on operates as a syslog listener for the CyberArk system. On a high level, the solution
+works as follows:
+
+1. An IT administrator configures Integration API settings to enable data collection and storage to
+ the Audit Databasefor further reporting, search, etc.
+
+ It is recommended to create a dedicated monitoring plan in Auditor and add a dedicated item of
+ **Integration** type to it — then you will be able to filter data in reports and search results
+ by monitoring plan/item name.
+
+2. On the CyberArk server, the administrator opens the **dbparam.ini** file and specifies the
+ parameters for syslog message forwarding, including add-on installation server settings, the IDs
+ of events to be monitored, etc.
+
+ See the [Monitored Events](/docs/auditor/10.8/addon/cyberark/monitoredevents.md) topic for additional information on the events
+ supported for monitoring out of the box.
+
+3. On the add-on installation server, the administrator runs the installation file and configures
+ the Add-On parameters in the configuration wizard.
+4. The add-on starts collecting and forwarding activity data: it listens to the specified UDP port
+ and captures designated syslog messages (CyberArk events).
+5. The add-on processes these events into Auditor-compatible format – activity records. Each
+ activity record contains the _Who-What-When-Where-Action_ information (that is, user account,
+ time, action, and other details).
+6. Using the Integration API, the add-on sends the activity records to Auditor Server that writes
+ them to the Audit Database and Long-Term Archive. Data is sent periodically, by default every 5
+ seconds.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the activity record and the capabilities of the Integration API.
+
+7. Users open Auditor Client to work with collected data:
+ - Search for file changes using certain criteria
+ - Export data to PDF or CSV files
+ - Save search results as reports
+ - Subscribe to search results
+ - Configure and receive alerts
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| Where | Prerequisite to check |
+| ------------------------------------------------------------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor Server side | - The Integration API and Audit Database settings are configured in Auditor Server settings. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The **TCP 9699** port must be open on Windows firewall for inbound connections. - User account under which data will be written to the Audit Database requires the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) for additional information. Alternatively, you can grant it the **Global administrator** role, or add that account to the **Netwrix Auditor Administrators** group. |
+| The machine where the Add-On will be installed (Auditor Server is recommended) | - The **UDP 514** port must be open on Windows firewall for inbound connections. If you are using Netwrix Auditor for Network Devices, this port may be already in use, and you should provide another one. Another option is to install the add-on and Auditor Server on different machines. - .Net Framework 4.7.2 and above is installed. Review the following Microsoft technical article for additional information on how to install .Net Framework 4.7.2: [Microsoft .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2). |
+| CyperArk PAS | Version 10.10. |
+
+### Accounts and Rights
+
+By default, the add-on will run under the _Local System_ account. So, if the add-on and Auditor will
+be running on different machines, the corresponding computer account will require at least the
+**Contributor** role in Auditor. See the
+[Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional
+information.
+
+In case the add-on and Auditor are installed on the same server, no special settings are needed.
+
+### Considerations and Limitations
+
+- The Add-On must be deployed in the same subnet as CyberArk PAS and Auditor.
+- If the monitoring plan name in the _``_ add-on configuration parameter is
+ specified incorrectly, this may lead to temp files generation and, therefore, to inefficient disk
+ space usage.
+- If you are using Netwrix Auditor for Network Devices, the 514 UDP port may be already in use, and
+ you should specify another port when configuring the add-on settings (see
+ [Deploy the Add-On](/docs/auditor/10.8/addon/cyberark/deployment.md) and [Add-On Parameters](/docs/auditor/10.8/addon/cyberark/parameters.md) topics for additional
+ information). Another option is to install the add-on and Auditor Server on different machines.
+
+## Compatibility Notice
+
+Netwrix Auditor add-on for CyberArk is compatible with CyberArk Privileged Access Security (PAS)
+10.10 and with Netwrix Auditor 9.8 and later.
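Review bot: In "Considerations and Limitations", the second bullet reads "the monitoring plan name in the _``_ add-on configuration parameter": the code span is empty, so the reader is never told which parameter is meant; restore the parameter name there. In "How It Works", the unindented "See the [Integration API]..." paragraph sits between steps 6 and 7 and breaks the ordered list; indent it under step 6, as was done for the notes under steps 1 and 2. Step 7's "Search for file changes" does not fit an add-on that collects CyberArk password and session events. Two typos: "Audit Databasefor" in step 1 and "CyperArk PAS" in the Prerequisites table. The Prerequisites table also tells readers to open UDP 514 inbound without mentioning that the listener can be limited to known senders; a pointer to the AcceptList setting described in parameters.md would fit in that row.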
diff --git a/docs/auditor/10.8/addon/cyberark/parameters.md b/docs/auditor/10.8/addon/cyberark/parameters.md
new file mode 100644
index 0000000000..6a5e5bbea7
--- /dev/null
+++ b/docs/auditor/10.8/addon/cyberark/parameters.md
@@ -0,0 +1,61 @@
+---
+title: "Add-On Parameters"
+description: "Add-On Parameters"
+sidebar_position: 10
+---
+
+# Add-On Parameters
+
+To configure the add-on parameters, you need to edit the **Settings.xml** file in the add-on folder.
+You must define connection details: Auditor Server host, endpoint, etc.
+
+Most parameters are optional; you can skip or define parameters depending on your execution scenario
+and security policies.
+
+The service uses the default values unless parameters are explicitly defined
+(`\*\*\_value_\*\*`).
+
+Parameters in **Settings.xml** can be grouped as follows:
+
+- **General parameters** that affect add- on execution. They are listed in the table below.
+- Settings for a certain event source (within the _Source_ section) that can override general
+ settings.
+- **Internal parameters** that should not be modified in most cases. They are listed in the topic.
+
+| Parameter | Default value | Description |
+| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General parameters | | |
+| ListenUdpPort | 514 | Specify UDP port for listening to the incoming syslog events. |
+| NetwrixAuditorEndpoint | https://localhost: 9699/netwrix/api/ v1/activity_records | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hosting Auditor Server and uses default port **9699**. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15, EnterpriseNAServer, WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.enterprise.local:9999_). Do not modify the endpoint part (/netwrix/api . . . . ) |
+| NetwrixAuditor CertificateThumbprint | NOCHECK | Netwrix Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check the certificate via Windows Certificate Store. - `AB:BB:CC.`—Check the certificate thumbprint identifier. - `NOCHECK`—Do not check the certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
+| NetwrixAuditorPlan | — | Unless specified, data is written to Netwrix_Auditor_API database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add-on, make sure a dedicated plan is created in Auditor, the Netwrix API data source is added to the plan and enabled for monitoring. Otherwise, the add-on will not be able to write data to the Audit Database. |
+| NetwrixAuditorPlanItem | — | Unless specified, data is not associated with a specific monitoring plan and thus cannot be filtered by item name. Specify an item name here. Make sure to create a dedicated item in Auditor in advance. |
+| EventStorePath | — | Select where to store temporary files of syslog messages before the add-on sends them to Auditor Server. Netwrix recommends to store these files in the same directory with the add-on (SyslogService.exe). |
+| LogLevel | warning | Specify logging level: - none - info - warning (used by default) - error - debug |
+| WriteCriticalIssues ToEventLog | 0 | Instructs the add-on to write important events (like service start or critical issue) not only to its own log but also to Netwrix event log. - 1=yes - 0=no (default) |
+| Parameters within SourceList You can specify parsing rules for each specific event source and define parameters to override general settings, such as time zone, default plan name, etc. | | |
+| NetwrixAuditorPlan | — | When specified, overrides the general settings. |
+| NetwrixAuditorPlanItem | — | When specified, overrides the general settings. |
+| AppNameRegExp | — | Custom regular expression pattern that will be used to retrieve the application name from your syslog messages. The add-on will match the application name and the files with syslog parsing rules to be applied. The pattern you provide here must match the application name in your custom rule file. Unless specified, RFC 3164/5424 format is used. |
+| AppNameGroupID | — | Define application name value by Group ID only if messages are not formatted in accordance with RFC 3164/5424. Otherwise, leave the default value. |
+| RuleFileList PathFile | cyberark-v2.xml | Specify paths to XML file(s) with regular expression parsing rules. You can create a custom file or use rules provided out of the box. Currently, the **cyberark-v2.xml** rule file is shipped with this add-on. You can specify several rule files. The service will check if the AppName parameter in the first rule file matches the AppNameRegExp and AppNameGroupID regular expression in this file. If not, the service will proceed to the next rule file. |
+| AcceptList Address | — | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. The _Address_ parameter may be followed by optional attributes that override parameters specified above: - _naplan_—A name of associated monitoring plan - _naplanitem_—A name of associated item For example: `172.28.3.15 ` |
+
+Remember to save **Settings.xml** after editing is complete.
+
+After you modify parameters in the **Settings.xml** file, remember to save the changes and then
+restart the add-on main service (_SyslogService.exe_) for them to take effect.
+
+## Add-on Internal Parameters
+
+Internal parameters listed in the table below are intended for performance tuning. In most cases the
+default values should be used.
+
+| Parameter | Default value | Description |
+| --------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| EventsFromMemoryFirst | 1 | Instructs the add-on to save events to temporary storage only if there is no free space in queues: - 1=yes - 0=no |
+| ConcurrentSend | -1 | Specifies the number of threads for concurrent forwarding of events to Auditor. Default value is -1 (switch off concurrent forwarding). |
+| SenderSleepTime | 30 | Specifies the retry interval in seconds to send messages to Auditor (30 - 3600 seconds). |
+| TaskLimit | 8 | Specifies the number of threads and queues for concurrent handling of events. |
+| QueueSizeLimit | 100 | Specifies the maximum number of events to keep in queue before saving to temporary storage or sending to Netwrix API. |
+| QueueTimeLimit | 5 | Specifies the length of timeout before events from queue (not full) are saved to temporary storage or sent to Netwrix API: - From 5 to 300 – timeout in seconds. - -1 – disable timeout. |
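Review bot: The `NetwrixAuditor CertificateThumbprint` row documents `NOCHECK` as the default and recommends it whenever servers are specified by IP, with no statement that this leaves the HTTPS connection to Auditor Server unverified; add that caveat and point readers who run the add-on on a separate machine to the thumbprint option listed in the same cell. Several cells in the general-parameters table contain stray spaces that make them unusable when copied: the default endpoint `https://localhost: 9699/netwrix/api/ v1/activity_records`, and the names `NetwrixAuditor CertificateThumbprint` and `WriteCriticalIssues ToEventLog`. The AcceptList example shows only `172.28.3.15 ` with neither of the naplan/naplanitem attributes it is meant to illustrate, the default-value marker renders as `\*\*\_value_\*\*`, "add- on" has a stray space, "They are listed in the topic." names no topic, and the reminder to save **Settings.xml** is stated twice in a row.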
diff --git a/docs/auditor/10.8/addon/cyberark/troubleshooting.md b/docs/auditor/10.8/addon/cyberark/troubleshooting.md
new file mode 100644
index 0000000000..6eaa4878b7
--- /dev/null
+++ b/docs/auditor/10.8/addon/cyberark/troubleshooting.md
@@ -0,0 +1,24 @@
+---
+title: "Maintenance and Troubleshooting"
+description: "Maintenance and Troubleshooting"
+sidebar_position: 50
+---
+
+# Maintenance and Troubleshooting
+
+The Add-On operations are logged into the **SyslogService.txt** file. This file is located in the
+same folder as **SyslogService.exe.**
+
+To change the add-on logging level, use the **LogLevel** parameter in the **Settings.xml** file.
+
+- It is recommended that before the first run you set this parameter to `debug`. This will
+ facilitate operations tracking and possible problem solving.
+- After that it is strongly recommended to re-set this parameter to `error` to prevent the
+ uncontrolled log growth.
+
+If you cannot see collected data in Auditor, check the following:
+
+1. In Auditor settings, go to the **Integrations** section and make sure the **Leverage Integration
+ API** is switched to **ON**. Check the communication port number – default is **9699**.
+2. If you configured a dedicated monitoring plan, make sure data source monitoring is enabled.
+3. Verify the parameters you provided in **Settings.xml** and **dbparam.ini**.
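Review bot: The second bullet tells readers to set LogLevel back to `error` after the first run, but parameters.md in this same patch lists `warning` as the default value; pick one recommended steady-state level and state it in both places. Minor: in "**SyslogService.exe.**" the sentence period sits inside the bold span.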
diff --git a/docs/auditor/10.8/addon/hyperv/_category_.json b/docs/auditor/10.8/addon/hyperv/_category_.json
new file mode 100644
index 0000000000..132f5e796d
--- /dev/null
+++ b/docs/auditor/10.8/addon/hyperv/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Hyper-V SCVMM",
+ "position": 90,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
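Review bot: `"id": "overview"` is a bare id, and this patch adds an overview.md under both addon/cyberark and addon/hyperv; confirm that the category link resolves to the hyperv page and not to another add-on's overview. The file also ends without a trailing newline.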
diff --git a/docs/auditor/10.8/addon/hyperv/collecteddata.md b/docs/auditor/10.8/addon/hyperv/collecteddata.md
new file mode 100644
index 0000000000..d73336668b
--- /dev/null
+++ b/docs/auditor/10.8/addon/hyperv/collecteddata.md
@@ -0,0 +1,26 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 40
+---
+
+# Work with Collected Data
+
+To leverage data collected with the add-on, you can do the following in Auditor:
+
+- Search for required data. For that, start Auditor client and navigate to **Search**. After
+ specifying the criteria you need, click **Search**. You will get a list of activity records with
+ detailed information on who did what in the reported time period.
+
+You might want to apply a filter to narrow down your search results to the Netwrix API data source
+only.
+
+- Also, you can click **Tools** in the upper-right corner and select the command you need. For
+ example:
+ - If you want to periodically receive the report on the results of search with the specified
+ criteria, click **Subscribe**. Then specify how you want the report to be delivered – as an
+ email or as a file stored to the file share.
+ - To create an alert on the specific occurrences, click **Create alert**.
+ - To export filtered data to PDF or CSV, click **Export data**.
+- You can also configure and receive alerts on the events you are interested in. See the
+ [Administration](/docs/auditor/10.8/admin/overview.md) topic for additional information.
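Review bot: The paragraph "You might want to apply a filter to narrow down your search results to the Netwrix API data source only." is unindented, so it ends the bullet list after the first item and the remaining bullets start a new list; indent it under the **Search** bullet. The last bullet repeats what the **Create alert** sub-item already covers and can be merged into it.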
diff --git a/docs/auditor/10.8/addon/hyperv/deployment.md b/docs/auditor/10.8/addon/hyperv/deployment.md
new file mode 100644
index 0000000000..a2402e0952
--- /dev/null
+++ b/docs/auditor/10.8/addon/hyperv/deployment.md
@@ -0,0 +1,100 @@
+---
+title: "Deployment Scenarios"
+description: "Deployment Scenarios"
+sidebar_position: 20
+---
+
+# Deployment Scenarios
+
+The add-on can be deployed on any computer in your environment. For example, you can run the add-on
+on the computer where Auditor is installed, or on a remote server. Also, consider different SCVMM
+deployment scenarios. Possible deployment options are as follows (here it is assumed that the add-on
+is installed together with Auditor server):
+
+1. Add-on running on the same machine as SCVMM server (with Management Console):
+
+
+
+2. Add-on and SCVMM server (with Management Console) running on different machines:
+
+
+
+In this scenario, the account used to access SCVMM server must be a member of the _Remote Management
+Users_ local group on the SCVMM server.
+
+3. Add-on running on the same machine as SCVMM Management Console; SCVMM server running on the
+ remote machine:
+
+
+
+In this scenario, make sure to specify SCVMM server address in the **DataCollectionServer**
+parameter (not the machine where SCVMM console runs) in the **settings.xml** configuration file. See
+the [Add-On Parameters](/docs/auditor/10.8/addon/hyperv/parameters.md)topic for additional information.
+
+Depending on the deployment scenario you choose, you will need to define a set of the add-on
+parameters. Several examples are provided below.
+
+In the certain scenarios you may need to configure not all parameters but only some of them.
+
+## Example 1
+
+- The add-on runs on the Auditor server.
+- The _System_ account is used to launch the add-on via Task Scheduler (default configuration).
+- Configuration parameters to specify in **settings.xml** (sample values):
+
+````
+https://172.28.6.19:9699/netwrix/api/v1/activity_records```
+
+``````
+
+``````
+
+Configuration parameters __NetwrixAuditorUserName__ and __NetrixAuditorPassword__ are not required.
+
+## Example 2
+
+- The add-on runs on the Auditor server with the explicitly specified user credentials.
+- Configuration parameters to specify in __settings.xml__ (sample values):
+
+ ```
+ https://172.28.6.19:9699/netwrix/api/v1/activity_records```
+
+ ```SecurityOfficer```
+ ``````
+
+ ```NetwrixUser```
+ ``````
+
+## Example 3
+
+- The add-on runs on the machine with SCVMM.
+- The _System_ account is used to launch the add-on via Task Scheduler (default configuration).
+- Configuration parameters to specify in __settings.xml__:
+
+```
+````
+
+``
+
+``
+
+Credentials for **Data Collection Server** (that is, SCVMM) are not required.
+
+## Example 4
+
+- SCVMM and/or Auditor run on the machines other than the add-on server.
+- In this case, the corresponding set of credentials (for **Data Collection Server** and/or Netwrix
+ Auditor) must be specified explicitly.
+- Configuration parameters to specify in **settings.xml** (sample values):
+
+ `https://172.28.6.19:9699/netwrix/api/v1/activity_records `
+
+`SecurityOfficer`
+
+`NetwrixUser`
+
+`SCVMMServer`
+
+`SCVMMAdmin`
+
+`Password`
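Review bot: Examples 1 to 4 have lost their configuration content: Examples 1 and 3 consist of empty or mismatched code fences (a four-backtick opener, six-backtick runs, bare empty code spans), and Examples 2 and 4 show only bare values such as `SecurityOfficer` and `SCVMMServer` without the settings.xml element each one belongs to. Restore each example as a single fenced block that shows the element names together with the sample values. Examples 2 and 4 place account passwords in settings.xml, so the page should say how that file is expected to be protected. Smaller points: "NetrixAuditorPassword" under Example 1 is misspelled, bold is written both as `__...__` and `**...**`, "parameters.md)topic" lacks a space, and each of the three scenario descriptions is followed by blank lines where a diagram appears to be missing.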
diff --git a/docs/auditor/10.8/addon/hyperv/install.md b/docs/auditor/10.8/addon/hyperv/install.md
new file mode 100644
index 0000000000..0eca8aa257
--- /dev/null
+++ b/docs/auditor/10.8/addon/hyperv/install.md
@@ -0,0 +1,68 @@
+---
+title: "Deploy the Add-On"
+description: "Deploy the Add-On"
+sidebar_position: 30
+---
+
+# Deploy the Add-On
+
+Follow the step to deploy the Add-On:
+
+**Step 1 –** Prepare Netwrix Auditor for Data Processing.
+
+**Step 2 –** Download the Add-On.
+
+**Step 3 –** Configure Parameters for Data Collection.
+
+**Step 4 –** Register Windows Scheduled Task.
+
+## Prepare Netwrix Auditor for Data Processing
+
+In Auditor client, go to the Integrations section and verify Integration API settings:
+
+1. Make sure the **Leverage Integration API** is switched to **ON**.
+2. Check the TCP communication port number – default is **9699**.
+
+See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) topic for additional information.
+
+By default, activity records are written to _Netwrix_Auditor_API_ database which is not associated
+with a specific monitoring plan.
+
+Optionally, you can create a dedicated monitoring plan in Auditor. In this case, data will be
+written to a database linked to this plan. Target it at Netwrix API data source and enable for
+monitoring. Add a dedicated item of _Integration_ type to the plan for data to be filtered by item
+name. See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information.
+
+In such scenario, you will need to specify this monitoring plan in the _NetwrixAuditorPlan_ and
+_NetwrixAuditorPlanItem_ parameters in the **settings.xml** file. See the
+[Add-On Parameters](/docs/auditor/10.8/addon/hyperv/parameters.md) topic for additional information.
+
+## Download the Add-On
+
+1. Download the distribution package **Netwrix_Auditor_Add-on_for_Microsoft_SCVMM.zip**.
+2. Unpack it to a folder on the computer where you plan to deploy the add-on.
+
+## Configure Parameters for Data Collection
+
+In the add-on folder, open the **settings.xml** file and configure the add-on parameters for data
+collection, as listed below.
+
+See the [Add-On Parameters](/docs/auditor/10.8/addon/hyperv/parameters.md)topic for the full list of configuration parameters.
+
+| Parameter | Default value | Description |
+| ---------------------- | ------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| DataCollectionServer | (empty) | Specify SCVMM server to collect data from. You can use IP address, FQDN or NETBIOS name. For _localhost_, leave this parameter empty. |
+| DataCollectionUserName | (empty) | Specify user account that will be used for data collection from SCVMM server. To use the account currently logged in, leave this parameter empty.s Make sure the account has administrative rights on that server (see the [Accounts and Rights](overview.md#accounts-and-rights) topic for additional information). |
+| DataCollectionPassword | | Specify user account password. |
+| ShortTermFolder | ShortTerm | Specify path to the short-term archive (Netwrix Auditor working folder). You can use full or relative path. |
+
+Save the **settings.xml** file. New configuration settings will be applied automatically at the next
+data collection.
+
+For the full list of parameters, see the [Add-On Parameters](/docs/auditor/10.8/addon/hyperv/parameters.md) topic for additional
+information.
+
+## Register Windows Scheduled Task
+
+Run the **install.ps1** PowerShell script from the add-on folder. It will configure and register a
+Windows scheduled task that will run periodically every 15 min to retrieve audit data from SCVMM.
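Review bot: The `DataCollectionPassword` row says only "Specify user account password." although the `DataCollectionUserName` row requires an account with administrative rights on the SCVMM server; state whether the value is kept in settings.xml as entered and what access restrictions the add-on folder needs. Also: "Follow the step" should be "steps", "leave this parameter empty.s Make sure" has a stray "s", "parameters.md)topic" lacks a space, the closing "For the full list of parameters, see ... topic for additional information" repeats the pointer already given above the table, and the Accounts and Rights link uses a relative path (`overview.md#accounts-and-rights`) where every other link in the file is absolute.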
diff --git a/docs/auditor/10.8/addon/hyperv/monitoredevents.md b/docs/auditor/10.8/addon/hyperv/monitoredevents.md
new file mode 100644
index 0000000000..8613dac06a
--- /dev/null
+++ b/docs/auditor/10.8/addon/hyperv/monitoredevents.md
@@ -0,0 +1,19 @@
+---
+title: "Monitoring Scope"
+description: "Monitoring Scope"
+sidebar_position: 50
+---
+
+# Monitoring Scope
+
+Review a full list of the events that can be monitored using the add-on.
+
+| Object Type | Reported Action | Reported Properties |
+| ----------------- | ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Virtual Machine | • Create/Delete • Clone • Migrate • Rename • Create/Delete Checkpoint • Hardware Configuration change | • Name • Checkpoint Name & Description • Number Of Processors • Memory Size (Allocated, Max) • VHD Location, Max size • Network Name • Switch Name |
+| Hypervisor (Host) | • Create/Delete • Move • Hardware Configuration change • State change | • Name • Number Of Processors • RAM Memory Size • Host Disk Capacity |
+| Host Cluster | • Create/Delete • Move | • Name |
+| Host Group | • Create/Delete • Move • Rename | • Name |
+| Private Cloud | • Create/Delete • Rename | • Name |
+| VM Network | • Create/Delete • Rename | • Name |
+| User Role | • Rename • Add/Remove Members • Add/Remove Scopes • Permissions change | • Name • Scope • Permissions • Members |
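Review bot: The "Reported Action" and "Reported Properties" cells pack several items into one line separated only by "•", which renders as a single run of text; put each item on its own line within the cell or split the rows. The front-matter title is "Monitoring Scope" while the file is monitoredevents.md and the CyberArk counterpart is titled "Monitored Events"; align the naming if both pages serve the same purpose. The intro sentence promises "a full list of the events", but the table lists object types, actions and properties, so "changes" or "actions" would describe it more accurately.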
diff --git a/docs/auditor/10.8/addon/hyperv/overview.md b/docs/auditor/10.8/addon/hyperv/overview.md
new file mode 100644
index 0000000000..9951c08fdd
--- /dev/null
+++ b/docs/auditor/10.8/addon/hyperv/overview.md
@@ -0,0 +1,125 @@
+---
+title: "Hyper-V SCVMM"
+description: "Hyper-V SCVMM"
+sidebar_position: 90
+---
+
+# Hyper-V SCVMM
+
+Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables
+control over changes, configurations and access in hybrid IT environments to protect data regardless
+of its location. The platform provides security analytic to detect anomalies in user behavior and
+investigate threat patterns before a data breach occurs.
+
+Microsoft System Center Virtual Machine Manager (SCVMM) is a solution for configuring and managing
+virtualized infrastructure components across on-premises, service provider, and the Azure cloud
+environment. These components include virtualization servers, networking components and storage
+resources.
+
+Virtualization teams, Managed Service Providers and other IT professionals need to detect who does
+what in the SCVMM-managed virtual infrastructure. For that, a unified audit trail is required,
+supporting detailed SCVMM monitoring and effective response to changes.
+
+For that purpose, you can use a specially designed add-on. It works in collaboration with Netwrix
+Auditor, supplying data about operations on your SCVMM server to Netwrix database. Aggregating data
+into a single audit trail simplifies the analysis, makes activity monitoring more cost-effective,
+and helps you keep tabs on your virtual infrastructure.
+
+Major benefits:
+
+- Gain a high-level view of the data you store
+- Detect unauthorized activity that might threaten your data
+
+## How It Works
+
+The add-on is implemented as a stand-alone application that collects activity data from Virtual
+Machine Manager and sends it to Auditor using the Integration API.
+
+
+
+On a high level, the solution works as follows:
+
+1. An IT administrator configures the Integration API settings to enable data collection and storage
+ to the Netwrix database for further reporting, search, etc.
+
+ It is recommended to create a dedicated monitoring plan in Auditor and add a dedicated item of
+ **Integration** type to it — then you will be able to filter data in reports and search results
+ by monitoring plan or item name.
+
+2. On SCVMM side, the IT administrator prepares a dedicated user account for accessing SCVMM server.
+ This account requires administrative rights.
+3. Then the IT administrator opens the settings.xml configuration file and specifies the necessary
+ parameters for add-on operation, including Netwrix Auditor server settings, etc.
+4. The IT administrator selects the deployment scenario and runs install.ps1 PowerShell script file
+ to deploy and configure the add-on components on the target server.
+5. This script creates a Windows scheduled task that will run periodically (every 15 minutes) to
+ collect audit data from VMM server.
+
+ See the [Monitoring Scope](/docs/auditor/10.8/addon/hyperv/monitoredevents.md) for additional information on the default list of
+ the events supported out-of-the box.
+
+6. The add-on component **HVARunner.exe** starts collecting activity data from VMM. Data
+ communication is performed using TCP protocol.
+7. The add-on processes this data into Auditor-compatible format (Activity Records). Each Activity
+ Record contains the Who-What-When-Where-Action information (that is, initiator's account, time,
+ action, and other details).
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Integration API.
+
+8. The add-on uses the Integration API to send the Activity Records to Auditor Server, where this
+ data becomes available for search, reporting and alerting.
+9. Users open Auditor Client to work with collected data:
+ - Search for file changes using certain criteria
+ - Export data to PDF or CSV files
+ - Save search results as reports
+ - Subscribe to search results
+ - Configure and receive alerts
+
+### Add-on Delivery Package
+
+The add-on delivery package is a ZIP archive comprising several files, including DLLs, configuration
+and executable files. The latter ones are listed in the table below.
+
+| File name | Description |
+| ----------------- | ------------------------------------------------------------------------------------------------------- |
+| install.ps1 | PowerShell script that installs the add-on components and creates a scheduled task for data collection. |
+| settings.xml | Contains parameters for the add-on service operation. |
+| **HVARunner.exe** | Main add-on component, responsible for audit data collection from SCVMM. |
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Auditor Server | - Integration API and Audit Database settings are configured in Auditor Server settings. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The **TCP 9699** port must be open on Windows firewall for inbound connections. - User account under which data will be written to the Audit Database requires the **Contributor** role in Netwrix Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant it the **Global administrator** role, or add that account to the **Netwrix Auditor Administrators** group. |
+| Add-on installation server, i.e. the machine where the add-on will be installed | - The **TCP 5985** port must be open on Windows firewall for inbound connections. - NET Framework 4.5 or later. |
+| Microsoft System Center Virtual Machine Manager | SCVMM versions: - 2019 - 2016 |
+| Virtualization hosts | - Microsoft Hyper-V (hardware and nested-virtualization) - VMware ESXi |
+
+### Accounts and Rights
+
+It is recommended to create a dedicated account for running the add-on.
+
+This account should have the following minimal rights and permissions:
+
+- **Administrator** role in SCVMM
+- **Contributor** role in Auditor. See the
+ [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional
+ information.
+
+### Considerations and Limitations
+
+- By default, the add-on is targeted at a single SCVMM server.
+
+- If Auditor Server becomes unavailable for some time, the add-on will reset the last data
+ collection and will run it anew during the next scheduled interval.
+
+## Compatibility Notice
+
+The add-on is compatible with:
+
+- Microsoft System Center Virtual Machine Manager 2019 and 2016
+- Netwrix Auditor 9.9 and later
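Review bot: The Auditor Server row of the Prerequisites table offers the **Global administrator** role or **Netwrix Auditor Administrators** membership as an alternative to **Contributor** without saying that either grants more than the add-on needs. State that Contributor is sufficient and that the alternatives widen the account's permissions, so readers who follow the "dedicated account" advice under Accounts and Rights do not over-provision it. In the same table, "NET Framework 4.5 or later" is missing its leading dot, and the multi-item cells use inline " - " separators that will render as running text rather than lists. Step 9's "Search for file changes" also reads as carried over from a file-server topic and does not match SCVMM activity.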
diff --git a/docs/auditor/10.8/addon/hyperv/parameters.md b/docs/auditor/10.8/addon/hyperv/parameters.md
new file mode 100644
index 0000000000..bc678cb5fe
--- /dev/null
+++ b/docs/auditor/10.8/addon/hyperv/parameters.md
@@ -0,0 +1,32 @@
+---
+title: "Add-On Parameters"
+description: "Add-On Parameters"
+sidebar_position: 10
+---
+
+# Add-On Parameters
+
+To configure the add-on parameters, you need to edit the **settings.xml** file in the add-on folder.
+You must define connection details: Auditor Server host, user credentials, etc.
+
+Most parameters are optional, the service uses the default values unless parameters are explicitly
+defined (`\*\*\_value_\*\*`). You can skip or define parameters depending on
+your execution scenario and security policies.
+
+| Parameter | Default value | Description |
+| ------------------------------------ | -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| NetwrixIntegration | | |
+| NetwrixAuditorEndpoint | https://localhost: 9699/netwrix/api/ v1/activity_records | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hosting Auditor Server and uses default port **9699**. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15, EnterpriseNAServer, WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.enterprise.local:9999_). Do not modify the endpoint part (/netwrix/api . . . . ) |
+| NetwrixAuditor CertificateThumbprint | NOCHECK | Auditor Certificate Thumbprint Property. Possible values: - `AB:BB:CC.`—Check Auditor server certificate thumbprint identifier. - `NOCHECK`—Do not check Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
+| NetwrixAuditorDateTimeFormat | yyyy-MM-ddTHH:mm:ssZ | Auditor time format. By default, set to zero offset. |
+| NetwrixAuditorPlan | — | Unless specified, data is written to Netwrix_Auditor_API database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add-on, make sure a dedicated plan is created in Auditor, the Netwrix API data source is added to the plan and enabled for monitoring. Otherwise, the add-on will not be able to write data to the Audit Database. |
+| NetwrixAuditorPlanItem | — | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item in Auditor in advance. |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. The account must be assigned the Contributor role in Netwrix Auditor. |
+| NetwrixAuditorUserPassword | Current user credentials | Unless specified, the add-on runs with the current user credentials. Provide a different password if necessary. |
+| DataCollection | | |
+| DataCollectionServer | (empty) | Specify SCVMM server to collect data from. You can use IP address, FQDN or NETBIOS name. For localhost, leave this parameter empty. |
+| DataCollectionUserName | (empty) | Specify user account that will be used for data collection from SCVMM server. To use the account currently logged in, leave this parameter empty. Make sure the account has administrative rights on that server (see the [Accounts and Rights](overview.md#accounts-and-rights) topic for additional information). |
+| DataCollectionPassword | | Specify user account password. |
+| ShortTermFolder | ShortTerm | Specify path to the short-term archive (Netwrix Auditor working folder). You can use full or relative path. |
+
+Remember to save **settings.xml** after editing is complete.
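Review bot: The NetwrixAuditor CertificateThumbprint row documents NOCHECK as the default and describes it only as "Do not check Auditor certificate", while the add-on authenticates to NetwrixAuditorEndpoint with NetwrixAuditorUserName and NetwrixAuditorUserPassword. The description should say plainly that with NOCHECK the server certificate is not verified, and recommend setting the thumbprint when the add-on runs on a different machine from Auditor Server. Since this file holds NetwrixAuditorUserPassword and DataCollectionPassword, a sentence on restricting access to settings.xml would also help. Formatting: the default endpoint "https://localhost: 9699/netwrix/api/ v1/activity_records" and the name "NetwrixAuditor CertificateThumbprint" contain stray spaces that break them when copied, and the `\*\*\_value_\*\*` text in the intro is escaped markup residue.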
diff --git a/docs/auditor/10.8/addon/hyperv/troubleshooting.md b/docs/auditor/10.8/addon/hyperv/troubleshooting.md
new file mode 100644
index 0000000000..767378249f
--- /dev/null
+++ b/docs/auditor/10.8/addon/hyperv/troubleshooting.md
@@ -0,0 +1,79 @@
+---
+title: "Maintenance and Troubleshooting"
+description: "Maintenance and Troubleshooting"
+sidebar_position: 60
+---
+
+# Maintenance and Troubleshooting
+
+If you cannot see collected data in Auditor, check the following:
+
+- Add-on account has sufficient rights to access SCVMM and Auditor.
+- In Netwrix Auditor settings, go to the **Integrations** section and make sure the **Leverage
+ Integration API** is switched to **ON**. Check the communication port number – default is
+ **9699**.
+- If you configured a dedicated monitoring plan, make sure data source monitoring is enabled.
+- Verify the parameters you provided in **settings.xml**.
+
+## Monitor Several SCVMM
+
+Follow the steps If you need to monitor more than one SCVMM:
+
+**Step 1 –** Deploy one more add-on instance to the server where the first add-on instance is
+already installed. Be sure to use a different installation folder.
+
+**Step 2 –** Open the **settings.xml** file and configure the new add-on instance to work with the
+second SCVMM server.
+
+**Step 3 –** Open the **install.ps1** file for the new add-on for edit.
+
+**Step 4 –** Modify the default scheduled task name:
+
+`$name = "NetwrixAuditor Add-on for Microsoft SCVMM"`
+
+**Step 5 –** Save and then launch the updated **install.ps1** file.
+
+## Modify Task Schedule
+
+Follow the steps if you need to modify the task schedule:
+
+**Step 1 –** Open **install.ps1** for edit.
+
+**Step 2 –** Modify the default scheduled task schedule:
+
+`$task.Triggers.Repetition.Interval = "PT15M"`
+
+**Step 3 –** Save and then launch the updated **install.ps1** file.
+
+Alternatively, you can use **Windows Task Scheduler**.
+
+- If the solution was deployed using the third scenario (that is, SCVMM server and add-on are
+ running on different machines), then the following error may be written in the solution log:
+
+The WinRM client cannot process the request.
+
+See the [Deployment Scenarios](/docs/auditor/10.8/addon/hyperv/deployment.md)topic for additional information.
+
+If the authentication scheme is different from Kerberos, or if the client computer is not joined to
+a domain, then HTTPS transport must be used or the destination machine must be added to the
+**TrustedHosts** list. To configure this list, use **winrm.cmd**.
+
+Computers included in the **TrustedHosts** list might not be authenticated. To get more information
+about their settings, you can run the following command:
+
+`winrm help config`
+
+For details on remote troubleshooting and authentication issues, see the following Microsoft
+article:
+[about_Remote_Troubleshooting](https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.core/about/about_remote_troubleshooting?view=powershell-6).
+
+To work around, add the remote SCVMM server to the **TrustedHosts** list on the machine were the
+add-on runs. For that, use the following commands:
+
+`winrm quickconfig`
+
+`Set-Item WSMan:\localhost\Client\TrustedHosts -Value "ServerNameOrIP"`
+
+here:
+
+`ServerNameOrIP` – SCVMM server name or IP address.
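Review bot: The TrustedHosts workaround at the end of this hunk uses Set-Item with -Value "ServerNameOrIP", which replaces the existing TrustedHosts list instead of appending to it, and the text above already warns that hosts in this list "might not be authenticated". Document the -Concatenate switch so existing entries are kept, and present HTTPS transport (mentioned earlier as the other option) as the preferred fix with TrustedHosts as the fallback. The WinRM section also starts as a bare bullet under "Modify Task Schedule" with no heading of its own, Step 4 of "Monitor Several SCVMM" shows the default task name without saying it must be changed to a unique one, and there are small typos: "Follow the steps If", "deployment.md)topic", "machine were the add-on runs", "here:".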
diff --git a/docs/auditor/10.8/addon/ibmqradar/_category_.json b/docs/auditor/10.8/addon/ibmqradar/_category_.json
new file mode 100644
index 0000000000..cff06a81f8
--- /dev/null
+++ b/docs/auditor/10.8/addon/ibmqradar/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "IBM QRadar",
+ "position": 100,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/ibmqradar/automate.md b/docs/auditor/10.8/addon/ibmqradar/automate.md
new file mode 100644
index 0000000000..2655f3682c
--- /dev/null
+++ b/docs/auditor/10.8/addon/ibmqradar/automate.md
@@ -0,0 +1,35 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 40
+---
+
+# Automate Add-On Execution
+
+To ensure you feed the most recent data to your SIEM solution, Netwrix recommends scheduling a daily
+task for running the add-on.
+
+**Perform the following steps to create a scheduled task:**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task Scheduler**.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrixrecommends scheduling a
+daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix_Auditor_Add-on_for_IBM_QRadar.ps1" -NetwrixAuditorHost 172.28.6.15 |
+
+**Step 5 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
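Review bot: Step 1 ends at navigating to Task Scheduler and Step 2 starts "On the **General** tab", so the action that opens the new-task dialog is missing; add it between the two. Step 2 also asks for an account with "all necessary rights and permissions" without naming them or linking to the Prerequisites in overview.md. Since the "Add arguments" row invites readers to append add-on parameters, it is worth repeating here the deployment.md recommendation to run the task under a dedicated account rather than passing credentials as arguments. Typo in Step 3: "Netwrixrecommends".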
diff --git a/docs/auditor/10.8/addon/ibmqradar/collecteddata.md b/docs/auditor/10.8/addon/ibmqradar/collecteddata.md
new file mode 100644
index 0000000000..6f1f0a7795
--- /dev/null
+++ b/docs/auditor/10.8/addon/ibmqradar/collecteddata.md
@@ -0,0 +1,21 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+Follow the steps to work with collected data:
+
+**Step 1 –** On the computer where you executed the add-on, navigate to **Start** > **All
+Programs** > **Event Viewer**.
+
+**Step 2 –** In the Event Viewer dialog, navigate to **Event Viewer (local)** > **Applications and
+Services Logs** >Netwrix Auditor Integration log.
+
+**Step 3 –** Review events.
+
+
+
+Now you can augment Windows event log with data collected by the Auditor.
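Review bot: Step 2 names the log as "Netwrix Auditor Integration log" (unformatted, with no space after ">"), while overview.md in this same patch says the add-on creates an event log named **Netwrix_Auditor_Integration**; use the exact log name so readers can find it in Event Viewer and reference it in SIEM log source configuration. The two empty lines after Step 3 look like a dropped screenshot; either restore the image reference or remove the gap. The closing sentence would read better as a statement about the SIEM, which is what is being augmented, not the Windows event log.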
diff --git a/docs/auditor/10.8/addon/ibmqradar/deployment.md b/docs/auditor/10.8/addon/ibmqradar/deployment.md
new file mode 100644
index 0000000000..10b9b059d7
--- /dev/null
+++ b/docs/auditor/10.8/addon/ibmqradar/deployment.md
@@ -0,0 +1,25 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can
+run the add-on on the computer where Auditor is installed or on a remote server. Depending on the
+execution scenario you choose, you have to define a different set of parameters. See the
+[Define Parameters](/docs/auditor/10.8/addon/ibmqradar/parameters.md) topic for additional information.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| ------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on the Auditor Server with the current user credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix_Auditor_Add-on_for_IBM_QRadar.ps1 |
+| The add-on runs on the Auditor Server with explicitly defined credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for_IBM* QRadar.ps1 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+| The add-on exports Activity Records from a remote Auditor Server using current user credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for_IBM* QRadar.ps1 -NetwrixAuditorHost 172.28.6.15 |
+| The add-on exports Activity Records from a remote Auditor Server using explicitly defined credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for_IBM* QRadar.ps1 -NetwrixAuditorHost 172.28.6.15 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
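Review bot: In the last three rows of the scenario table the script path appears as "Netwrix*Auditor_Add-on_for_IBM* QRadar.ps1", with underscores turned into emphasis markers and a space inserted, so it no longer matches the path in the first row and fails when copied; put all example commands in inline code to stop the markup being interpreted. The two explicit-credential examples also show -NetwrixAuditorPassword with a literal password on the command line, directly above the paragraph recommending current user credentials; move that recommendation above the table and replace the literal with an obvious placeholder.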
diff --git a/docs/auditor/10.8/addon/ibmqradar/integrationeventlog.md b/docs/auditor/10.8/addon/ibmqradar/integrationeventlog.md
new file mode 100644
index 0000000000..2271b809e4
--- /dev/null
+++ b/docs/auditor/10.8/addon/ibmqradar/integrationeventlog.md
@@ -0,0 +1,40 @@
+---
+title: "Integration Event Log Fields"
+description: "Integration Event Log Fields"
+sidebar_position: 60
+---
+
+# Integration Event Log Fields
+
+This section describes how the add-on fills in the Netwrix Auditor **Integration** event log fields
+with data retrieved from Activity Records.
+
+The Activity Record structure is described in the
+[Reference for Creating Activity Records](/docs/auditor/10.8/api/activityrecordreference.md)topic.
+
+| Event log field name | Filled in with value | Details |
+| -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Source | **NA\_\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_ | Depending on _SetDataSourceAsEventSource_ in-script parameter. |
+| EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). |
+| Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. |
+
+See the [Define Parameters](/docs/auditor/10.8/addon/ibmqradar/parameters.md) topic for additional information.
+
+EventData is filled in with data from the Activity Record fields as follows:
+
+| Entry in EventData | Activity Record field |
+| ------------------ | --------------------- |
+| DataSource | `{DataSource}` |
+| Action | `{Action}` |
+| Message | `{Action ObjectType}` |
+| Where | `{Where}` |
+| ObjectType | `{ObjectType}` |
+| Who | `{Who}` |
+| What | `{What}` |
+| When | `{When}` |
+| Workstation | `{Workstation}` |
+| Details | `{Details}` |
+
+Details are filled in only if this Activity Record field is not empty.
+
+
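Review bot: The Source row's value cell, "**NA\_\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_", has unbalanced bold markers and escaped underscores, and it does not match parameters.md in this patch, which gives the prefix as _NA_ (example _NA Windows Server_) and the fallback source as _Netwrix_Auditor_Integration_API_. Because this value is what a SIEM log source filter keys on, write both alternatives in inline code exactly as they appear in the event log. Also "activityrecordreference.md)topic" is missing a space, and the hunk ends with two empty lines.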
diff --git a/docs/auditor/10.8/addon/ibmqradar/overview.md b/docs/auditor/10.8/addon/ibmqradar/overview.md
new file mode 100644
index 0000000000..13debeb18a
--- /dev/null
+++ b/docs/auditor/10.8/addon/ibmqradar/overview.md
@@ -0,0 +1,50 @@
+---
+title: "IBM QRadar"
+description: "IBM QRadar"
+sidebar_position: 100
+---
+
+# IBM QRadar
+
+Netwrix Auditor Add-on for SIEM helps you to get most from your SIEM investment. This topic focuses
+on the IBM QRadar SIEM solution.
+
+The add-on works in collaboration with Netwrix Auditor, supplying additional data that augments the
+data collected by the SIEM solution.
+
+The add-on enriches your SIEM data with actionable context in human-readable format, including the
+before and after values for every change and data access attempt, both failed and successful.
+Aggregating data into a single audit trail simplifies analysis, makes your SIEM more cost effective,
+and helps you keep tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on facilitates the audit data transition from Netwrix
+Auditor to the SIEM solution. All you have to do is provide connection details and schedule the
+script for execution.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Netwrix Auditor server and retrieves audit data using the Netwrix
+ Auditor Integration API.
+2. The add-on processes Netwrix Auditor-compatible data (Activity Records) into log events that work
+ as input for the SIEM solution. Each event contains the user account, action, time, and other
+ details.
+3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores
+ events there. These events are structured and ready for integration with the SIEM solution.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Netwrix Auditor Integration API.\
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
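Review bot: The script-host row of the Prerequisites table instructs readers to run Set-ExecutionPolicy Unrestricted as administrator, which changes the policy for every script on that machine, not only the add-on. If the add-on does not strictly need it, document a narrower option (for example RemoteSigned, or a policy set with -Scope Process for the scheduled run) and say why Unrestricted is required if it is. The same row says the user must have write permission on the script folder for the .bin state file; note that this folder then needs to be protected from other users, since the script in it runs with that account's rights. Minor: the line ending "Integration API.\" carries a stray trailing backslash, and the command in the table cell should be in inline code.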
diff --git a/docs/auditor/10.8/addon/ibmqradar/parameters.md b/docs/auditor/10.8/addon/ibmqradar/parameters.md
new file mode 100644
index 0000000000..ec0cf1b902
--- /dev/null
+++ b/docs/auditor/10.8/addon/ibmqradar/parameters.md
@@ -0,0 +1,43 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/ibmqradar/deployment.md) topic
+for additional information.
+
+| Parameter | Default value | Description |
+| --------------------------------- | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Connection to Netwrix Auditor** | | |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting the Auditor Server and uses default port 9699. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide a server name followed by the port number (e.g., WKS.enterprise.local:9999). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. The account must be assigned the Global reviewer role in Auditor or be a member of the Netwrix Auditor **Client Users** group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
+
+## In-Script Parameters
+
+You may also need to modify the parameters that define how EventIDs should be generated for exported
+events, though their default values address most popular usage scenarios. In-script parameters are
+listed in the table below. To modify them, open the script for edit and enter the values you need.
+
+Once set, these parameter values must stay unchanged until the last run of the script — otherwise
+dynamically calculated EventIDs will be modified and applied incorrectly.
+
+| Parameter | Default value | Description |
+| -------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **EventID generation** | | |
+| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](/docs/auditor/10.8/api/postdata/activityrecords.md) topic for additional information. |
+| IncludeDataSourceToMakeEventId\* | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to _TRUE_. |
+| SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the DataSource field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the DataSource field of Activity Record. Only the lowest 9 bits of the calculation result are used. |
+| SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the DataSource field of Activity Record. Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular DataSource does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. |
+
+\* When configuring the **IncludeDataSourceToMakeEventId** parameter, consider that the _Object
+Type - Action_ pair may be identical for several data sources (e.g., Object='User' and
+Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID
+(duplicates). See the [Run the Add-On with PowerShell](/docs/auditor/10.8/addon/ibmqradar/powershell.md) topic for additional
+information about duplicates.
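Review bot: The GenerateEventId row says only the lowest 16 bits of the CRC32 result are used, but the footnote presents duplicate EventIDs solely as a consequence of excluding DataSource. With a 16-bit result, distinct ObjectType/Action/DataSource combinations can collide even with the default settings, so the footnote should say that and point to the duplicates file described in powershell.md as the way to check before building SIEM rules on EventID; the same applies to the 9-bit Event Category. Wording and formatting: "whether to generated", mixed "True" and "_TRUE_", and the value lists in the description cells are flattened into running text.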
diff --git a/docs/auditor/10.8/addon/ibmqradar/powershell.md b/docs/auditor/10.8/addon/ibmqradar/powershell.md
new file mode 100644
index 0000000000..37527d9157
--- /dev/null
+++ b/docs/auditor/10.8/addon/ibmqradar/powershell.md
@@ -0,0 +1,66 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 30
+---
+
+# Run the Add-On with PowerShell
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+Follow the steps to run add-on with PowerShell:
+
+**Step 1 –** On computer where you want to execute the add-on, start Windows PowerShell.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Add-on_for_IBM_QRadar.ps1 - NetwrixAuditorHost
+172.28.6.15
+
+**NOTE:** If the script path contains spaces (e.g., _C:\Netwrix Add-ons_), embrace it in double
+quotes and insert the ampersand (**&**) symbol in front (e.g., & "_C:\Netwrix Add-ons_").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in Netwrix Auditor Audit Database execution may
+take a while. Ensure the script execution completed successfully. The Netwrix Auditor
+**Integration** event log will be created and filled with events.
+
+By default, the Netwrix Auditor **Integration** event log size is set to **1GB**, and retention is
+set to "_Overwrite events as needed_". See the
+[Integration Event Log Fields](/docs/auditor/10.8/addon/ibmqradar/integrationeventlog.md) topic for additional information.
+
+**NOTE:** Event records with more than 30,000 characters length will be trimmed.
+
+At the end of each run, the script creates the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDs.txt** file. It defines mapping between the
+Activity Records and related Event IDs . You can use this file to track possible duplicates of Event
+IDs created at each script execution. Duplicates, if any, are written to the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDsDuplicates.txt** file.
+
+Similarly, the add-on also creates the **Netwrix_Auditor_Event_Log_Export_Add-on_CategoriesIDs.txt**
+file that defines mapping between the Data Source and related Category ID.
+
+## Applying Filters
+
+Every time you run the script, Auditor makes a timestamp. The next time you run the script, it will
+start retrieving new Activity Records. Consider the following:
+
+- By default, the add-on does not apply any filters when exporting Activity Records. If you are
+ running the add-on for the first time (there is no timestamp yet) with no filters, it will export
+ Activity Records for the last month only. This helps to optimize solution performance during the
+ first run. At the end of the first run, the timestamp will be created, and the next run will start
+ export from that timestamp.
+
+- However, if you have specified a time period for Activity Records to be exported, then this filter
+ will be applied at the add-on first run and the runs that follow.
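Review bot: The sample command in Step 3 reads `...Add-on_for_IBM_QRadar.ps1 - NetwrixAuditorHost` with a space between the dash and the parameter name, and the value `172.28.6.15` has wrapped onto its own line. That contradicts the opening paragraph ("Each parameter is preceded with a dash") and will not bind the parameter if a reader copies it. It should read `-NetwrixAuditorHost 172.28.6.15` on one line. Put the whole console transcript (banner, prompt, command) in a fenced code block so it renders as one sample instead of three paragraphs. In the NOTE, the example `& "C:\Netwrix Add-ons"` quotes only the folder, while the sentence is about the script path, so show the full path to the .ps1 file. Small wording fixes: "run add-on", "On computer", and the stray space in "Event IDs .".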
diff --git a/docs/auditor/10.8/addon/intelsecurity/_category_.json b/docs/auditor/10.8/addon/intelsecurity/_category_.json
new file mode 100644
index 0000000000..1395781e14
--- /dev/null
+++ b/docs/auditor/10.8/addon/intelsecurity/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Intel Security",
+ "position": 110,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/intelsecurity/automate.md b/docs/auditor/10.8/addon/intelsecurity/automate.md
new file mode 100644
index 0000000000..62b9a7045a
--- /dev/null
+++ b/docs/auditor/10.8/addon/intelsecurity/automate.md
@@ -0,0 +1,35 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 40
+---
+
+# Automate Add-On Execution
+
+To ensure you feed the most recent data to your SIEM solution, Netwrix recommends scheduling a daily
+task for running the add-on.
+
+**Perform the following steps to create a scheduled task:**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task Scheduler**.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrixrecommends scheduling a
+daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix_Auditor_Add-on_for_Intel_Security.ps1" -NetwrixAuditorHost 172.28.6.15 |
+
+**Step 5 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
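Review bot: Step 1 ends at opening Task Scheduler and Step 2 already refers to the **General** tab, so the step that creates the task is missing and should be added between them. Step 2's "all necessary rights and permissions" is too vague for the account that will run an unattended export. Link it to the Prerequisites table in overview.md, which lists what that account actually needs (role in Auditor, write permission on the script folder, Domain Users membership). Also fix "Netwrixrecommends" in Step 3, add the missing article in "saved to event log", and drop the second "recommends scheduling a daily task", which repeats the opening paragraph.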
diff --git a/docs/auditor/10.8/addon/intelsecurity/collecteddata.md b/docs/auditor/10.8/addon/intelsecurity/collecteddata.md
new file mode 100644
index 0000000000..6f1f0a7795
--- /dev/null
+++ b/docs/auditor/10.8/addon/intelsecurity/collecteddata.md
@@ -0,0 +1,21 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+Follow the steps to work with collected data:
+
+**Step 1 –** On the computer where you executed the add-on, navigate to **Start** > **All
+Programs** > **Event Viewer**.
+
+**Step 2 –** In the Event Viewer dialog, navigate to **Event Viewer (local)** > **Applications and
+Services Logs** >Netwrix Auditor Integration log.
+
+**Step 3 –** Review events.
+
+
+
+Now you can augment Windows event log with data collected by the Auditor.
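Review bot: In Step 2 the last path element is written as `>Netwrix Auditor Integration log`, with no space after the `>` and no bold, unlike the other elements. The log is also named **Netwrix_Auditor_Integration** in overview.md, so one spelling should be used everywhere, because the reader has to find it by name in Event Viewer. The blank lines after Step 3 look like a screenshot that was dropped. Either restore the image or remove the gap. The closing sentence needs an article ("the Windows event log").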
diff --git a/docs/auditor/10.8/addon/intelsecurity/deployment.md b/docs/auditor/10.8/addon/intelsecurity/deployment.md
new file mode 100644
index 0000000000..f7cae2032b
--- /dev/null
+++ b/docs/auditor/10.8/addon/intelsecurity/deployment.md
@@ -0,0 +1,25 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can
+run the add-on on the computer where Auditor is installed or on a remote server. Depending on the
+execution scenario you choose, you have to define a different set of parameters. See the
+[Define Parameters](/docs/auditor/10.8/addon/intelsecurity/parameters.md) topic for additional information.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| ------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on the Auditor Server with the current user credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix_Auditor_Add-on_for_Intel_Security.ps1 |
+| The add-on runs on the Auditor Server with explicitly defined credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix_Auditor_Add-on_for_Intel_Security.ps1 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+| The add-on exports Activity Records from a remote Auditor Server using current user credentials and writes data to a local event log. | C:\Add-ons\Netwrix_Auditor_Add-on_for_Intel_Security.ps1-NetwrixAuditorHost 172.28.6.15 |
+| The add-on exports Activity Records from a remote Auditor Server using explicitly defined credentials and writes data to a local event log. | C:\Add-ons\Netwrix_Auditor_Add-on_for_Intel_Security.ps1-NetwrixAuditorHost 172.28.6.15 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
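Review bot: Two of the four example rows pass `-NetwrixAuditorPassword NetwrixIsCool` in clear text, and the closing paragraph only says "For security reasons" without giving the reason. Say it explicitly next to the table: a password supplied as a script argument is stored wherever the command line is stored, including the **Add arguments** field of the scheduled task that automate.md tells the reader to create. That makes the current-user scenario the documented default rather than an aside. Separately, rows 3 and 4 read `...Intel_Security.ps1-NetwrixAuditorHost` with no space before the parameter, so the examples do not work as written.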
diff --git a/docs/auditor/10.8/addon/intelsecurity/integrationeventlog.md b/docs/auditor/10.8/addon/intelsecurity/integrationeventlog.md
new file mode 100644
index 0000000000..eb4e547fa7
--- /dev/null
+++ b/docs/auditor/10.8/addon/intelsecurity/integrationeventlog.md
@@ -0,0 +1,40 @@
+---
+title: "Integration Event Log Fields"
+description: "Integration Event Log Fields"
+sidebar_position: 60
+---
+
+# Integration Event Log Fields
+
+This section describes how the add-on fills in the Netwrix Auditor **Integration** event log fields
+with data retrieved from Activity Records.
+
+The Activity Record structure is described in the
+[Reference for Creating Activity Records](/docs/auditor/10.8/api/activityrecordreference.md)topic.
+
+| Event log field name | Filled in with value | Details |
+| -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Source | **NA\_\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_ | Depending on _SetDataSourceAsEventSource_ in-script parameter. |
+| EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). |
+| Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. |
+
+See the [Define Parameters](/docs/auditor/10.8/addon/intelsecurity/parameters.md) topic for additional information.
+
+EventData is filled in with data from the Activity Record fields as follows:
+
+| Entry in EventData | Activity Record field |
+| ------------------ | --------------------- |
+| DataSource | `{DataSource}` |
+| Action | `{Action}` |
+| Message | `{Action ObjectType}` |
+| Where | `{Where}` |
+| ObjectType | `{ObjectType}` |
+| Who | `{Who}` |
+| What | `{What}` |
+| When | `{When}` |
+| Workstation | `{Workstation}` |
+| Details | `{Details}` |
+
+Details are filled in only if this Activity Record field is not empty.
+
+
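Review bot: The Source row's value cell has unbalanced emphasis markers (`**NA\_\_**`, then a code span, then `** -OR- **Netwrix \_Auditor_Integration_API\_\_`), so it will render with stray asterisks and underscores. It also disagrees with parameters.md, which gives the default source as _Netwrix_Auditor_Integration_API_ and the prefixed form as "NA Windows Server". Rewrite the cell with both literal values in code spans. Also add the missing space in `activityrecordreference.md)topic`, remove the two trailing blank lines at the end of the file, and make the "Message" row clearer: `{Action ObjectType}` does not say whether the two fields are concatenated with a space.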
diff --git a/docs/auditor/10.8/addon/intelsecurity/overview.md b/docs/auditor/10.8/addon/intelsecurity/overview.md
new file mode 100644
index 0000000000..43cfa02874
--- /dev/null
+++ b/docs/auditor/10.8/addon/intelsecurity/overview.md
@@ -0,0 +1,50 @@
+---
+title: "Intel Security"
+description: "Intel Security"
+sidebar_position: 110
+---
+
+# Intel Security
+
+Netwrix Auditor Add-on for SIEM helps you to get most from your SIEM investment. This topic focuses
+on the Intel Security SIEM solution.
+
+The add-on works in collaboration with Netwrix Auditor, supplying additional data that augments the
+data collected by the SIEM solution.
+
+The add-on enriches your SIEM data with actionable context in human-readable format, including the
+before and after values for every change and data access attempt, both failed and successful.
+Aggregating data into a single audit trail simplifies analysis, makes your SIEM more cost effective,
+and helps you keep tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on facilitates the audit data transition from Netwrix
+Auditor to the SIEM solution. All you have to do is provide connection details and schedule the
+script for execution.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Netwrix Auditor server and retrieves audit data using the Netwrix
+ Auditor Integration API.
+2. The add-on processes Netwrix Auditor-compatible data (Activity Records) into log events that work
+ as input for the SIEM solution. Each event contains the user account, action, time, and other
+ details.
+3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores
+ events there. These events are structured and ready for integration with the SIEM solution.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Netwrix Auditor Integration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
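Review bot: In the Prerequisites table, the script-host row tells the reader to run `Set-ExecutionPolicy Unrestricted`, which changes the machine's policy in order to run a single add-on script, and it gives no reason. Consider documenting a narrower alternative, such as `-Scope Process` or the `-ExecutionPolicy` argument of Powershell.exe in the scheduled task action from automate.md, and state why the default policy is not sufficient. Both cells in that table also flatten their bullet lists onto one line ("- ... - ... - ..."), which will not render as lists. Move the requirements out of the table or break them explicitly. The log is called **Netwrix_Auditor_Integration** in item 3 but "Netwrix Auditor Integration" in powershell.md and collecteddata.md. Wording: "get most from" should be "get the most from".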
diff --git a/docs/auditor/10.8/addon/intelsecurity/parameters.md b/docs/auditor/10.8/addon/intelsecurity/parameters.md
new file mode 100644
index 0000000000..3822b8cc1e
--- /dev/null
+++ b/docs/auditor/10.8/addon/intelsecurity/parameters.md
@@ -0,0 +1,43 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/intelsecurity/deployment.md) topic
+for additional information.
+
+| Parameter | Default value | Description |
+| --------------------------------- | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Connection to Netwrix Auditor** | | |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting the Auditor Server and uses default port 9699. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide a server name followed by the port number (e.g., WKS.enterprise.local:9999). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. The account must be assigned the Global reviewer role in Auditor or be a member of the Netwrix Auditor **Client Users** group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
+
+## In-Script Parameters
+
+You may also need to modify the parameters that define how EventIDs should be generated for exported
+events, though their default values address most popular usage scenarios. In-script parameters are
+listed in the table below. To modify them, open the script for edit and enter the values you need.
+
+Once set, these parameter values must stay unchanged until the last run of the script — otherwise
+dynamically calculated EventIDs will be modified and applied incorrectly.
+
+| Parameter | Default value | Description |
+| -------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **EventID generation** | | |
+| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](/docs/auditor/10.8/api/postdata/activityrecords.md) topic for additional information. |
+| IncludeDataSourceToMakeEventId\* | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to _TRUE_. |
+| SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the DataSource field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the DataSource field of Activity Record. Only the lowest 9 bits of the calculation result are used. |
+| SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the DataSource field of Activity Record. Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular DataSource does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. |
+
+\* When configuring the **IncludeDataSourceToMakeEventId** parameter, consider that the _Object
+Type - Action_ pair may be identical for several data sources (e.g., Object='User' and
+Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID
+(duplicates). See the [Run the Add-On with PowerShell](/docs/auditor/10.8/addon/ibmqradar/powershell.md) topic for
+additional information about duplicates.
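Review bot: The footnote's "Run the Add-On with PowerShell" link points to `/docs/auditor/10.8/addon/ibmqradar/powershell.md`, but this page is under intelsecurity and has its own powershell.md. The link should stay within the same add-on. In the in-script table, `$EventSourcePrefix` is mentioned in the SetDataSourceAsEventSource description but has no row of its own, so the reader cannot tell where it is set. The footnote says `Object='User'` while the field is called ObjectType everywhere else. The GenerateEventId and SetDataSourceAsEventCategory cells flatten their bullet lists into one line. Also fix "whether to generated" and use one casing for True/_TRUE_. The first paragraph has a comma splice ("Most parameters are optional, the script uses...").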
diff --git a/docs/auditor/10.8/addon/intelsecurity/powershell.md b/docs/auditor/10.8/addon/intelsecurity/powershell.md
new file mode 100644
index 0000000000..b47e6f0247
--- /dev/null
+++ b/docs/auditor/10.8/addon/intelsecurity/powershell.md
@@ -0,0 +1,66 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 30
+---
+
+# Run the Add-On with PowerShell
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+**To run the script with PowerShell:**
+
+**Step 1 –** On computer where you want to execute the add-on, start **Windows PowerShell**.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Add-on_for_Intel_Security.ps1 - NetwrixAuditorHost
+172.28.6.15
+
+**NOTE:** If the script path contains spaces (e.g., _C:\Netwrix Add-ons_), embrace it in double
+quotes and insert the ampersand (**&**) symbol in front (e.g., & "_C:\Netwrix Add-ons_").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in Netwrix Auditor Audit Database execution may
+take a while. Ensure the script execution completed successfully. The Netwrix Auditor
+**Integration** event log will be created and filled with events.
+
+By default, the Netwrix Auditor **Integration** event log size is set to 1GB, and retention is set
+to "_Overwrite events as needed_". See the [Integration Event Log Fields](/docs/auditor/10.8/addon/intelsecurity/integrationeventlog.md)
+topic for additional information.
+
+**NOTE:** Event records with more than 30,000 characters length will be trimmed.
+
+At the end of each run, the script creates the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDs.txt** file. It defines mapping between the
+Activity Records and related Event IDs . You can use this file to track possible duplicates of Event
+IDs created at each script execution. Duplicates, if any, are written to the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDsDuplicates.txt** file.
+
+Similarly, the add-on also creates the **Netwrix_Auditor_Event_Log_Export_Add-on_CategoriesIDs.txt**
+file that defines mapping between the Data Source and related Category ID.
+
+## Applying Filters
+
+Every time you run the script, Auditor makes a timestamp. The next time you run the script, it will
+start retrieving new Activity Records. Consider the following:
+
+- By default, the add-on does not apply any filters when exporting Activity Records. If you are
+ running the add-on for the first time (there is no timestamp yet) with no filters, it will export
+ Activity Records for the last month only. This helps to optimize solution performance during the
+ first run. At the end of the first run, the timestamp will be created, and the next run will start
+ export from that timestamp.
+
+- However, if you have specified a time period for Activity Records to be exported, then this filter
+ will be applied at the add-on first run and the runs that follow.
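Review bot: "Applying Filters" says "if you have specified a time period for Activity Records to be exported", but neither this page nor parameters.md names a parameter or setting for specifying that period, so the reader cannot act on it. Name the setting or link to where it is documented. The same section says "Auditor makes a timestamp", while overview.md says the add-on writes a .bin file with the last exported event to the script folder. Say which component records the timestamp and where, since the account needs write access there. Step 3 also has the same defect as the ibmqradar copy of this page: `.ps1 - NetwrixAuditorHost` has a space after the dash and the IP has wrapped onto the next line. The transcript should be fenced. The two pages also differ for no visible reason ("Follow the steps to run add-on" versus "**To run the script with PowerShell:**"), which suggests the text should come from one shared source.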
diff --git a/docs/auditor/10.8/addon/linux/_category_.json b/docs/auditor/10.8/addon/linux/_category_.json
new file mode 100644
index 0000000000..0f7daf2953
--- /dev/null
+++ b/docs/auditor/10.8/addon/linux/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Linux Generic Syslog",
+ "position": 120,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/linux/collecteddata.md b/docs/auditor/10.8/addon/linux/collecteddata.md
new file mode 100644
index 0000000000..2435ba82e2
--- /dev/null
+++ b/docs/auditor/10.8/addon/linux/collecteddata.md
@@ -0,0 +1,21 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 30
+---
+
+# Work with Collected Data
+
+Follow the steps to search for collected data:
+
+**Step 1 –** Start the Auditor client and navigate to **Search**.
+
+**Step 2 –** Click **Search**.
+
+**NOTE:** You might want to apply a filter to narrow down your search results to the Netwrix API
+data source only.
+
+## Expand List of Gathered Events
+
+Based on the activity you get, you may want to adjust the processing rules, add other relevant
+events, etc. To do that, copy and edit the file with processing rules, and then restart the service.
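Review bot: "Expand List of Gathered Events" tells the reader to "copy and edit the file with processing rules, and then restart the service" without naming the file, its location, or the service, so the instruction cannot be followed from this page. Add the names or link to the topic that defines them. In the procedure, Step 2 ("Click **Search**") directly follows Step 1's "navigate to **Search**", and the NOTE about filtering by the Netwrix API data source comes after the click. If the filter is meant to be applied first, move it before Step 2 and say how to set it.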
diff --git a/docs/auditor/10.8/addon/linux/install.md b/docs/auditor/10.8/addon/linux/install.md
new file mode 100644
index 0000000000..955178db1f
--- /dev/null
+++ b/docs/auditor/10.8/addon/linux/install.md
@@ -0,0 +1,24 @@
+---
+title: "Install Add-On"
+description: "Install Add-On"
+sidebar_position: 10
+---
+
+# Install Add-On
+
+Follow the steps to install the Add-On:
+
+**Step 1 –** Navigate to your add-on package.
+
+**Step 2 –** Unzip the Add-On to a desired folder.
+
+**Step 3 –** Run the installation package.
+
+**Step 4 –** Accept the license agreement and follow the instructions of the setup wizard.
+
+**Step 5 –** On the **Destination Folder** step, specify the installation folder (_C:\Program Files
+(x86)\Netwrix Add-ons\_ by default).
+
+**Step 6 –** Click **Install**.
+
+**Step 7 –** When done, click **Finish**.
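Review bot: In Step 5 the default path is written as `_C:\Program Files (x86)\Netwrix Add-ons\_`. The trailing `\_` escapes the underscore, so the italic span never closes and the rest of the line renders incorrectly. Put the path in a code span instead. Step 1 ("Navigate to your add-on package") does not say where the package comes from. The other add-on overviews point to the Add-on Store, so a link here would help.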
diff --git a/docs/auditor/10.8/addon/linux/overview.md b/docs/auditor/10.8/addon/linux/overview.md
new file mode 100644
index 0000000000..775fca57d6
--- /dev/null
+++ b/docs/auditor/10.8/addon/linux/overview.md
@@ -0,0 +1,43 @@
+---
+title: "Linux Generic Syslog"
+description: "Linux Generic Syslog"
+sidebar_position: 120
+---
+
+# Linux Generic Syslog
+
+The add-on works in collaboration with Netwrix Auditor, supplying data about activity on your
+Linux-based devices. Aggregating data into a single audit trail simplifies analysis, makes activity
+monitoring more cost effective, and helps you keep tabs on your IT infrastructure.
+
+Implemented as a service, this add-on facilitates the data transition from Linux-based systems to
+Netwrix Auditor. All you have to do is provide connection details and specify parsing rules.
+
+On a high level, the add-on works as follows:
+
+**Step 1 –** The add-on listens to the specified UDP ports and captures designated Syslog messages.
+
+**Step 2 –** Out of the box, messages from Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise
+Server 12, openSUSE42, and Ubuntu 16 are supported. For other distributions, deployment of the
+rsyslog package may be required. You can edit the add-on configuration to extend the captured
+message list.
+
+**Step 3 –** The add-on processes these events into Netwrix Auditor-compatible format (Activity
+Records). Each Activity Record contains the user account, action, time, and other details.
+
+**Step 4 –** Using the Integration API, the add-on sends the activity records to the Netwrix Auditor
+Server, which writes them to the Long-Term Archive and the Audit Database.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the NIntegration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ----------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Netwrix Auditor Server side | - The Audit Database settings are configured in Auditor Server. - The TCP **9699** port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Contributor role in Auditor. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the add-on will be installed | - The UDP 514 port is open for inbound connections. **CAUTION:** UPD 514 port can only be used by one service, otherwise the following error will occur: [ERROR] Error occurred when starting the syslog udp listener. Only one usage of each socket address (protocol/network address/port) is normally permitted - .Net Framework [3.5 SP1](http://www.microsoft.com/en-us/download/details.aspx?id=22), [4.0](https://www.microsoft.com/en-us/download/details.aspx?id=17851), [4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653), or [4.6](https://www.microsoft.com/en-us/download/details.aspx?id=48130) is installed. |
+| On the target syslog-based platform | Outbound UDP 514 port must be enabled. The **Syslog daemon** must be configured to redirect events. The procedure below explains how to configure redirection. **NOTE:** Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise Server 12, openSUSE 42, and Ubuntu 16 are supported out of the box. For other distributions, deployment of the rsyslog package may be required. - On Red Hat Enterprise Linux 7, perform the following steps: **Step 5 –** Open the **/ etc/ rsyslog.conf** file. **Step 6 –** Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where **name** is a FQDN, Net BIOSname or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format` **Step 7 –** Launch the **RHEL console** and execute the following command: `service rsyslog restart` - On Ubuntu 16, perform the following steps: **Step 1 –** Navigate to the **/ etc/ rsyslog.d/ 50-default.conf** file. **Step 2 –** Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where **name** is a FQDN, Net BIOSname or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_SyslogProtocol23Format` **Step 3 –** Launch the **UBUNTU console** and execute the following command: `service rsyslog restart` |
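Review bot: In the last Prerequisites row, the rsyslog line forwards to `@name:514` where **name** is "the computer where Netwrix Auditor Server is installed", but the row above places the UDP 514 listener on "the computer where the add-on will be installed". If the add-on runs on a different machine, the documented forwarding target is wrong. Name the add-on host as the target. The same cell says "The procedure below" although the procedure is inline, numbers the RHEL steps 5 to 7 while the Ubuntu steps restart at 1, and has spaces inside the file paths (`/ etc/ rsyslog.conf`, `/ etc/ rsyslog.d/ 50-default.conf`) that must be removed for the paths to be usable. Move both procedures out of the table into proper step lists. The "how it works" list uses Step labels although Step 2 is a support statement, not an action, and it repeats the distribution list given again in the NOTE. Typos: "UPD 514", "NIntegration API", "Net BIOSname", "openSUSE42".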
diff --git a/docs/auditor/10.8/addon/linux/parameters.md b/docs/auditor/10.8/addon/linux/parameters.md
new file mode 100644
index 0000000000..370912a9ca
--- /dev/null
+++ b/docs/auditor/10.8/addon/linux/parameters.md
@@ -0,0 +1,30 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 20
+---
+
+# Define Parameters
+
+The configuration wizard opens in the default web browser:
+
+
+
+Click **Proceed** and complete the following fields:
+
+| Option | Description |
+| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Specify General Settings | |
+| Listed UDP port | Specify UDP port for listening incoming events. (**514** by default). |
+| Auditor Endpoint | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hostingAuditor Server and uses default port _9699_. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15_, _EnterpriseNAServer_, _WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.ent erprise.local:9999_). Do not modify the endpoint part (_/ netwrix/ api_ ) |
+| Certificate Thumbprint | Netwrix Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check Auditor certificate via Windows Certificate Store. - `AB:BB:CC`—Check Auditor Server certificate thumbprint identifier. - `NOCHECK`—Do not check Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
+| Specify Active Directory credentials | |
+| Username | Provide the name of the account under which the service runs. Unless specified, the service runs under the account currently logged on. |
+| Password | Provide the password for the selected account. |
+| Auditor Monitoring Plan settings | |
+| Auditor Plan | Unless specified, data is written to **Netwrix_Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add- on, make sure a dedicated plan is created in Auditor, the Netwrix **API** data source is added to the plan and enabled for monitoring. Otherwise, the add- on will not be able to write data to the Audit Database. |
+| Auditor Plan Item | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item inAuditor in advance. |
+| Accept List | |
+| Address | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. |
+
+Click **Run** to start collecting data with the Add-On.
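Review bot: The Certificate Thumbprint row tells readers to select `NOCHECK` whenever servers are specified by IP, which turns off verification of the Auditor Server certificate for the connection to the Auditor endpoint. The same row already lists a thumbprint value (`AB:BB:CC`) as an option; recommend that for IP-addressed servers and describe `NOCHECK` as a last resort. Please also check "Listed UDP port" against the wizard label (it reads like "Listen UDP port"), and fix the conversion damage in the Auditor Endpoint and Plan rows: "hostingAuditor", "WKS.ent erprise.local:9999", "_/ netwrix/ api_", "inAuditor", "add- on". The empty lines after "opens in the default web browser:" look like a dropped screenshot.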
diff --git a/docs/auditor/10.8/addon/logrhythm/_category_.json b/docs/auditor/10.8/addon/logrhythm/_category_.json
new file mode 100644
index 0000000000..42addba061
--- /dev/null
+++ b/docs/auditor/10.8/addon/logrhythm/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "LogRhythm",
+ "position": 130,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/logrhythm/automate.md b/docs/auditor/10.8/addon/logrhythm/automate.md
new file mode 100644
index 0000000000..40abd9569c
--- /dev/null
+++ b/docs/auditor/10.8/addon/logrhythm/automate.md
@@ -0,0 +1,33 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 40
+---
+
+# Automate Add-On Execution
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task Scheduler**.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrixrecommends scheduling a
+daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix_Auditor_Add-on_for_LogRhythm.ps1" -NetwrixAuditorHost 172.28.6.15 |
+
+**Step 5 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
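Review bot: The paragraph "After creating a task, wait for the next scheduled run..." appears twice, once before Step 1, where no task exists yet, and again after Step 5; drop the first copy and open with a one-line intro instead. Step 1 only navigates to Task Scheduler and never says to create a task, so Step 2's **General** tab has no dialog to refer to; add the create-task action. "Netwrixrecommends" in Step 3 is missing a space, and the "Add arguments" example should be in code formatting so the quotes and backslashes survive rendering.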
diff --git a/docs/auditor/10.8/addon/logrhythm/collecteddata.md b/docs/auditor/10.8/addon/logrhythm/collecteddata.md
new file mode 100644
index 0000000000..4eb4fba982
--- /dev/null
+++ b/docs/auditor/10.8/addon/logrhythm/collecteddata.md
@@ -0,0 +1,21 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+Follow the steps to work with collected data.
+
+**Step 1 –** On the computer where you executed the add-on, navigate to **Start** > **All
+Programs** > **Event Viewer**.
+
+**Step 2 –** In the Event Viewer dialog, navigate to **Event Viewer (local)** > **Applications and
+Services Logs** >Netwrix Auditor Integration log.
+
+**Step 3 –** Review events.
+
+
+
+Now you can augment Windows event log with data collected by the Auditor.
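Review bot: Step 2 gives the log as "Netwrix Auditor Integration log" in plain text, with no space after the ">", while overview.md in this patch names it **Netwrix_Auditor_Integration**; use the exact name shown in Event Viewer and bold it like the other navigation elements. The two empty lines after Step 3 look like a dropped screenshot; restore it or remove the gap.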
diff --git a/docs/auditor/10.8/addon/logrhythm/deployment.md b/docs/auditor/10.8/addon/logrhythm/deployment.md
new file mode 100644
index 0000000000..5fdc104b2a
--- /dev/null
+++ b/docs/auditor/10.8/addon/logrhythm/deployment.md
@@ -0,0 +1,25 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can
+run the add-on on the computer where Auditor is installed or on a remote server. Depending on the
+execution scenario you choose, you have to define a different set of parameters. See the
+[Define Parameters](/docs/auditor/10.8/addon/logrhythm/parameters.md) topic for additional information.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| ------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on theAuditorServer with the current user credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix_Auditor_Add-on_for_LogRhythm.ps1 |
+| The add-on runs on the Auditor Server with explicitly defined credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* LogRhythm.ps1 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+| The add-on exports Activity Records from a remote Auditor Server using current user credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* LogRhythm.ps1-NetwrixAuditorHost 172.28.6.15 |
+| The add-on exports Activity Records from a remote Auditor Server using explicitly defined credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* LogRhythm.ps1-NetwrixAuditorHost 172.28.6.15 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
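Review bot: Rows 2 and 4 of the scenario table show `-NetwrixAuditorPassword NetwrixIsCool` typed in clear text on the command line, and the advice to prefer current user credentials only comes after the table. Move that recommendation above the table and mark the explicit-credential rows as the discouraged option, since automate.md in this patch has readers paste the same argument string into the task's "Add arguments" field. The script name is also corrupted in rows 2 to 4 ("Netwrix*Auditor_Add-on_for* LogRhythm.ps1", in two rows with no space before -NetwrixAuditorHost), which looks like emphasis markers eating the underscores; put the examples in code formatting. "theAuditorServer" in row 1 needs spaces.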
diff --git a/docs/auditor/10.8/addon/logrhythm/integrationeventlog.md b/docs/auditor/10.8/addon/logrhythm/integrationeventlog.md
new file mode 100644
index 0000000000..8aaeab96fe
--- /dev/null
+++ b/docs/auditor/10.8/addon/logrhythm/integrationeventlog.md
@@ -0,0 +1,40 @@
+---
+title: "Integration Event Log Fields"
+description: "Integration Event Log Fields"
+sidebar_position: 60
+---
+
+# Integration Event Log Fields
+
+This section describes how the add-on fills in the Netwrix Auditor **Integration** event log fields
+with data retrieved from Activity Records.
+
+The Activity Record structure is described in the
+[Reference for Creating Activity Records](/docs/auditor/10.8/api/activityrecordreference.md)topic.
+
+| Event log field name | Filled in with value | Details |
+| -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Source | **NA\_\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_ | Depending on _SetDataSourceAsEventSource_ in-script parameter. |
+| EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). |
+| Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. |
+
+See the [Define Parameters](/docs/auditor/10.8/addon/logrhythm/parameters.md) topic for additional information.
+
+EventData is filled in with data from the Activity Record fields as follows:
+
+| Entry in EventData | Activity Record field |
+| ------------------ | --------------------- |
+| DataSource | `{DataSource}` |
+| Action | `{Action}` |
+| Message | `{Action ObjectType}` |
+| Where | `{Where}` |
+| ObjectType | `{ObjectType}` |
+| Who | `{Who}` |
+| What | `{What}` |
+| When | `{When}` |
+| Workstation | `{Workstation}` |
+| Details | `{Details}` |
+
+Details are filled in only if this Activity Record field is not empty.
+
+
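Review bot: The Source row of the first table is unreadable as written: "**NA\_\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_" has unbalanced bold markers and stray escaped underscores, and it does not match parameters.md in this patch, which gives the prefix as NA (for example "NA Windows Server") and the fallback as Netwrix_Auditor_Integration_API. Rewrite the cell with code formatting for both values. The link to the Activity Record reference is followed by "topic" with no space, and the hunk ends with two empty lines that look like a removed image.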
diff --git a/docs/auditor/10.8/addon/logrhythm/overview.md b/docs/auditor/10.8/addon/logrhythm/overview.md
new file mode 100644
index 0000000000..de47365a9e
--- /dev/null
+++ b/docs/auditor/10.8/addon/logrhythm/overview.md
@@ -0,0 +1,50 @@
+---
+title: "LogRhythm"
+description: "LogRhythm"
+sidebar_position: 130
+---
+
+# LogRhythm
+
+Netwrix Auditor Add-on for SIEM helps you to get most from your SIEM investment. This topic focuses
+on the LogRhythm SIEM solution.
+
+The add-on works in collaboration with Netwrix Auditor, supplying additional data that augments the
+data collected by the SIEM solution.
+
+The add-on enriches your SIEM data with actionable context in human-readable format, including the
+before and after values for every change and data access attempt, both failed and successful.
+Aggregating data into a single audit trail simplifies analysis, makes your SIEM more cost effective,
+and helps you keep tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on facilitates the audit data transition from Netwrix
+Auditor to the SIEM solution. All you have to do is provide connection details and schedule the
+script for execution.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Netwrix Auditor server and retrieves audit data using the Netwrix
+ Auditor Integration API.
+2. The add-on processes Netwrix Auditor-compatible data (Activity Records) into log events that work
+ as input for the SIEM solution. Each event contains the user account, action, time, and other
+ details.
+3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores
+ events there. These events are structured and ready for integration with the SIEM solution.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Netwrix Auditor Integration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
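Review bot: The prerequisites row for the script host requires `Set-ExecutionPolicy Unrestricted`, which changes the policy for the whole machine in order to run one add-on script. Document a narrower setting, for example `RemoteSigned`, or passing `-ExecutionPolicy` to Powershell.exe only in the scheduled task that automate.md sets up, and state which one the add-on actually needs. The server-side row offers the Global administrator role as an alternative to Global reviewer while noting it gives "the most extended permissions"; say plainly that Global reviewer is sufficient and preferred. Minor: "get most from" should be "get the most from", and the dash-separated items inside both cells would read better as lists outside the table.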
diff --git a/docs/auditor/10.8/addon/logrhythm/parameters.md b/docs/auditor/10.8/addon/logrhythm/parameters.md
new file mode 100644
index 0000000000..751c5b06cf
--- /dev/null
+++ b/docs/auditor/10.8/addon/logrhythm/parameters.md
@@ -0,0 +1,43 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/logrhythm/deployment.md) topic
+for additional information.
+
+| Parameter | Default value | Description |
+| --------------------------------- | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Connection to Netwrix Auditor** | | |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting the Auditor Server and uses default port 9699. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide a server name followed by the port number (e.g., WKS.enterprise.local:9999). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. The account must be assigned the Global reviewer role in Auditor or be a member of the Netwrix Auditor **Client Users** group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
+
+## In-Script Parameters
+
+You may also need to modify the parameters that define how EventIDs should be generated for exported
+events, though their default values address most popular usage scenarios. In-script parameters are
+listed in the table below. To modify them, open the script for edit and enter the values you need.
+
+Once set, these parameter values must stay unchanged until the last run of the script — otherwise
+dynamically calculated EventIDs will be modified and applied incorrectly.
+
+| Parameter | Default value | Description |
+| -------------------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **EventID generation** | | |
+| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](/docs/auditor/10.8/api/postdata/activityrecords.md) topic for additional information. |
+| IncludeDataSourceToMakeEventId\* | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to _TRUE_. |
+| SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the DataSource field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the DataSource field of Activity Record. Only the lowest 9 bits of the calculation result are used. |
+| SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the DataSource field of Activity Record. Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular DataSource does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. |
+
+\* When configuring the **IncludeDataSourceToMakeEventId** parameter, consider that the _Object
+Type - Action_ pair may be identical for several data sources (e.g., Object='User' and
+Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID
+(duplicates). See the [Run the Add-On with PowerShell](/docs/auditor/10.8/addon/ibmqradar/powershell.md) topic for
+additional information about duplicates.\*
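Review bot: The footnote's "Run the Add-On with PowerShell" link points at /docs/auditor/10.8/addon/ibmqradar/powershell.md rather than the LogRhythm page added in this same patch (addon/logrhythm/powershell.md); fix the path. The footnote also ends with a stray "\*". In the GenerateEventId row, "whether to generated" should be "whether to generate", and the statement that only the lowest 16 bits of the CRC32 result are used deserves one more sentence saying that different ObjectType/Action/DataSource combinations can therefore end up with the same EventID, since anything keyed on EventID downstream depends on that. The IncludeDataSourceToMakeEventId row writes _TRUE_ where the other rows write True.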
diff --git a/docs/auditor/10.8/addon/logrhythm/powershell.md b/docs/auditor/10.8/addon/logrhythm/powershell.md
new file mode 100644
index 0000000000..3f5b5be75f
--- /dev/null
+++ b/docs/auditor/10.8/addon/logrhythm/powershell.md
@@ -0,0 +1,66 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 30
+---
+
+# Run the Add-On with PowerShell
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+Follow the steps to run the script with PowerShell.
+
+**Step 1 –** On computer where you want to execute the add-on, start **Windows PowerShell**.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Add-on_for_LogRhythm.ps1 - NetwrixAuditorHost
+172.28.6.15
+
+**NOTE:** If the script path contains spaces (e.g., _C:\Netwrix Add-ons_), embrace it in double
+quotes and insert the ampersand (**&**) symbol in front (e.g., & "_C:\Netwrix Add-ons_").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in Netwrix Auditor Audit Database execution may
+take a while. Ensure the script execution completed successfully. The Netwrix Auditor Integration
+event log will be created and filled with events.
+
+By default, the Auditor Integration event log size is set to 1GB, and retention is set to
+"_Overwrite events as needed_". See the [Integration Event Log Fields](/docs/auditor/10.8/addon/logrhythm/integrationeventlog.md) topic
+for additional information.
+
+**NOTE:** Event records with more than 30,000 characters length will be trimmed.
+
+At the end of each run, the script creates the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDs.txt** file. It defines mapping between the
+Activity Records and related Event IDs . You can use this file to track possible duplicates of Event
+IDs created at each script execution. Duplicates, if any, are written to the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDsDuplicates.txt** file.
+
+Similarly, the add-on also creates the **Netwrix_Auditor_Event_Log_Export_Add-on_CategoriesIDs.txt**
+file that defines mapping between the Data Source and related Category ID.
+
+## Applying Filters
+
+Every time you run the script, Auditor makes a timestamp. The next time you run the script, it will
+start retrieving new Activity Records. Consider the following:
+
+- By default, the add-on does not apply any filters when exporting Activity Records. If you are
+ running the add-on for the first time (there is no timestamp yet) with no filters, it will export
+ Activity Records for the last month only. This helps to optimize solution performance during the
+ first run. At the end of the first run, the timestamp will be created, and the next run will start
+ export from that timestamp.
+
+- However, if you have specified a time period for Activity Records to be exported, then this filter
+ will be applied at the add-on first run and the runs that follow.
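Review bot: The sample console line in Step 3 reads "...LogRhythm.ps1 - NetwrixAuditorHost" with a space between the dash and the parameter name and wraps the IP address onto a second line, so a reader copying it gets a command that contradicts the rule stated at the top ("Each parameter is preceded with a dash"). Put the console output in a code block with `-NetwrixAuditorHost 172.28.6.15` on one line. The NOTE about paths with spaces should likewise show the full `& "..."` invocation in code formatting rather than italics. Minor: "On computer" in Step 1 needs an article, "Event IDs ." has a stray space, and the page alternates between "Netwrix Auditor Integration" and "Auditor Integration" for the same event log.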
diff --git a/docs/auditor/10.8/addon/nasuni/_category_.json b/docs/auditor/10.8/addon/nasuni/_category_.json
new file mode 100644
index 0000000000..424d69590e
--- /dev/null
+++ b/docs/auditor/10.8/addon/nasuni/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Nasuni",
+ "position": 140,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/nasuni/collecteddata.md b/docs/auditor/10.8/addon/nasuni/collecteddata.md
new file mode 100644
index 0000000000..0da803a426
--- /dev/null
+++ b/docs/auditor/10.8/addon/nasuni/collecteddata.md
@@ -0,0 +1,32 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 30
+---
+
+# Work with Collected Data
+
+To leverage data collected with the add-on, you can do the following in Auditor:
+
+- Search for required data. For that, start Auditor client and navigate to **Search**. After
+ specifying the criteria you need, click **Search**. You will get a list of activity records with
+ detailed information on who did what in the reported time period.
+
+You can apply a filter to narrow down your search results to the Netwrix **API** data source only.
+
+
+
+- Also, you can click **Tools** in the upper-right corner and select the command you need. For
+ example:
+ - If you want to periodically receive the report on the results of search with the specified
+ criteria, click **Subscribe**. Then specify how you want the report to be delivered – as an
+ email or as a file stored to the file share.
+ - To create an alert on the specific occurrences, click **Create alert**.
+ - To export filtered data to PDF or CSV, click **Export data**.
+- You can also configure and receive alerts on the events you are interested in.
+
+See the following topics for additional information:
+
+- [Alerts](/docs/auditor/10.8/admin/alertsettings/overview.md)
+- [View and Search Collected Data](/docs/auditor/10.8/admin/search/overview.md)
+- [Subscriptions](/docs/auditor/10.8/admin/subscriptions/overview.md)
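Review bot: The sentence "You can apply a filter to narrow down your search results to the Netwrix **API** data source only." sits unindented between two bullets and is followed by two empty lines, so it splits the list; indent it under the first bullet and restore or remove the missing screenshot. The last bullet ("You can also configure and receive alerts...") repeats the **Create alert** sub-item directly above it; merge the two.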
diff --git a/docs/auditor/10.8/addon/nasuni/install.md b/docs/auditor/10.8/addon/nasuni/install.md
new file mode 100644
index 0000000000..955178db1f
--- /dev/null
+++ b/docs/auditor/10.8/addon/nasuni/install.md
@@ -0,0 +1,24 @@
+---
+title: "Install Add-On"
+description: "Install Add-On"
+sidebar_position: 10
+---
+
+# Install Add-On
+
+Follow the steps to install the Add-On:
+
+**Step 1 –** Navigate to your add-on package.
+
+**Step 2 –** Unzip the Add-On to a desired folder.
+
+**Step 3 –** Run the installation package.
+
+**Step 4 –** Accept the license agreement and follow the instructions of the setup wizard.
+
+**Step 5 –** On the **Destination Folder** step, specify the installation folder (_C:\Program Files
+(x86)\Netwrix Add-ons\_ by default).
+
+**Step 6 –** Click **Install**.
+
+**Step 7 –** When done, click **Finish**.
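Review bot: In Step 5 the default path is written as _C:\Program Files (x86)\Netwrix Add-ons\_ so the closing underscore is escaped by the trailing backslash and the italics never close; use code formatting for the path. Step 1 says "Navigate to your add-on package" without saying where the package comes from; overview.md in this patch mentions the Add-on Store, so point there.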
diff --git a/docs/auditor/10.8/addon/nasuni/overview.md b/docs/auditor/10.8/addon/nasuni/overview.md
new file mode 100644
index 0000000000..dbcf643a16
--- /dev/null
+++ b/docs/auditor/10.8/addon/nasuni/overview.md
@@ -0,0 +1,81 @@
+---
+title: "Nasuni"
+description: "Nasuni"
+sidebar_position: 140
+---
+
+# Nasuni
+
+The add-on works in collaboration with Netwrix Auditor, supplying data about activity on your
+Nasuni-based devices. Aggregating data into a single audit trail simplifies analysis, makes activity
+monitoring more cost effective, and helps you keep tabs on your IT infrastructure.
+
+Implemented as a service, this add-on facilitates the data transition from Nasuni-based systems to
+Netwrix Auditor. All you have to do is provide connect ion details and specify parsing rules.
+
+On a high level, the add-on works as follows:
+
+1. The add-on listens to the specified UDP ports and captures designated Syslog messages.
+2. The add-on processes these events into Netwrix Auditor-compatible format (Activity Records). Each
+ Activity Record contains the user account, action, time, and other details.
+3. Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server,
+ which writes them to the Long-Term Archive and the Audit Database.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the NIntegration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ----------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the add-on will be installed | - The UDP 514 port is open for inbound connections. - .Net Framework 4.7.2 and above is installed. Review the following Microsoft technical article for additional information on how to install .Net Framework 4.7.2: [Microsoft .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2). |
+
+### Configure Logging for
+
+Follow the steps to configure the syslog integration.
+
+**Step 1 –** Log in to the Nasuni Management Console and go to the **Console Settings** > **Syslog
+Exports**.
+
+**Step 2 –** In the Network section, specify the **IP Address** and **Port** and save the
+configuration.
+
+**Step 3 –** Configure log settings:
+
+- Set **Send Auditing Messages** to "_ON_";
+- Set **Logging Facility** to default "_Local0 (16)_";
+- Set **Log Level for Audit Message** to "_Info_".
+
+**Step 4 –** Enable auditing:
+
+1. On the Volumes tab, open **Auditing**.
+2. Choose the volume you wish to be audited and click **Edit Volumes**.
+3. Select the **Auditing Enabled** option and choose which Event Types you wish to be reported.
+4. Hit the **Save Auditing Settings** button.
+
+### Accounts and Rights
+
+By default, the add-on will run under the _Local System_ account. The add-on and Auditor must be
+installed on the same server. If a specific account is designated to run the add-on, it needs local
+admin privileges.
+
+### Considerations and Limitations
+
+- The Add-On must be deployed in the same subnet as Nasuni NAS & File Server Silo Consolidation and
+ Auditor.
+- If the monitoring plan name in the _``_ add-on configuration parameter is
+ specified incorrectly, this may lead to temp files generation and, therefore, to inefficient disk
+ space usage.
+- If you are using Netwrix Auditor for Network Devices, the 514 UDP port may be already in use, and
+ you should specify another port when configuring the add-on settings (see the
+ [Install Add-On](/docs/auditor/10.8/addon/nasuni/install.md) and [Define Parameters](/docs/auditor/10.8/addon/nasuni/parameters.md) topics for additional
+ information). Another option is to install the add-on and Auditor Server on different machines.
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
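Review bot: "Accounts and Rights" states that the add-on and Auditor must be installed on the same server, but the last bullet under "Considerations and Limitations" offers installing the add-on and Auditor Server on different machines as a workaround for the UDP 514 conflict. One of the two statements needs to change. Two tokens were also dropped in conversion: the heading "### Configure Logging for" ends without a product name, and the second limitation bullet refers to an add-on configuration parameter whose name is an empty inline-code span, so the temp-file warning cannot be acted on. In the prerequisites table, "UDP 514" is plain while "TCP **9699**" is bold; use one style.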
diff --git a/docs/auditor/10.8/addon/nasuni/parameters.md b/docs/auditor/10.8/addon/nasuni/parameters.md
new file mode 100644
index 0000000000..b7e1600c84
--- /dev/null
+++ b/docs/auditor/10.8/addon/nasuni/parameters.md
@@ -0,0 +1,30 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 20
+---
+
+# Define Parameters
+
+The configuration wizard opens in the default web browser:
+
+
+
+Click **Proceed** and complete the following fields:
+
+| Option | Description |
+| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Specify General Settings | |
+| Listed UDP port | Specify UDP port for listening incoming events. (**514** by default). |
+| Auditor Endpoint | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hostingAuditor Server and uses default port _9699_. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15_, _EnterpriseNAServer_, _WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.ent erprise.local:9999_). Do not modify the endpoint part (_/ netwrix/ api_ ) |
+| Certificate Thumbprint | Netwrix Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check Auditor certificate via Windows Certificate Store. - `AB:BB:CC`—Check Auditor Server certificate thumbprint identifier. - `NOCHECK`—Do not check Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
+| Specify Active Directory credentials | |
+| Username | Provide the name of the account under which the service runs. Unless specified, the service runs under the account currently logged on. |
+| Password | Provide the password for the selected account. |
+| Auditor Monitoring Plan settings | |
+| Auditor Plan | Unless specified, data is written to **Netwrix_Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add- on, make sure a dedicated plan is created in Auditor, the Netwrix **API** data source is added to the plan and enabled for monitoring. Otherwise, the add- on will not be able to write data to the Audit Database. |
+| Auditor Plan Item | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item inAuditor in advance. |
+| Accept List | |
+| Address | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. |
+
+Click **Run** to start collecting data with the Add-On.
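Review bot: In the Certificate Thumbprint row, the only guidance is to select `NOCHECK` when servers are specified by IP, which turns off the Auditor certificate check for exactly the remote-host case. Please say whether a thumbprint value can be used instead in that case, and replace the sample `AB:BB:CC` with a clearly marked placeholder. The Auditor Endpoint row has conversion damage that breaks copy-paste: "hostingAuditor", "_WKS.ent erprise.local:9999_" and "(_/ netwrix/ api_ )". The same goes for "inAuditor" and "add- on" in the plan rows. "Listed UDP port" looks like it should read "Listen UDP port", and the empty lines after "The configuration wizard opens in the default web browser:" suggest a missing screenshot.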
diff --git a/docs/auditor/10.8/addon/nutanixahv/_category_.json b/docs/auditor/10.8/addon/nutanixahv/_category_.json
new file mode 100644
index 0000000000..6580032494
--- /dev/null
+++ b/docs/auditor/10.8/addon/nutanixahv/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Nutanix AHV",
+ "position": 150,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/nutanixahv/collecteddata.md b/docs/auditor/10.8/addon/nutanixahv/collecteddata.md
new file mode 100644
index 0000000000..e3bb323de3
--- /dev/null
+++ b/docs/auditor/10.8/addon/nutanixahv/collecteddata.md
@@ -0,0 +1,33 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 30
+---
+
+# Work with Collected Data
+
+To leverage data collected with the add-on, you can do the following in Auditor:
+
+- Search for required data. For that, start Auditor client and navigate to **Search**. After
+ specifying the criteria you need, click **Search**. You will get a list of activity records with
+ detailed information on who did what in the reported time period.
+
+You might want to apply a filter to narrow down your search results to the Netwrix**API** data
+source only.
+
+
+
+- Also, you can click **Tools** in the upper-right corner and select the command you need. For
+ example:
+ - If you want to periodically receive the report on the results of search with the specified
+ criteria, click **Subscribe**. Then specify how you want the report to be delivered – as an
+ email or as a file stored to the file share.
+ - To create an alert on the specific occurrences, click **Create alert**.
+ - To export filtered data to PDF or CSV, click **Export data**.
+- You can also configure and receive alerts on the events you are interested in.
+
+See the following topics for additional information:
+
+- [Alerts](/docs/auditor/10.8/admin/alertsettings/overview.md)
+- [View and Search Collected Data](/docs/auditor/10.8/admin/search/overview.md)
+- [Subscriptions](/docs/auditor/10.8/admin/subscriptions/overview.md)
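Review bot: The unindented paragraph "You might want to apply a filter..." sits between the first bullet and the "Also, you can click **Tools**" bullet, so the list is split in two; indent it under the first bullet. In that paragraph "Netwrix**API**" is missing a space, and the empty lines after it suggest a dropped image. The final bullet about configuring and receiving alerts repeats the **Create alert** sub-item and can be merged with it.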
diff --git a/docs/auditor/10.8/addon/nutanixahv/deployment.md b/docs/auditor/10.8/addon/nutanixahv/deployment.md
new file mode 100644
index 0000000000..35cd85480c
--- /dev/null
+++ b/docs/auditor/10.8/addon/nutanixahv/deployment.md
@@ -0,0 +1,49 @@
+---
+title: "Deployment Scenarios"
+description: "Deployment Scenarios"
+sidebar_position: 20
+---
+
+# Deployment Scenarios
+
+The Add-On can run on any computer in your environment, except for the machine where your Nutanix
+Prism Central/Element runs. Depending on the deployment scenario you choose, you will need to define
+a different set of parameters
+
+Possible deployment options are as follows:
+
+1. Add-on running on the same machine as Auditor Server.
+2. Add-on running on the remote machine.
+
+## Example 1
+
+- The add-on runs on the Auditor Server.
+- Configuration parameters to specify in **settings.xml** (sample values):
+
+````
+https://172.28.6.19:9699/netwrix/api/v1/activity_records```
+
+``````
+
+``````
+
+Configuration parameters __NetwrixAuditorUserName__ and __NetwrixAuditorPassword__ are not required.
+
+You will be prompted for the corresponding set of credentials (user name and password) when you run the __install.ps1__ script. For that, use the Netwrix Auditor __Add-on for Nutanix AHV Configurator__ tool (see steps 4 and 5 of the [Deploy the Add-On](/docs/auditor/10.8/addon/nutanixahv/install.md)). Credentials for connection to Nutanix Prism server will be then encrypted and stored in the solution configuration. Consider that user account should have the __User Admin__ role in Nutanix Prism.
+
+## Example 2
+
+- The add-on runs on the Auditor Server with the explicitly specified user credentials, or on the remote machine.
+- Configuration parameters to specify in __settings.xml__ (sample values):
+
+ ```
+ https://172.28.6.19:9699/netwrix/api/v1/activity_records```
+
+ ```SecurityOfficer```
+ ``````
+
+ ```NetwrixUser```
+ ``````
+
+Netwrix recommends to create a special user account with permissions to access Auditor and Nutanix server.
+````
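Review bot: The sample settings.xml values in both examples have lost their XML element names, and the fences are unbalanced: the four-backtick fence opened under Example 1 is closed only by the last line of the file, so "## Example 2" and the credential guidance render as literal code. A reader sees the endpoint URL, `SecurityOfficer` and `NetwrixUser` with no indication of which parameter each belongs to, plus several empty code spans. Restore the full XML snippets inside one balanced fence per example, and change the `__NetwrixAuditorUserName__` style emphasis back to `**...**` once that text is outside the fence. The sentence ending "a different set of parameters" is missing its period.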
diff --git a/docs/auditor/10.8/addon/nutanixahv/install.md b/docs/auditor/10.8/addon/nutanixahv/install.md
new file mode 100644
index 0000000000..acb8bff2a1
--- /dev/null
+++ b/docs/auditor/10.8/addon/nutanixahv/install.md
@@ -0,0 +1,203 @@
+---
+title: "Deploy the Add-On"
+description: "Deploy the Add-On"
+sidebar_position: 10
+---
+
+# Deploy the Add-On
+
+Follow the steps to deploy the Add-On:
+
+**Step 1 –** Prepare Auditorfor data processing.
+
+**Step 2 –** Configure message forwarding for Nutanix Prism.
+
+**Step 3 –** Download the Add-On.
+
+**Step 4 –** Configure Add-On parameters.
+
+**Step 5 –** Connect to Prism Central Server.
+
+**Step 6 –** Register the Add-On
+
+## Prepare Auditor for Data Processing
+
+In Auditor client, go to the Integrations section and verify Integration API settings:
+
+1. Make sure the **Leverage Integration API** is switched to **ON**.
+2. Check the TCP communication port number – default is **9699**.
+
+See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) topic for additional information.
+
+By default, activity records are written to _Netwrix_Auditor_API_ database which is not associated
+with a specific monitoring plan.
+
+Optionally, you can create a dedicated monitoring plan in Auditor. In this case, data will be
+written to a database linked to this plan. Target it at Netwrix API data source and enable for
+monitoring. Add a dedicated item of _Integration_ type to the plan for data to be filtered by item
+name. See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information.
+
+In such scenario, you will need to specify this monitoring plan in the _MonitoringPlan_ and
+_MonitoringPlanItem_ attributes in the add-on configuration parameters. See **Step 4** below for
+details.
+
+## Configure Message Forwarding for Nutanix Prism
+
+To provide for interaction and data flow between Nutanix Prism and the Add-On, you should set up the
+add-on installation server as a remote Syslog listener for Nutanix Prism. For that remote Syslog
+server, you will need to specify the IP address and port for inbound messages. Depending on Nutanix
+Prism server you are using (Element/Central), follow the related procedure below.
+
+### Procedure for Nutanix Prism Element
+
+Follow the steps If you are using Nutanix Prism Element.
+
+**Step 1 –** Connect to a Controller VM (or Nutanix Prism) by SSH or via web console and execute the
+`ncli` command.
+
+**Step 2 –** Find the IP address of the Controller VM in Nutanix web console under **Settings** >
+**General** > **Configure CVM**.
+
+### Procedure for Nutanix Command-Line Interface
+
+Alternatively, you can download and install the _ncli_ (Nutanix command-line interface) on any
+server in your infrastructure, as described in the
+[Nutanix Command-Line Interface (nCLI)](https://portal.nutanix.com/page/documents/details?targetId=Command-Ref-AOS-v55:man-ncli-c.html)
+article, and connect to a Controller VM in your cluster.
+
+Follow the steps if you are using Nutanix command-line interface.
+
+**Step 1 –** Disable it temporarily until you configure a new remote Syslog listener. By default,
+the remote Syslog listening server is enabled. For that, run the following command in ncli:
+
+`ncli> rsyslog-config set-status enable=false`
+
+**Step 2 –** Create a remote Syslog server — a remote server that will operate as a Syslog listener,
+receiving the Syslog messages from Nutanix server. In the integration solution deployment, it will
+be the add-on installation server. Run the following command in _nlci_:
+
+`ncli> rsyslog-config add-server name= ip-address= port= network-protocol=udp`
+
+here:
+
+- `CustomServerName` — remote server that will receive the syslog messages (i.e., server on which
+ the add-on will be deployed)
+- `RemoteIP` — remote server IP address
+- `Port` — Destination port number on the remote server
+
+**Step 3 –** To ensure the server was created successfully, review the list of servers. For that,
+run the following command:
+
+`ncli> rsyslog-config ls-servers`
+
+The server will be added to the cluster automatically.
+
+**Step 4 –** Instruct the AUDIT module of Nutanix solution to forward its log information to the new
+remote syslog listener, and specify the logging level. For that, run the following command:
+
+`ncli> rsyslog-config add-module server-name= module-name=AUDIT include-monitor-logs=false level=notice`
+
+**Step 5 –** Finally, enable syslog forwarding to remote server:
+` ncli> rsyslog-config set-status enable=true`
+
+This syslog server will be added to the cluster automatically.
+
+### Procedure for Nutanix Prism Central
+
+First, provide the new remote Syslog server settings to Nutanix Prism server that will forward
+Syslog messages. For that, follow the steps below:
+
+**Step 1 –** Log in to Nutanix Prism Central.
+
+**Step 2 –** Select **Settings** > **Email and Alerts** > **Syslog Server**.
+
+**Step 3 –** Click **Configure Syslog Server**.
+
+**Step 4 –** Enter remote Syslog server settings you specified at Step 2:
+
+- **Server Name** — name of the remote server.
+- **IP Address** — server IP address.
+- **Port**— port for incoming messages
+
+**Step 5 –** Select **UDP** as communication protocol.
+
+**Step 6 –** Click **Configure**.
+
+Next, for the most detailed logs to be sent to remote Syslog server, set the logging level in Prism
+to _5_ (_Notice_). For that, follow the steps below:
+
+**Step 1 –** Select **Data Source** and click **Edit**.
+
+**Step 2 –** Select **Audit** module and select **5 - Notice** level.
+
+**Step 3 –** Finally, click **Save**.
+
+## Download the Add-On
+
+Download the distribution package from the Netwrix website and unpack it to a folder on the computer
+where you plan to deploy the add-on.
+
+Customers who are logged in to the Netwrix Customer Portal can download the latest version of their
+software products from the My Products page:
+[https://www.netwrix.com/my_products.html](https://www.netwrix.com/my_products.html). See the
+[Customer Portal Access](https://helpcenter.netwrix.com/bundle/NetwrixCustomerPortalAccess/page/Customer_Portal_Access.html)
+topic for information on how to register for a Customer Portal account.
+
+Partners and MSPs who are logged into the Netwrix Partner Portal can download the latest version of
+their software products from the My Product page:
+[https://www.netwrix.com/par/site/products](https://www.netwrix.com/my_products.html). To receive an
+invitation to the Partner Portal, please contact
+[netwrix.msp@netwrix.com](http://netwrix.msp@netwrix.com/).
+
+## Configure Add-On Parameters
+
+Open the add-on folder and edit the **settings.xml** file to configure the add-on parameters:
+
+| Parameter | Default value | Description |
+| ------------------------- | -------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| NetwrixAuditorIntegration | | |
+| NetwrixAuditorEndpoint | https://localhost: 9699/netwrix/api/ v1/activity_records | Auditor server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hosting Auditor Server and uses default port **9699**. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15, EnterpriseNAServer, WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.enterprise.local:9999_). Do not modify the endpoint part (/netwrix/api . . . . ) |
+| CertificateThumbprint | NOCHECK | Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check Netwrix Auditor certificate via Windows Certificate Store. - `AB:BB:CC.`—Check Netwrix Auditor Server certificate thumbprint identifier. - `NOCHECK`—Do not check Netwrix Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
+| DateTimeFormat | yyyy-MM-ddTHH:mm:ssZ | Auditor time format. By default, set to zero offset. |
+| MonitoringPlan | — | Unless specified, data is written to Netwrix_Auditor_API database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add-on, make sure a dedicated plan is created in Auditor, the Netwrix API data source is added to the plan and enabled for monitoring. Otherwise, the add-on will not be able to write data to the Audit Database. |
+| MonitoringPlanItem | — | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item in Auditor in advance. |
+| UserName | Current user credentials | Credentials to access Auditor server. Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor server, specify the account name in the _DOMAIN\username_ format. |
+| Password | Current user credentials | Unless specified, the service runs with the current user credentials. Provide a different password if necessary. |
+| ARsNumberAtTime | | Maximum number of Audit Records that can be sent to Auditor at a time. |
+| ARsSendingPeriodicity | | Periodic time interval for sending Activity Records (in seconds). |
+| PauseWhenSendingFailed | | Pause after a failed attempt to send Activity Records (in seconds). |
+| **DataCollection** | | |
+| ListenUDPPort | 514 | UDP port for receiving incoming Syslog messages. Make sure that this port is not used by any other add-ons or applications (for example, Netwrix Auditor for Network Devices); otherwise specify another port here. |
+| StateUpdatingPeriodicity | | Periodic time interval for updating state of clusters (in seconds). |
+| EventsReadingPeriodicity | | Periodic time interval for reading events (in seconds). Target endpoint: _/api/nutanix/v2.0/events_ |
+| PageLength | | The number of objects loaded with one request. |
+| ShortTermFolder | | Short term folder for collected data (full or local path). |
+
+If you modify parameters in the **settings.xml** file, remember to save the changes and then restart
+the **Netwrix Auditor Add-on for Nutanix AHV** service for them to take effect.
+
+If you need to change user name or password for accessing Prism Central, you should run
+Netwrix.IntegrationConfiguration.exe file that will prompt you for the new credentials (see step 5
+below). Then restart the Netwrix Auditor Add-on for Nutanix AHV service for the changes to take
+effect.
+
+## Connect to Prism Central Server
+
+Run the Netwrix.IntegrationConfiguration.exe file and specify the following:
+
+- Prism IP address – IP address of Prism Cental server.
+- User name – Specify a user name to connect to Prism Central server.
+- Password – Specify password fof the account used to connect to Prism Central server.
+
+These parameters will be configured automatically by **install.ps1** script. If you need to modify
+it later, use this configurator from the add-on package.
+
+Credentials for connection to Nutanix Prism server will be then encrypted and stored in the solution
+configuration. Consider that user account should have the **User Admin** role in Nutanix Prism.
+
+## Register the Add-On
+
+Run the **install.ps1** PowerShell script to register the add-on service. You will be also prompted
+to specify credentials for accessing Nutanix Prism Central. These credentials will be encrypted and
+used for secure communication. If you need to modify them later, run the
+Netwrix.IntegrationConfiguration.exe file from the add-on package.
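Review bot: The nCLI commands in Steps 2 and 4 have lost their placeholder values (`rsyslog-config add-server name= ip-address= port= network-protocol=udp` and `add-module server-name= module-name=AUDIT ...`), while the legend below still explains `CustomServerName`, `RemoteIP` and `Port`; put the placeholders back so the commands can be followed. In the parameter table, `CertificateThumbprint` defaults to `NOCHECK` ("Do not check Netwrix Auditor certificate"), and the `UserName` and `Password` rows place Auditor credentials in settings.xml. The page says the Prism credentials are encrypted but says nothing about these, so state how they are stored and recommend the thumbprint or certificate-store check for remote deployments. Smaller fixes:

- The typos "Auditorfor", "_nlci_", "Cental" and "fof".
- The spaces inside the default endpoint "https://localhost: 9699/netwrix/api/ v1/activity_records".
- The Partner Portal link, whose text and target differ.
- The e-mail link, which uses an http:// URL rather than mailto:.
- Step 1 of the nCLI procedure, which opens with "Disable it temporarily" before saying what "it" is.
- "you specified at Step 2" in the Prism Central procedure, which does not say which procedure's Step 2 is meant.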
diff --git a/docs/auditor/10.8/addon/nutanixahv/monitoredevents.md b/docs/auditor/10.8/addon/nutanixahv/monitoredevents.md
new file mode 100644
index 0000000000..2e2795a5d3
--- /dev/null
+++ b/docs/auditor/10.8/addon/nutanixahv/monitoredevents.md
@@ -0,0 +1,34 @@
+---
+title: "Monitoring Scope"
+description: "Monitoring Scope"
+sidebar_position: 40
+---
+
+# Monitoring Scope
+
+Review a full list of object types and activities monitored on Nutanix Prism with the add-on.
+
+| Object | Action | Property |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------ | -------------------------------------------------------------------------------------------------------------------------------- |
+| Virtual Machine1 | Create/Delete Clone Migrate Rename State change (Power off/on, Pause etc.) Restore from snapshot Hardware Configuration change | Name MAC Address VLAN Name Connection State Number Of Processors Cores Per Processor Memory Size (MiB) Disk Size (Bytes) Host IP |
+| Host (Node) 2 | Add3/Remove4 | IP5 |
+| Host Cluster | - | - |
+| VM Network (Subnet) | - | - |
+| Local User2 | • Create/Delete • Properties change6 • Roles change6 • Log in/out • Password Change | • Username • First Name6 • Last Name6 • Email6 • Language6 • Roles6 |
+| Authentication Configuration2 | • Authentication type change | • Authentication Types |
+
+1 — Syslog
+
+2 — Events (API v2.0)
+
+3 — User not applicable
+
+4 — Host remove event consist of 2 events (see Appendix B):
+
+- Host marked for removal: this event has a “Who”
+- Host deleted: this event occurs when the host deletion task completes.
+
+5 — The host add event contains the IP address of the host Controller VM, and not the host IP
+address.
+
+6 — UI API.
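Review bot: The footnote markers in the table are fused into the cell text ("Virtual Machine1", "Host (Node) 2", "Add3/Remove4", "IP5", "Roles change6"), so they read as part of the object and action names; render them as superscripts or bracketed markers. Footnote 4 points to "Appendix B", which is not in this file and carries no link. The Virtual Machine row runs its actions and properties together with no separators while the Local User row uses "•"; use one list style in both rows, and change "consist of" to "consists of" in footnote 4.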
diff --git a/docs/auditor/10.8/addon/nutanixahv/overview.md b/docs/auditor/10.8/addon/nutanixahv/overview.md
new file mode 100644
index 0000000000..ba9ed2bf68
--- /dev/null
+++ b/docs/auditor/10.8/addon/nutanixahv/overview.md
@@ -0,0 +1,139 @@
+---
+title: "Nutanix AHV"
+description: "Nutanix AHV"
+sidebar_position: 150
+---
+
+# Nutanix AHV
+
+Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables
+control over changes, configurations and access in hybrid IT environments to protect data regardless
+of its location. The platform provides security analytics to detect anomalies in user behavior and
+investigate threat patterns before a data breach occurs.
+
+Nutanix AHV is a virtualization platform within the Nutanix Enterprise Cloud architecture. It
+provides facilities for VM deployment, operation and centralized management. Nutanix AHV is a fully
+integrated component of the Nutanix Enterprise Cloud.
+
+Virtualization teams, Managed Service Providers and other IT professionals need to detect who does
+what in the Nutanix Hyperconverged infrastructure. For that, a unified audit trail is required,
+supporting detailed Nutanix monitoring and effective response to changes.
+
+For that purpose, you can use a specially designed add-on that supports audit for Nutanix AHV and
+Nutanix Prism/Element. The add-on works in collaboration with Auditor, supplying data about
+operations on your Nutanix AHV to Netwrix database. Aggregating data into a single audit trail
+simplifies analysis, makes activity monitoring more cost-effective, and helps you keep tabs on your
+IT infrastructure.
+
+Major benefits:
+
+- Gain a high-level view of the data you store
+- Detect unauthorized activity that might threaten your data
+
+## How it works
+
+The add-on is implemented as a Syslog service that collects activity data from Nutanix
+infrastructure and sends it to Netwrix Auditor using the Integration API.
+
+
+
+On a high level, the solution works as follows:
+
+1. An IT administrator configures the Integration API settings to enable data collection and storage
+ to Netwrix database for further reporting, search, etc.
+
+ It is recommended to create a dedicated monitoring plan in Netwrix Auditor and add a dedicated
+ item of **Integration** type to it — then you will be able to filter data in reports and search
+ results by monitoring plan/item name.
+
+2. On Nutanix side, the IT administrator prepares a dedicated user account for accessing Nutanix
+ Prism Central/Element and configures Syslog server (IP, port, etc.).
+3. The administrator opens the Settings.xml configuration file and specifies the necessary
+ parameters for add-on operation, Netwrix Auditor settings, etc. The add-on will operate as a
+ Syslog listener for Nutanix server.
+4. The administrator runs the Netwrix.IntegrationConfiguration.exe file and provides credentials to
+ connect to Prism Central server.
+5. The administrator selects the deployment scenario and runs the **install.ps1** PowerShell script
+ file to deploy and configure the add-on components on the target server.
+6. In particular, the script deploys and starts **Netwrix Auditor Add-on for Nutanix AHV** Windows
+ Service— this is the main add-on component, responsible for audit data collection and forwarding.
+7. The add-on starts collecting and forwarding activity data from Nutanix Prism server: it listens
+ to the specified UDP port and captures designated Syslog event messages and also collects
+ activity data using Nutanix REST API.
+
+Syslog event data communication is performed using UDP version of Syslog protocol. See the
+[Monitoring Scope](/docs/auditor/10.8/addon/nutanixahv/monitoredevents.md) topic for additional information on the default list of
+events supported out-of-the box.
+
+8. The add-on processes the incoming Syslog messages and activity data collected using Nutanix REST
+ API into NAuditor -compatible format (Activity Records). Each Activity Record contains the
+ Who-What-When-Where-Action information (that is, initiator's account, time, action, and other
+ details).
+9. Using the Integration API, the add-on sends the activity records to Auditor Server that writes
+ them to the Audit Database and Long-Term Archive. Data is sent periodically, by default every
+ second.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the Activity
+Record structure and capabilities of the Integration API.
+
+10. Users open Auditor Client to work with collected data:
+ - Search for file changes using certain criteria
+ - Export data to PDF or CSV files
+ - Save search results as reports
+ - Subscribe to search results
+ - Configure and receive alerts
+
+## Add-on Delivery Package
+
+The add-on delivery package is a ZIP archive that includes the following files:
+
+| File name | Description |
+| -------------------------------------- | ------------------------------------------------------------------------------ |
+| Install.ps1 | PowerShell script that creates windows service to execute add-on. |
+| Settings.xml | Contains parameters for the add-on service operation. |
+| Netwrix.IntegrationConfiguration.exe | Add-on component responsible for accessing Prism Central server. |
+| Netwrix.Nutanix.IntegrationService.exe | Main add-on component, responsible for audit data collection from Nutanix AHV. |
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| Where | Prerequisite to check |
+| ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Auditor Server side | - Auditor version 9.9 or later. - Netwrix Integration API and Audit Database settings are configured properly in Netwrix Auditor. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The **TCP 9699** port must be open on Windows firewall for inbound connections. - User account under which data will be written to the Audit Database requires the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant it the **Global administrator** role, or add that account to the **Netwrix Auditor Administrators** group. |
+| The machine where the add-on will be installed | - Any of the following Windows OS versions: - Windows Server 2012 R2 (or later) - Windows 8.1 (or later) - The **UDP** port must be open on Windows firewall for inbound connections. - .NET Framework versions 4.5 or later |
+| Nutanix Prism server | Nutanix AOS 5.11, 5.15, or 5.20 |
+
+### Accounts and rights
+
+It is recommended to create a dedicated account for running **install.ps1** and **Netwrix Auditor
+Add-on for Nutanix AHV** (main service of the solution). The service will connect to Auditor Server
+using this account, so at least the **Contributor** role in Auditor is required for it. See the
+[Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional
+information.
+
+This service account requires the **User Admin** role in Nutanix Prism. You will be prompted for the
+corresponding set of credentials when you run the **install.ps1** script (see Steps 4 and 5 of the
+[Deploy the Add-On](/docs/auditor/10.8/addon/nutanixahv/install.md)). User name and password for connection to Nutanix Prism server will
+be then encrypted and stored in the solution configuration.
+
+### Considerations and limitations
+
+- By default, the add-on is targeted at a single Nutanix Prism Central/Element server.
+- Netwrix add-on must be deployed in the same subnet as Nutanix Prism Central/Element server.
+- Please be aware that monitoring of actions performed on the add-on installation server is not
+ supported.
+
+### Upgrade Path
+
+To upgrade from versions released earlier than August 2020, do the following:
+
+1. Stop and remove the **Netwrix Auditor Add-on for Nutanix AHV** service.
+2. Download and unpack the new add-on package to the same location as the earlier version.
+3. Run the **install.ps1** PowerShell script file from the new add-on version on the target server.
+
+## Compatibility notice
+
+The add-on is compatible with Nutanix AOS 5.15 and Nutanix AOS 5.20, and with Auditor 10.0 and
+later.
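Review bot: The Compatibility notice at the end of this file contradicts the prerequisites table above it: the table lists "Auditor version 9.9 or later" and "Nutanix AOS 5.11, 5.15, or 5.20", while the notice says AOS 5.15 and 5.20 with Auditor 10.0 and later. Pick one set of versions and use it in both places. The add-on machine row also says "The **UDP** port must be open" without naming a port, so a firewall rule cannot be written from this page; state the number or name the setting that defines it. Heading levels are mixed as well ("### Upgrade Path" followed by "## Compatibility notice").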
diff --git a/docs/auditor/10.8/addon/nutanixahv/troubleshooting.md b/docs/auditor/10.8/addon/nutanixahv/troubleshooting.md
new file mode 100644
index 0000000000..2f539f51c8
--- /dev/null
+++ b/docs/auditor/10.8/addon/nutanixahv/troubleshooting.md
@@ -0,0 +1,36 @@
+---
+title: "Maintenance and Troubleshooting"
+description: "Maintenance and Troubleshooting"
+sidebar_position: 50
+---
+
+# Maintenance and Troubleshooting
+
+If you cannot see collected data in Auditor, check the following:
+
+- Service account has sufficient rights to access Auditor.
+- In Auditor settings, go to the **Integrations** section and make sure the **Leverage Integration
+ API** is switched to **ON**. Check the communication port number – default is **9699**.
+- If you configured a dedicated monitoring plan, make sure data source monitoring is enabled.
+- Verify the parameters you provided in **settings.xml**.
+
+Also, remember that events from the remote Syslog server (add-on installation server) are not
+collected.
+
+Currently, the add-on supports only one Prism installation (Central or Element). To monitor more
+than one Prism Central/Element, you can copy the add-on to another folder, configure
+**settings.xml** as described in this document and modify **install.ps1** to rename the service:
+
+**Step 1 –** Deploy one more add-on instance to the server where the first add-on instance is
+already installed. Be sure to use a different installation folder.
+
+**Step 2 –** Open **settings.xml** and configure the new add-on instance to work with the second
+Prism server.
+
+**Step 3 –** Open **install.ps1** for the new add-on for edit.
+
+**Step 4 –** Modify the default service name:
+
+`$name = "enter_new_name"`
+
+**Step 5 –** Save and then launch the updated **install.ps1** file.
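Review bot: In the multi-instance procedure, Step 2 only says to point the new instance's **settings.xml** at the second Prism server. Both instances run on the same server and the add-on needs an inbound UDP port, so say whether the second instance must be given its own listening port and where that is set. Step 4 shows `$name = "enter_new_name"` without stating that the name must differ from the service already installed. The sentence before Step 1 repeats the steps that follow and can be cut down to a short lead-in.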
diff --git a/docs/auditor/10.8/addon/okta/_category_.json b/docs/auditor/10.8/addon/okta/_category_.json
new file mode 100644
index 0000000000..2afb7db6d8
--- /dev/null
+++ b/docs/auditor/10.8/addon/okta/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Okta",
+ "position": 160,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/okta/collecteddata.md b/docs/auditor/10.8/addon/okta/collecteddata.md
new file mode 100644
index 0000000000..b1a1a285ae
--- /dev/null
+++ b/docs/auditor/10.8/addon/okta/collecteddata.md
@@ -0,0 +1,32 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 20
+---
+
+# Work with Collected Data
+
+To leverage data collected with the add-on, you can do the following in Auditor:
+
+- Search for required data. For that, start Auditor client and navigate to **Search**. After
+ specifying the criteria you need, click **Search**. You will get a list of activity records with
+ detailed information on who did what in the reported time period.
+
+You can apply a filter to narrow down your search results to the Netwrix **API** data source only.
+
+
+
+- Also, you can click **Tools** in the upper-right corner and select the command you need. For
+ example:
+ - If you want to periodically receive the report on the results of search with the specified
+ criteria, click **Subscribe**. Then specify how you want the report to be delivered – as an
+ email or as a file stored to the file share.
+ - To create an alert on the specific occurrences, click **Create alert**.
+ - To export filtered data to PDF or CSV, click **Export data**.
+- You can also configure and receive alerts on the events you are interested in.
+
+See the following topics for additional information:
+
+- [Alerts](/docs/auditor/10.8/admin/alertsettings/overview.md)
+- [View and Search Collected Data](/docs/auditor/10.8/admin/search/overview.md)
+- [Subscriptions](/docs/auditor/10.8/admin/subscriptions/overview.md)
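Review bot: The sentence "You can apply a filter to narrow down your search results to the Netwrix **API** data source only." sits unindented between two list items and is followed by empty lines, which splits the bullet list in two and suggests a screenshot reference was dropped. Indent the sentence under the first bullet and either restore the image or remove the gap. The last bullet ("You can also configure and receive alerts...") repeats the **Create alert** sub-item above it and can be merged with it.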
diff --git a/docs/auditor/10.8/addon/okta/deployment.md b/docs/auditor/10.8/addon/okta/deployment.md
new file mode 100644
index 0000000000..d42d6f09b9
--- /dev/null
+++ b/docs/auditor/10.8/addon/okta/deployment.md
@@ -0,0 +1,23 @@
+---
+title: "Deploy the Add-On"
+description: "Deploy the Add-On"
+sidebar_position: 10
+---
+
+# Deploy the Add-On
+
+Follow the steps to deploy the Add-On.
+
+**Step 1 –** Download the distribution package **Netwrix_Auditor_Add-on_for_Okta.zip**.
+
+**Step 2 –** Unpack it to a folder on the computer where you plan to deploy the add-on.
+
+_Remember,_ deploying the add-on on the same machine with the Auditor Server.
+
+**Step 3 –** Run the **NetwrixOktaAddon.exe** and follow the installation steps:
+
+| Option | Description |
+| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Okta Connection Settings | Specify server address in the '_https://example.okta.com/_' format and SSWS token. |
+| Netwrix Connection Settings | Specify settings to connect to Auditor: - Server address – provide the address of the Auditor Server host. - Username – Provide the name of the account used to connect to Auditor. - Password – Provide password for this account. |
+| Summary | Review the Add-On settings. |
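Review bot: The line "_Remember,_ deploying the add-on on the same machine with the Auditor Server." is not a complete sentence and does not say whether co-locating the add-on with Auditor Server is required, recommended or discouraged. The Okta overview in this change covers both same-server and different-machine setups, so state the intent explicitly. In the options table, the Okta row asks for an SSWS token and the Netwrix row for a password, but nothing says which Okta permissions the token needs or how the installer stores these secrets; add a sentence or a link for each.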
diff --git a/docs/auditor/10.8/addon/okta/overview.md b/docs/auditor/10.8/addon/okta/overview.md
new file mode 100644
index 0000000000..a2ff9d2676
--- /dev/null
+++ b/docs/auditor/10.8/addon/okta/overview.md
@@ -0,0 +1,56 @@
+---
+title: "Okta"
+description: "Okta"
+sidebar_position: 160
+---
+
+# Okta
+
+The add-on works in collaboration with Netwrix Auditor, supplying data about activity on your
+Okta-based devices. Aggregating data into a single audit trail simplifies analysis, makes activity
+monitoring more cost effective, and helps you keep tabs on your IT infrastructure.
+
+Implemented as a service, this add-on facilitates the data transition from Okta-based systems to
+Netwrix Auditor. All you have to do is provide connect ion details and specify parsing rules.
+
+On a high level, the add-on works as follows:
+
+1. The add-on listens to the specified UDP ports and captures designated Syslog messages.
+2. The add-on processes these events into Netwrix Auditor-compatible format (Activity Records). Each
+ Activity Record contains the user account, action, time, and other details.
+3. Using the Integration API, the add-on sends the activity records to the Netwrix Auditor Server,
+ which writes them to the Long-Term Archive and the Audit Database.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the NIntegration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor Server side | - .NET Framework [4.5](https://www.microsoft.com/en-us/download/details.aspx?id=30653) or later is installed. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. |
+
+### Accounts and Rights
+
+By default, the add-on will run under the _Local System_ account. So, if the add-on and Auditor will
+be running on different machines, the corresponding computer account will require at least the
+**Contributor** role in Auditor. See the
+[Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional
+information.
+
+In case the add-on and Auditor are installed on the same server, no special settings are needed.
+
+### Considerations and Limitations
+
+- The Add-On must be deployed in the same subnet as Okta and Auditor.
+- If the monitoring plan name in the _``_ add-on configuration parameter is
+ specified incorrectly, this may lead to temp files generation and, therefore, to inefficient disk
+ space usage.
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
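Review bot: The "On a high level" list says the add-on listens on UDP ports and captures Syslog messages, but the deployment page for this add-on configures an Okta URL and an SSWS token, and the prerequisites table here lists no UDP port. The list reads as if copied from a Syslog-based add-on and should describe how Okta data is actually retrieved. The same concern applies to "Okta-based devices" and "specify parsing rules" in the introduction, and to the requirement that the add-on sit in the same subnet as Okta. In Considerations and Limitations the parameter name is empty (the text reads "in the _``_ add-on configuration parameter"), so the reader cannot tell which setting holds the monitoring plan name. Typos to fix: "connect ion", "NIntegration API".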
diff --git a/docs/auditor/10.8/addon/overview.md b/docs/auditor/10.8/addon/overview.md
new file mode 100644
index 0000000000..8f3b2033a5
--- /dev/null
+++ b/docs/auditor/10.8/addon/overview.md
@@ -0,0 +1,81 @@
+---
+title: "Add-Ons"
+description: "Add-Ons"
+sidebar_position: 80
+---
+
+# Add-Ons
+
+The [Netwrix Auditor Add-on Store](https://www.netwrix.com/netwrix_addons.html) contains free
+add-ons developed by Netwrix and your peers in the community. The add-ons help you leverage
+integration between your on-premises or cloud applications and Netwrix Auditor.
+
+The list of available add-ons keeps growing because with the new RESTful API, the integration
+capabilities of Netwrix Auditor are unlimited. Netwrix encourages users to develop add-ons, upload
+them to Netwrix website, and share with community.
+
+Benefits:
+
+- Centralize auditing and reporting of your IT environment — Netwrix unifies auditing of all IT
+ systems across your on-premises, cloud or hybrid environment, and enables centralized reporting
+ for security and compliance.
+- Get the most from your SIEM investment — To maximize SIEM value, Netwrix increases the
+ signal-to-noise ratio and feeds your HP ArcSight, Splunk, IBM QRadar or any other SIEM solution
+ with much more granular audit data.
+- Automate your IT workflows — Automate and improve your change management, service desk and other
+ critical IT workflows by feeding them audit data from Netwrix.
+
+Review the following for additional information:
+
+- Available Add-Ons
+- Use Add-Ons
+
+## Available Add-Ons
+
+The following add-ons were verified and posted in Add-ons Store. You can get add-ons within the
+product. To do so, navigate to **Settings > Integrations** and click **Go to add-on store** button.
+The following menu will appear:
+
+
+
+Netwrix Auditor Integration API uses HTTPS with an automatically generated certificate for running
+requests to its endpoints. By default, add-ons are configured to accept all certificates that is
+appropriate for evaluation purposes and allows running the script without adjusting.
+
+Refer to [Security](/docs/auditor/10.8/api/security.md) for detailed instructions on how to assign a new certificate
+and enable trust on remote computers.
+
+## Use Add-Ons
+
+Before your start working with the add-on, go through its quick-start guide at
+[Netwrix Documentation page](https://www.netwrix.com/documentation.html#netwrix-documentation-page).
+Each guide contains detailed instructions for deploying and running the add-on, as well as
+prerequisites and configuration settings. Generic steps are described below.
+
+Follow the steps to use the add-on.
+
+**Step 1 –** Check prerequisites. Since the add-ons work only in combination with Netwrix Auditor,
+make sure that Netwrix Auidtor and its Audit Database are configured, and roles are assigned
+properly.
+
+**Step 2 –** Specify parameters required for add-on operation. Before running or scheduling the
+add-on, you should define configuration details like Netwrix Auditor Server host, user credentials,
+etc.
+
+**Step 3 –** Choose appropriate deployment scenario, then install and start the add-on. For example,
+if the add-on is implemented as a service, you will need to run the installation file that will
+deploy and start that service automatically.
+
+**Step 4 –** If you are using a PowerShell-based add-on, run it from a command line: start Windows
+PowerShell and provide parameters. First, provide a path to your add-on followed by script
+parameters with their values. Each parameter is preceded with a dash; a space separates a parameter
+name from its value. You can skip some parameters—the script uses a default value unless a parameter
+is explicitly defined. If necessary, modify the parameters as required.
+
+**Step 5 –** Review the add-on operation results. For example, if you are using the add-on that
+imports data to Netwrix Auditor, you can search Activity Records in the Netwrix Auditor client.
+
+
+
+**Step 6 –** (optional) For PowerShell based add-ons, you can schedule a daily task to ensure your
+audit data is always up-to-date.
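Review bot: The paragraph under Available Add-Ons states that add-ons accept all certificates by default and calls this appropriate for evaluation, but never says what to do outside evaluation. Add an explicit sentence that production deployments should assign a trusted certificate and enable validation, and fold the link to the Security topic into that sentence so it does not read as optional. "accept all certificates that is appropriate" should read "which is appropriate". Other fixes: "Before your start", "Netwrix Auidtor", the empty gaps after "The following menu will appear:" and after Step 5 where screenshots appear to be missing, and the Available Add-Ons section, which lists no add-ons.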
diff --git a/docs/auditor/10.8/addon/privilegeduserlinux/_category_.json b/docs/auditor/10.8/addon/privilegeduserlinux/_category_.json
new file mode 100644
index 0000000000..7b2baca527
--- /dev/null
+++ b/docs/auditor/10.8/addon/privilegeduserlinux/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Privileged User Monitoring on Linux and Unix Systems",
+ "position": 170,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/privilegeduserlinux/collecteddata.md b/docs/auditor/10.8/addon/privilegeduserlinux/collecteddata.md
new file mode 100644
index 0000000000..6e78bcc77c
--- /dev/null
+++ b/docs/auditor/10.8/addon/privilegeduserlinux/collecteddata.md
@@ -0,0 +1,16 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 30
+---
+
+# Work with Collected Data
+
+Follow the steps to work with collected data:
+
+**Step 1 –** Start the Auditor client and navigate to **Search**.
+
+**Step 2 –** Click **Search**.
+
+**NOTE:** You might want to apply a filter to narrow down your search results to the NetwrixAPI data
+source only.
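Review bot: Step 2 says to click **Search** immediately after opening the Search page, with no step for specifying criteria, unlike the equivalent pages for the other add-ons in this change. The NOTE writes the data source as "NetwrixAPI" while the other pages write "Netwrix **API**"; use the name exactly as it appears in the product.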
diff --git a/docs/auditor/10.8/addon/privilegeduserlinux/install.md b/docs/auditor/10.8/addon/privilegeduserlinux/install.md
new file mode 100644
index 0000000000..217adeb16b
--- /dev/null
+++ b/docs/auditor/10.8/addon/privilegeduserlinux/install.md
@@ -0,0 +1,24 @@
+---
+title: "Install the Add-On"
+description: "Install the Add-On"
+sidebar_position: 10
+---
+
+# Install the Add-On
+
+To install the Add-On, perform the following steps:
+
+**Step 1 –** Navigate to your add-on package.
+
+**Step 2 –** Unzip the Add-On to a desired folder.
+
+**Step 3 –** Run the installation package.
+
+**Step 4 –** Accept the license agreement and follow the instructions of the setup wizard.
+
+**Step 5 –** On the **Destination Folder** step, specify the installation folder (_C:\Program Files
+(x86)\Netwrix Add-ons\_ by default).
+
+**Step 6 –** Click **Install**.
+
+**Step 7 –** When done, click **Finish**.
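Review bot: In Step 5 the default path is written as "_C:\Program Files (x86)\Netwrix Add-ons\_". The trailing backslash escapes the closing underscore, so the italic span does not close, and the path is also wrapped across two lines. Put the path in inline code on a single line. Steps 1 and 3 do not name the package or the installer file, which the Okta deployment page in this change does.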
diff --git a/docs/auditor/10.8/addon/privilegeduserlinux/overview.md b/docs/auditor/10.8/addon/privilegeduserlinux/overview.md
new file mode 100644
index 0000000000..db66bfffc3
--- /dev/null
+++ b/docs/auditor/10.8/addon/privilegeduserlinux/overview.md
@@ -0,0 +1,41 @@
+---
+title: "Privileged User Monitoring on Linux and Unix Systems"
+description: "Privileged User Monitoring on Linux and Unix Systems"
+sidebar_position: 170
+---
+
+# Privileged User Monitoring on Linux and Unix Systems
+
+The add-on works in collaboration with Auditor, supplying data about privileged user activity on
+Linux and Unix. Aggregating data into a single audit trail simplifies analysis, makes activity
+monitoring more cost effective, and helps you keep tabs on privilege elevation on your Linux and
+Unix-based devices. For example, it helps monitor the usage of SUDO as well as remote access with
+openSSH.
+
+On a high level, the add-on works as follows:
+
+1. The add-on listens to the specified UDP ports and captures designated Syslog messages.
+
+ Out of the box, messages from Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise Server 12,
+ openSUSE 42, and Ubuntu 16 are supported. For other distributions, deployment of the rsyslog
+ package may be required. You can edit the add-on configuration to extend the captured message
+ list.
+
+2. The add-on processes these events into Auditor-compatible format (Activity Records). Each
+ Activity Record contains the user account, action, time, and other details.
+3. Using the Integration API, the add-on sends the activity records Auditor Server, which writes
+ them to the Long-Term Archive and the Audit Database.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor Server side | - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP **9699** port (default Integration API port) is open for inbound connections. - The user writing data to the Audit Database is granted the **Contributor** role in Auditor. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the **Global administrator** role or add the user to the **Netwrix Auditor Administrators** group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the service will be installed | - The UDP 514 port is open for inbound connections. - .Net Framework 4.7.2 and above is installed. Review the following Microsoft technical article for additional information on how to install .Net Framework 4.7.2: [Microsoft .NET Framework 4.7.2 offline installer for Windows](https://support.microsoft.com/en-us/topic/microsoft-net-framework-4-7-2-offline-installer-for-windows-05a72734-2127-a15d-50cf-daf56d5faec2). |
+| The target syslog-based platform | The **Syslog daemon** is configured to redirect events. The procedure below explains how to configure redirection: **NOTE:** Red Hat Enterprise Linux 7 and 6, SUSE Linux Enterprise Server 12, openSUSE 42, and Ubuntu 16 are supported out of the box. For other distributions, deployment of rsyslog package may be required. - On Red Hat Enterprise Linux 7: 1. Open the **/etc/rsyslog.conf** file. 2. Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where `name `is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_ SyslogProtocol23Format` 3. Launch the **RHEL console** and execute the following command: `service rsyslog restart`. - On Ubuntu 16: 1. Navigate to the **/etc/rsyslog.d/50-default.conf** file. 2. Add the following line: `auth.*;authpriv.* @name:514;RSYSLOG_SyslogProtocol23Format` where `name `is a FQDN, NetBIOS name or IP address of the computer where Netwrix Auditor Server is installed. For example: `auth.*;authpriv.* @172.28.18.25:514;RSYSLOG_ SyslogProtocol23Format` 3. Launch the **UBUNTU console** and execute the following command: `service rsyslog restart`. |
+
+See the the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the
+structure of the Activity Record and the capabilities of the Integration API
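Review bot: The rsyslog examples in the last table row contain a space inside the template name ("RSYSLOG_ SyslogProtocol23Format"), while the line to add is given as "RSYSLOG_SyslogProtocol23Format"; a reader who copies the example gets a line that does not match the instruction. The same cell says to forward to the computer where Netwrix Auditor Server is installed, but the row above places the UDP 514 listener on the computer where the service is installed, so the forwarding target should be described as the add-on host. The per-distribution procedures are flattened into one table cell; move them below the table as numbered lists with the rsyslog line in a code block. Because these are auth and authpriv messages sent over UDP, a pointer to the Accept List setting on the parameters page would help here. Typos: "sends the activity records Auditor Server", "See the the", and the missing final period.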
diff --git a/docs/auditor/10.8/addon/privilegeduserlinux/parameters.md b/docs/auditor/10.8/addon/privilegeduserlinux/parameters.md
new file mode 100644
index 0000000000..b1ac95042d
--- /dev/null
+++ b/docs/auditor/10.8/addon/privilegeduserlinux/parameters.md
@@ -0,0 +1,30 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 20
+---
+
+# Define Parameters
+
+The configuration wizard opens in the default web browser:
+
+
+
+Click **Proceed** and complete the following fields:
+
+| Option | Description |
+| ------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Specify General Settings | |
+| Listed UDP port | Specify UDP port for listening incoming events. (**514** by default). |
+| Auditor Endpoint | Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hostingAuditor Server and uses default port _9699_. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15_, _EnterpriseNAServer_, _WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.ent erprise.local:9999_). Do not modify the endpoint part (_/ netwrix/ api_ ) |
+| Certificate Thumbprint | Netwrix Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check Auditor certificate via Windows Certificate Store. - `AB:BB:CC`—Check Auditor Server certificate thumbprint identifier. - `NOCHECK`—Do not check Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
+| Specify Active Directory credentials | |
+| Username | Provide the name of the account under which the service runs. Unless specified, the service runs under the account currently logged on. |
+| Password | Provide the password for the selected account. |
+| Auditor Monitoring Plan settings | |
+| Auditor Plan | Unless specified, data is written to **Netwrix_Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add- on, make sure a dedicated plan is created in Auditor, the Netwrix **API** data source is added to the plan and enabled for monitoring. Otherwise, the add- on will not be able to write data to the Audit Database. |
+| Auditor Plan Item | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item inAuditor in advance. |
+| Accept List | |
+| Address | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. |
+
+Click **Run** to start collecting data with the Add-On.
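Review bot: The Certificate Thumbprint row tells readers to select `NOCHECK` whenever servers are specified by IP, which makes disabling verification of the Auditor certificate the routine setting for a common deployment. The row already offers a thumbprint check; recommend that option for IP-addressed servers and describe `NOCHECK` as suitable for testing only. `AB:BB:CC` should be marked as a placeholder, with the expected thumbprint format stated. Spacing errors need fixing where they alter literal values: "_WKS.ent erprise.local:9999_", "_/ netwrix/ api_", "hostingAuditor", "inAuditor", "add- on". "Listed UDP port" looks like it should be "Listening UDP port".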
diff --git a/docs/auditor/10.8/addon/qumulo/_category_.json b/docs/auditor/10.8/addon/qumulo/_category_.json
new file mode 100644
index 0000000000..1fd58ebbda
--- /dev/null
+++ b/docs/auditor/10.8/addon/qumulo/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Qumulo",
+ "position": 180,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/qumulo/collecteddata.md b/docs/auditor/10.8/addon/qumulo/collecteddata.md
new file mode 100644
index 0000000000..009f4bda0f
--- /dev/null
+++ b/docs/auditor/10.8/addon/qumulo/collecteddata.md
@@ -0,0 +1,27 @@
+---
+title: "Working with Collected Data"
+description: "Working with Collected Data"
+sidebar_position: 20
+---
+
+# Working with Collected Data
+
+To leverage data collected with the add-on, you can do the following in Netwrix Auditor:
+
+- Search for required data. For that, start Netwrix Auditor client and navigate to **Search**. After
+ specifying the criteria you need, click **Search**. You will get a list of activity records with
+ detailed information on who did what in the reported time period.
+
+You might want to apply a filter to narrow down your search results to the Netwrix API data source
+only.
+
+
+
+- Also, you can click **Tools** in the upper-right corner and select the command you need. For
+ example:
+ - If you want to periodically receive the report on the results of search with the specified
+ criteria, click **Subscribe**. Then specify how you want the report to be delivered – as an
+ email or as a file stored to the file share.
+ - To create an alert on the specific occurrences, click **Create alert**.
+ - To export filtered data to PDF or CSV, click **Export data**.
+- You can also configure and receive alerts on the events you are interested in.
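Review bot: The title here is "Working with Collected Data" while the same page for the Okta and Linux add-ons in this change is titled "Work with Collected Data"; use one form so the sidebar is consistent. As on the Okta page, the unindented sentence about filtering by the Netwrix API data source and the empty lines after it break the bullet list and should be indented under the first bullet.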
diff --git a/docs/auditor/10.8/addon/qumulo/deployment.md b/docs/auditor/10.8/addon/qumulo/deployment.md
new file mode 100644
index 0000000000..f158699558
--- /dev/null
+++ b/docs/auditor/10.8/addon/qumulo/deployment.md
@@ -0,0 +1,24 @@
+---
+title: "Deployment Scenarios"
+description: "Deployment Scenarios"
+sidebar_position: 10
+---
+
+# Deployment Scenarios
+
+The Add-On can run on any computer in your environment. For example, you can run the add-on on the
+computer where Auditor is installed, or on a remote server. Depending on the deployment scenario you
+choose, you will need to define a different set of parameters
+
+Netwrix suggests the following scenarios:
+
+| Scenario | Example: Parameters updated in default settings.xml |
+| -------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on the Netwrix Auditor Server with the current user credentials. | `172.28.4.15` `172.28.3.18` |
+| The add-on runs on the Netwrix Auditor Server with the explicitly specified user credentials. | `SecurityOfficer` `` `NetwrixUser` `` `172.28.4.15` |
+| The add-on runs on a remote computer. Data is written to a remote Netwrix Auditor repository with the current user credentials. | ` https://172.28.6.19:9699/netwrix/api/v1/activity_records` `172.28.4.15` |
+| The add-on runs on a remote computer. Data is written to a remote Netwrix Auditor repository with the explicitly specified user credentials. | ` https://172.28.6.19:9699/netwrix/api/v1/activity_records` `NetwrixUser` `` `NetwrixIsCool` `` `172.28.4.15` |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
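Review bot: The example column has lost its XML element names: each cell shows only values such as `172.28.4.15` `172.28.3.18` and empty inline code spans, so the reader cannot tell which **settings.xml** parameter each value belongs to. Escape the angle brackets or move each example into a code block. The fourth scenario shows what appears to be a password value (`NetwrixIsCool`) stored in settings.xml; given the recommendation below the table to run with current user credentials, replace it with a placeholder and say how the file should be protected when credentials are stored in it. The closing paragraph refers to "the script" and "event log", neither of which appears elsewhere on this page; confirm that wording applies to the Qumulo add-on. The sentence ending "a different set of parameters" is missing its period.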
diff --git a/docs/auditor/10.8/addon/qumulo/monitoringscope.md b/docs/auditor/10.8/addon/qumulo/monitoringscope.md
new file mode 100644
index 0000000000..0be7ed09af
--- /dev/null
+++ b/docs/auditor/10.8/addon/qumulo/monitoringscope.md
@@ -0,0 +1,34 @@
+---
+title: "Monitoring Scope"
+description: "Monitoring Scope"
+sidebar_position: 40
+---
+
+# Monitoring Scope
+
+Review a full list of all events Netwrix Auditor can collect on Qumulo Cluster.
+
+| Event | Description |
+| -------------------------------------- | -------------------------------------------------------------------- |
+| fs_create_directory | A new directory was created. |
+| fs_create_file | A new file was created. |
+| fs_create_hard_link | A new hard link was created. |
+| fs_create | A filetype other than one of the types captured above was created. |
+| fs_delete | An entity (file, link, directory) was deleted from the file storage. |
+| fs_rename | An entity (file, link, directory) from the file storage was renamed. |
+| fs_read_data | Read operation was performed. |
+| fs_write_data | Write operation was performed. |
+| fs_write_metadata | Write operation was performed (metadata was written). |
+| nfs_create_export | Created NFS Export that the client will mount to. |
+| nfs_delete_export | Removed NFS Export that the client will mount to. |
+| nfs_modify_export | Modified NFS Export that the client will mount to. |
+| nfs_mount | Mount to NFS share. |
+| replication_create_source_relationship | A replication object was created. |
+| replication_delete_source_relationship | A replication object was deleted. |
+| replication_modify_source_relationship | A replication object was modified. |
+| smb_create_share | A new SMB file share was created. |
+| smb_delete_share | An SMB file share was deleted. |
+| smb_modify_share | An SMB file share was modified. |
+| snapshot_create_snapshot | A snapshot was created. |
+| snapshot_delete_snapshot | A snapshot was deleted. |
+| snapshot_modify_snapshot | A snapshot was modified. |
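Review bot: the `fs_write_metadata` row says only "metadata was written", while overview.md in this same patch states that not every detail about permission and attribute changes is provided by Qumulo Cluster. Add a cross-reference to that limitation here so readers do not take this table to mean that permission changes are fully audited. The `fs_read_data` and `fs_write_data` descriptions also lack an article ("A read operation was performed.").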
diff --git a/docs/auditor/10.8/addon/qumulo/overview.md b/docs/auditor/10.8/addon/qumulo/overview.md
new file mode 100644
index 0000000000..4f343434fb
--- /dev/null
+++ b/docs/auditor/10.8/addon/qumulo/overview.md
@@ -0,0 +1,122 @@
+---
+title: "Qumulo"
+description: "Qumulo"
+sidebar_position: 180
+---
+
+# Qumulo
+
+**Netwrix Auditor** is a visibility platform for user behavior analysis and risk mitigation that
+enables control over changes, configurations and access in hybrid IT environments to protect data
+regardless of its location. The platform provides security analytics to detect anomalies in user
+behavior and investigate threat patterns before a data breach occurs.
+
+Qumulo Hybrid Cloud File Storage delivers real-time visibility, scale, and control of data across
+on-prem and cloud. Qumulo customers understand storage at a granular level; programmatically
+configure and manage usage, capacity, and performance; and are continuously delighted with new
+capabilities, 100% usable capacity and direct access to experts. More information at
+[www.qumulo.com](http://www.qumulo.com/).
+
+To control who does what in the IT infrastructure that includes Qumulo Hybrid Cloud File Storage,
+organizations need to monitor file-related activity. A typical case is when a user has renamed a
+directory at the top level, and other users are unable to locate their files anymore. Thus, IT
+specialists require a way to monitor, search and get notifications on certain file activity so that
+they can take corrective measures.
+
+For that purpose, you can use a specially designed Netwrix Auditor add-on for Qumulo. It works in
+collaboration with Netwrix Auditor, supplying data about file operations on your Qumulo Cluster to
+Netwrix database. Aggregating data into a single audit trail simplifies analysis, makes activity
+monitoring more cost-effective, and helps you keep tabs on your IT infrastructure.
+
+Major benefits:
+
+- Gain a high-level view of the data you store
+- Detect unauthorized activity that might threaten your data
+
+## How it Works
+
+The add-on is implemented as a Syslog service that collects activity data from Qumulo Cluster and
+sends it to Auditor using the Integration API.
+
+
+
+On a high level, the solution works as follows:
+
+1. An IT administrator configures the Integration API settings to enable data collection and storage
+ to the Netwrix database for further reporting, search, etc.
+
+ It is recommended to create a dedicated monitoring plan in Netwrix Auditor and add a dedicated
+ item of **Integration** type to it — then you will be able to filter data in reports and search
+ results by monitoring plan/item name.
+
+2. On the Qumulo side, the IT administrator prepares Syslog configuration settings.
+3. Then the administrator opens the settings.xml configuration file and specifies the necessary
+ parameters for add-on operation, including Qumulo Cluster as the source of Syslog messages,
+ Auditor settings, etc. The add-on will operate as a Syslog listener for the Qumulo Cluster.
+4. The add-on starts collecting and forwarding activity data: it listens to the specified TCP port
+ and captures the designated Syslog messages. Data communication is performed using the TCP
+ version of Syslog protocol.
+5. The add-on processes these Syslog messages into Auditor-compatible format (Activity Records).
+ Each Activity Record contains the "Who-What-When-Where-Action" information (that is, initiator's
+ account, time, action, and other details).
+6. Using the Integration API, the add-on sends the activity records to Auditor Server that writes
+ them to the **Netwrix_Auditor_API** database (SQL server database) and file-based Long-Term
+ Archive. Data is sent periodically, by default every 5 seconds. For more information on the
+ Activity Record structure and capabilities of the Integration API, refer to the
+ [Integration API](/docs/auditor/10.8/api/overview.md) topic.
+7. Users open Auditor Client to work with collected data:
+ - Search for file changes using certain criteria
+ - Export data to PDF or CSV files
+ - Save search results as reports
+ - Subscribe to search results
+ - Configure and receive alerts
+
+### Add-on Delivery Package
+
+The add=on delivery package is a ZIP archive that includes the following files:
+
+| File name | Description |
+| ------------------------ | ---------------------------------------------------------------------------- |
+| install.cmd | Command file that installs and enables Netwrix Syslog service. |
+| settings.xml | Contains parameters for the add-on service operation. |
+| SyslogService.exe | The Syslog service – main add-on component, implemented as a Syslog service. |
+| SyslogService.exe.config | Add-on configuration data. |
+
+You will also need the **qumulo.xml** file that contains rules for processing Qumulo events. This
+file is shipped separately.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| Where | Prerequisite to check |
+| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor Server side | - Auditor version is 9.96 or higher. - Integration API settings and **Netwrix_Auditor_API** database are configured properly. See [Configure Integration API](https://helpcenter.netwrix.com/API/API_Configuration.html) and [Audit Database](https://helpcenter.netwrix.com/Settings/Audit_Database_settings/Default_Audit_Database_Settings.html). - The **TCP 9699** port must be open on Windows firewall for inbound connections. - User account under which data will be written to **Netwrix_Auditor_API** database requires the _Contributor_ role in Netwrix Auditor. See [Role-Based Access and Delegation](https://helpcenter.netwrix.com/Roles/Role_Based_Access.html). Alternatively, you can grant it the **Global administrator** role, or add that account to the _Netwrix Auditor Administrators_ group. |
+| The machine where the add-on will be installed | - The **TCP 9905** port must be open on Windows firewall for inbound connections. - .NET Framework 4.5 or later must be installed. |
+| Qumulo Cluster | Qumulo core version 3.0.5. |
+
+### Accounts and rights
+
+It is recommended to create a dedicated account for running **install.cmd** and
+**SyslogService.exe**. The service will connect to Auditor Server using this account, so at least
+the **Contributor** role in Auditor is required for it. See
+[Role-Based Access and Delegation](https://helpcenter.netwrix.com/Roles/Role_Based_Access.html) for
+more information.
+
+### Considerations and limitations
+
+- For events received with NFS3 protocol, the _posix uid_ will be displayed instead of the
+ initiator's account name in the "_Who_" field of the Auditor search results and activity
+ summaries.
+- If the initiator's account name could not be resolved, then Windows SID or Qumulo auth ID will be
+ displayed in the the "_Who_" field of the search results and activity summaries.
+- Currently, not every detail about permission and attribute changes may be provided by Qumulo
+ Cluster, so they cannot be reported by Auditor.
+- If the monitoring plan name in the add-on configuration parameter is specified incorrectly, this
+ may lead to temp files generation and, therefore, to inefficient disk space usage.
+
+## Compatibility Notice
+
+(Undefined variable: Add-on.Addon_Qumulo) is compatible with Qumulo core 3.0.5 and with Netwrix
+Auditor 9.96 and later.
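Review bot: the Compatibility Notice ships an unresolved template variable, "(Undefined variable: Add-on.Addon_Qumulo) is compatible with Qumulo core 3.0.5"; replace it with the add-on name before merging. In the same file, step 4 says the listener uses "the TCP version of Syslog protocol" but never states whether that channel is encrypted or authenticated. Since the messages carry the Who/What/When audit data, say so explicitly and point to the AcceptList parameter as the source restriction. Smaller items: "The add=on delivery package", "the the", the run of empty lines after "sends it to Auditor using the Integration API." where a diagram was evidently dropped, and the prerequisites table linking to helpcenter.netwrix.com while step 6 uses a /docs/auditor/10.8/ path.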
diff --git a/docs/auditor/10.8/addon/qumulo/parameters.md b/docs/auditor/10.8/addon/qumulo/parameters.md
new file mode 100644
index 0000000000..e6270f05b3
--- /dev/null
+++ b/docs/auditor/10.8/addon/qumulo/parameters.md
@@ -0,0 +1,63 @@
+---
+title: "Add-On Parameters"
+description: "Add-On Parameters"
+sidebar_position: 30
+---
+
+# Add-On Parameters
+
+To configure the add-on parameters, you need to edit the **settings.xml** file in the add-on folder.
+You must define connection details: Netwrix Auditor Server host, user credentials, etc.
+
+Most parameters are optional, the service uses the default values unless parameters are explicitly
+defined (`\*\*\_value_\*\*`). You can skip or define parameters depending on
+your execution scenario and security policies.
+
+Parameters in **settings.xml** can be grouped as follows:
+
+- General parameters that affect add- on execution. They are listed in the table below.
+- Settings for a certain event source (within the _Source_ section) that can override general
+ settings.
+- Internal parameters that should not be modified in most cases. They are listed in .
+
+| Parameter | Default value | Description |
+| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General parameters | | |
+| ListenTcpPort | 9905 | Specify TCP port for listening incoming syslog events. |
+| NetwrixAuditorEndpoint | https://localhost: 9699/netwrix/api/ v1/activity_records | Netwrix Auditor Server IP address and port number followed by endpoint for posting Activity Records. Assumes that the add-on runs on the computer hosting Auditor Server and uses default port **9699**. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15, EnterpriseNAServer, WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.enterprise.local:9999_). Do not modify the endpoint part (/netwrix/api . . . . ) |
+| NetwrixAuditor CertificateThumbprint | NOCHECK | Netwrix Auditor Certificate Thumbprint Property. Possible values: - `Empty`—Check Netwrix Auditor certificate via Windows Certificate Store. - `AB:BB:CC.`—Check Netwrix Auditor Server certificate thumbprint identifier. - `NOCHECK`—Do not check Netwrix Auditor certificate. Make sure to select this parameter if you plan to specify servers by their IP. |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. The account must be assigned the Contributor role in Netwrix Auditor. |
+| NetwrixAuditorUserPassword | Current user credentials | Unless specified, the service runs with the current user credentials. Provide a different password if necessary. |
+| NetwrixAuditorDateTimeFormat | yyyy-MM-ddTHH:mm:ssZ | Netwrix Auditor time format. By default, set to zero offset. |
+| NetwrixAuditorPlan | — | Unless specified, data is written to Netwrix_Auditor_API database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. If you select a plan name in the add-on, make sure a dedicated plan is created in Auditor, the Netwrix API data source is added to the plan and enabled for monitoring. Otherwise, the add-on will not be able to write data to the Audit Database. |
+| NetwrixAuditorPlanItem | — | Unless specified, data is not associated with a specific plan and, thus, cannot be filtered by item name. Specify an item name. Make sure to create a dedicated item in Netwrix Auditor in advance. |
+| EventStorePath | — | Select where to store temporary files of syslog messages before the add-on sends them to Netwrix Auditor Server. Netwrix recommends not to store these files out of the service directory. |
+| LogLevel | error | Specify logging level: - none - info - warning - error (used by default) - debug |
+| WriteCriticalIssues ToEventLog | 0 | Instructs the add-on to write important events (like service start or critical issue) not only to its own log but also to Netwrix event log. - 1=yes - 0=no (default) |
+| Parameters within SourceList You can specify parsing rules for each specific event source and define parameters to override general settings, such as time zone, default plan name, etc. | | |
+| NetwrixAuditorPlan | — | When specified, overrides the general settings. |
+| NetwrixAuditorPlanItem | — | When specified, overrides the general settings. |
+| DefaultTsTimezone | — | Define the time zone of syslog events. By default, set to zero offset (UTC). |
+| AppNameRegExp | — | Define a custom regular expression pattern to retrieve the application name from your syslog messages. Unless specified, RFC 3164/5424 format is used. If you provide a pattern for application name, this name will be used to determine what rule file will be used to parse syslog messages. The pattern you provide here must match the application name in your custom rule file. |
+| AppNameGroupID | — | Define application name value by Group ID only if messages are not formatted in accordance with RFC 3164/5424. Otherwise, leave the default value. |
+| RuleFileList PathFile | qumulo.xml | Specify paths to XML file(s) with regular expression parsing rules. You can create a custom file or use rules provided out of the box. Currently, the **qumulo.xml** rules file is provided by Qumulo. You can specify several rule files. The service will check if the AppName parameter in the first rule file matches the **AppNameRegExp** and **AppNameGroupID** regular expression in this file. If not, the service will proceed to the next rule file. |
+| AcceptList Address | — | Specify a list of IP addresses of syslog events sources. The service will collect and process events from these sources only. Events collected from any other source will be ignored. The Address parameter may be followed by optional attributes that override parameters specified above: - naplan—A name of associated monitoring plan - naplanitem—A name of associated item - tstimezone—Timezone for Qumulo Cluster For example: `172.28.3.15 ` |
+
+After you modify parameters in the **settings.xml** file, remember to save the changes and then
+restart (Undefined variable: Add-on.Addon_Qumulo) service (**SyslogService.exe**) for them to take
+effect.
+
+## Add-on Internal Parameters
+
+Internal parameters listed in the table below are intended for performance tuning. In most cases the
+default values should be used.
+
+| Parameter | Default value | Description |
+| --------------------- | ------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| EventsFromMemoryFirst | 1 | Instructs the add-on to save events to temporary storage only if there is no free space in queues: - 1=yes - 0=no |
+| ConcurrentSend | -1 | Specifies number of threads for concurrent forwarding of events to Auditor. Default value is -1 (switch off concurrent forwarding). |
+| ListenTcpAddress | 0.0.0.0 | Defines destination IP address. In case of multiple network cards, you can specify certain IP address here to listen to its messages only. |
+| SenderSleepTime | 30 | Specifies retry interval in seconds to send messages to Auditor (30 - 3600 seconds). |
+| TaskLimit | 8 | Specifies number of threads and queues for concurrent handling of events. |
+| QueueSizeLimit | 1000 | Specifies maximum number of events to keep in queue before saving to temporary storage or sending to Netwrix API. |
+| QueueTimeLimit | 5 | Specifies the length of timeout before events from queue (not full) are saved to temporary storage or sent to Netwrix API: - From 5 to 300 — timeout in seconds. - -1 — disable timeout. |
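Review bot: the NetwrixAuditorCertificateThumbprint row documents `NOCHECK` ("Do not check Netwrix Auditor certificate") as the default with no caveat, in the same table that describes sending NetwrixAuditorUserName and NetwrixAuditorUserPassword to that endpoint. Add a note recommending the thumbprint or Windows Certificate Store option whenever the add-on runs on a different machine than Auditor Server, and state how a password written to settings.xml is protected, or advise restricting access to the add-on folder. Rendering defects to fix in the same pass: the placeholder `\*\*\_value_\*\*` in the second paragraph, the dangling "They are listed in .", "add- on", the stray spaces inside the default NetwrixAuditorEndpoint URL, the AcceptList example `172.28.3.15 ` that has lost the naplan/naplanitem/tstimezone attributes it is meant to illustrate, and "(Undefined variable: Add-on.Addon_Qumulo)" in the restart sentence.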
diff --git a/docs/auditor/10.8/addon/qumulo/troubleshooting.md b/docs/auditor/10.8/addon/qumulo/troubleshooting.md
new file mode 100644
index 0000000000..0789031114
--- /dev/null
+++ b/docs/auditor/10.8/addon/qumulo/troubleshooting.md
@@ -0,0 +1,26 @@
+---
+title: "Maintenance and Troubleshooting"
+description: "Maintenance and Troubleshooting"
+sidebar_position: 50
+---
+
+# Maintenance and Troubleshooting
+
+(Undefined variable: Add-on.Addon_Qumulo) operations are logged into the **SyslogService.txt** file.
+This file is located in the same folder as **SyslogService.exe.**
+
+To change the add-on logging level, use the **LogLevel** parameter in the **settings.xml** file.
+
+- It is recommended that before the first run you set this parameter to `debug`. This will
+ facilitate operations tracking and possible problem solving.
+- After that it is strongly recommended to re-set this parameter to `error` (default value) to
+ prevent the uncontrolled log growth.
+
+If you cannot see collected data in Netwrix Auditor, check the following:
+
+1. Service account has sufficient rights to access Netwrix Auditor.
+2. In Netwrix Auditor settings, go to the **Integrations** section and make sure the **Leverage
+ Integration API** is switched to **ON**. Check the communication port number – default is
+ **9699**.
+3. If you configured a dedicated monitoring plan, make sure data source monitoring is enabled.
+4. Verify the parameters you provided in **settings.xml**.
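Review bot: the "If you cannot see collected data" checklist verifies only the Auditor side (port 9699, plan, service account) and omits the listener side that parameters.md and overview.md in this patch make mandatory: that TCP 9905 is open inbound on the add-on machine and that the Qumulo Cluster address is present in AcceptList, since events from any other source are ignored. Add both as checklist items. Also replace "(Undefined variable: Add-on.Addon_Qumulo)" in the first sentence with the add-on name, and move the period out of the bold in "**SyslogService.exe.**".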
diff --git a/docs/auditor/10.8/addon/radius/_category_.json b/docs/auditor/10.8/addon/radius/_category_.json
new file mode 100644
index 0000000000..54c8653cc0
--- /dev/null
+++ b/docs/auditor/10.8/addon/radius/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "RADIUS Server",
+ "position": 190,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/radius/automate.md b/docs/auditor/10.8/addon/radius/automate.md
new file mode 100644
index 0000000000..463df57654
--- /dev/null
+++ b/docs/auditor/10.8/addon/radius/automate.md
@@ -0,0 +1,36 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 40
+---
+
+# Automate Add-On Execution
+
+To ensure you feed the most recent data to your SIEM solution, Netwrix recommends scheduling a daily
+task for running the add-on.
+
+**To create a scheduled task:**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task
+Scheduler**.Select **Create Task**.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrix recommends scheduling
+a daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix*Auditor_Add-on_for_RADIUS* Server.ps1" -NetwrixAuditorHost 172.28.6.15 -RADIUSHost 172.28.6.16 |
+
+Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
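Review bot: the intro and Step 3 describe a different add-on. "feed the most recent data to your SIEM solution" and "how often audit data is exported from Auditor and saved to event log" contradict radius/overview.md in this patch, which says the script collects logon events from the RADIUS server's Security log and sends them to Auditor. Reword both for the RADIUS data flow. The example in the "Add arguments" row is also mangled by markdown escaping ("Netwrix*Auditor_Add-on_for_RADIUS* Server.ps1"); put the command in backticks so the underscores survive. "Scheduler**.Select" in Step 1 is missing a space, and Step 2's "all necessary rights and permissions" should link to the Prerequisites table instead of leaving the reader to guess.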
diff --git a/docs/auditor/10.8/addon/radius/collecteddata.md b/docs/auditor/10.8/addon/radius/collecteddata.md
new file mode 100644
index 0000000000..be0186d42d
--- /dev/null
+++ b/docs/auditor/10.8/addon/radius/collecteddata.md
@@ -0,0 +1,21 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+Auditor provides a convenient interface for reviewing RADIUS server logons. Once the script
+execution completed, you can start analyzing user activity data with Netwrix search.
+
+Follow the steps to see results.
+
+**Step 1 –** Start the Auditor client and navigate to Search.
+
+**Step 2 –** Click **Search**.
+
+
+
+**NOTE:** You might want to apply a filter to narrow down your search results to the RADIUS Logon
+object type only.
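Review bot: the NOTE about filtering to the RADIUS Logon object type comes after Step 2 ("Click **Search**"), so a reader following the steps in order runs an unfiltered search first; move the filter into its own step before clicking Search. The empty lines after Step 2 look like a dropped screenshot, and "Once the script execution completed" should read "Once the script execution has completed".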
diff --git a/docs/auditor/10.8/addon/radius/customreport.md b/docs/auditor/10.8/addon/radius/customreport.md
new file mode 100644
index 0000000000..ab922ade8b
--- /dev/null
+++ b/docs/auditor/10.8/addon/radius/customreport.md
@@ -0,0 +1,32 @@
+---
+title: "Create Custom Report"
+description: "Create Custom Report"
+sidebar_position: 60
+---
+
+# Create Custom Report
+
+To speed up data review process and help you find the latest logons faster, Netwrix created an
+additional script, **Netwrix_Auditor_Saved_Search_for_RADIUS_Server_Logons.ps1**. It is shipped with
+the add-on and creates the RADIUS server logons since yesterday custom search-based report in the
+Auditor client.
+
+Follow the steps to create a custom report with the script.
+
+**Step 1 –** Copy the **Netwrix_Auditor_Saved_Search_for_RADIUS_Server_Logons.ps1** script to the
+Auditor Server.
+
+**Step 2 –** Start **Windows PowerShell** and specify a path to the script.
+
+**Step 3 –** Run the script.
+
+**NOTE:** The user running the script must be a member of the **Netwrix Auditor Administrators**
+group.
+
+After running the script, the RADIUS server logons since yesterday custom report appears in
+**Reports** > **Custom**. You can access the search instantly to receive it on a regular basis.
+
+
+
+Clicking the saved search tile opens the search with preset filters, which shows RADIUS logon
+activity data for 2 days (yesterday and today).
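Review bot: "You can access the search instantly to receive it on a regular basis" does not parse, because instant access and regular delivery are two different actions; state which UI action gives scheduled delivery, or split the sentence into the two options. The report name is also unformatted in both places ("creates the RADIUS server logons since yesterday custom search-based report"), which makes the sentence hard to read; set it in bold or quotes as the other UI names are. Step 2 ("specify a path to the script") would be clearer with the actual command form, and the empty lines before the last paragraph look like a dropped screenshot.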
diff --git a/docs/auditor/10.8/addon/radius/deployment.md b/docs/auditor/10.8/addon/radius/deployment.md
new file mode 100644
index 0000000000..e9315eaf4e
--- /dev/null
+++ b/docs/auditor/10.8/addon/radius/deployment.md
@@ -0,0 +1,27 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+Auditor Add-on for RADIUS Server runs on any computer in your environment. For example, you can run
+the add-on on the computer where Auditor is installed or on your RADIUS server.
+
+Depending on the execution scenario you choose, you have to define a different set of script
+parameters. See the [Define Parameters](/docs/auditor/10.8/addon/radius/parameters.md) topic for additional information.
+
+Netwrixsuggests the following execution scenarios:
+
+| Scenario | Example |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on theAuditor Server with the current user credentials. Data is collected from a remote RADIUS server and written to a local repository. | C:\Add-ons\Netwrix_Auditor_Add-on_for_RADIUS_Server.ps1 -RADIUSHost 172.28.6.16 |
+| The add-on runs on the Auditor Server with explicitly defined credentials. Collected data is written to a remote Auditor Server. | C:\Add-ons\Netwrix*Auditor_Add-on_for* RADIUS_Server.ps1 -NetwrixAuditorHost 172.28.6.15 |
+| The add-on runs on the Auditor Server with the current user credentials. Data is collected from a remote RADIUS server with explicitly defined credentials. | C:\Add-ons\Netwrix*Auditor_Add-on_for* RADIUS_Server.ps1 -RADIUSHost 172.28.6.16 -RADIUSUserName enterprise\NSPuser -RADIUSPassword SuperStrictPassword |
+| The add-on runs on a remote computer with the current user credentials. Data is collected from a remote RADIUS server and written to a remote Auditor repository. | C:\Add-ons\Netwrix*Auditor_Add-on_for* RADIUS_Server.ps1 -NetwrixAuditorHost 172.28.6.15 -RADIUSHost 172.28.6.16 |
+| The add-on runs on a remote computer. Data is collected from a remote RADIUS server with RADIUS server credentials and is written to a remote Auditor repository with Auditor credentials. | C:\Add-ons\Netwrix*Auditor_Add-on_for* RADIUS_Server.ps1 -NetwrixAuditorHost 172.28.6.15 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool -RADIUSHost 172.28.6.16 -RADIUSUserName enterprise\NSPuser -RADIUSPassword SuperStrictPassword |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
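Review bot: the last two scenario rows show passwords passed as plaintext arguments ("-RADIUSPassword SuperStrictPassword", "-NetwrixAuditorPassword NetwrixIsCool"), and automate.md in this patch tells readers to paste such arguments into a scheduled task. The recommendation to use current-user credentials is only a closing sentence below the table. Move it above the table as a callout and mark the password values as placeholders. The second row is also inconsistent: it says the add-on runs "with explicitly defined credentials" but the example passes only -NetwrixAuditorHost, and it says the add-on runs on the Auditor Server while writing to "a remote Auditor Server". Typos: "Netwrixsuggests", "theAuditor", and the script paths mangled by markdown escaping ("Netwrix*Auditor_Add-on_for* RADIUS_Server.ps1"); wrap the commands in backticks.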
diff --git a/docs/auditor/10.8/addon/radius/overview.md b/docs/auditor/10.8/addon/radius/overview.md
new file mode 100644
index 0000000000..e291da084c
--- /dev/null
+++ b/docs/auditor/10.8/addon/radius/overview.md
@@ -0,0 +1,82 @@
+---
+title: "RADIUS Server"
+description: "RADIUS Server"
+sidebar_position: 190
+---
+
+# RADIUS Server
+
+Netwrix Auditor Add-on for RADIUS Server tracks user and device logon activity on a Windows Server
+where the Remote Authentication Dial-In User Service (RADIUS) is running.
+
+## RADIUS Protocol
+
+RADIUS is a client-server network protocol that enables secure authentication, authorization, and
+account management through special network access servers called gateways. The protocol works as
+follows: When a user tries to access network resources through a gateway that has the RADIUS client
+component enabled, the gateway sends a request to the RADIUS server. The RADIUS server identifies
+the user or device and either accepts or rejects the connection request, and then logs the attempt
+for future reference.
+
+Because it enhances security and scalability, the RADIUS protocol is widely used in enterprise
+network environments to provide authentication and authorization for a variety of network access
+servers, such as VPN or dial-in servers and wireless access points. It helps organize and centralize
+sign-in procedures and improve overall security. In a Windows Server environment, the RADIUS server
+is provided by the Network Policy Server (NPS).
+
+In addition to providing user authentication and authorization, a RADIUS server can grant or deny
+access to a connecting device based on network policies. Companies leverage these policies to
+empower users to connect to the corporate infrastructure using their personal devices, while
+disallowing potentially vulnerable and unsafe devices to minimize risk.
+
+## Netwrix Auditor Add-on
+
+Regular review of logon activity is essential for gaining complete visibility into your account
+management
+
+procedures and ensuring that all activity is traceable and compliant with your policies. For
+example, logons from unusual locations or devices can be a sign of user account compromise or
+identity theft, and an unexpectedly high number of logon failures can indicate an intrusion attempt.
+Careful review of successful and failed logons from both Active Directory and RADIUS servers helps
+security operations teams detect these signs and react promptly to security threats.
+
+Netwrix Auditor Add-on for RADIUS Server works in collaboration with Netwrix Auditor for Active
+Directory, collecting additional data that augments the data collected by Netwrix Auditor.
+Aggregating data into a single audit trail simplifies logon activity analysis and helps you keep
+tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on automates the acquisition of RADIUS logon events and
+their transition to Netwrix Auditor. All you have to do is provide connection details and schedule
+the script for execution. Netwrix recommends running this add-on in addition to the Active Directory
+auditing provided by Netwrix Auditor.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Security event log on the RADIUS server and collects logon-related
+ events.
+2. The add-on processes these events into Netwrix Auditor-compatible format (Activity Records). Each
+ Activity Record contains the user account, logon status, time, and other details. Where
+ applicable, the cause for logon failure and the name of network policy are included in the
+ Activity Record.
+3. Using the Netwrix Auditor Integration API, the add-on sends the successful and failed logon
+ events to the Netwrix Auditor server, which writes them to the Long-Term Archive and the Audit
+ Database.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Netwrix Auditor Integration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor Server side | - Auditor version is **9.8** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The RADIUS server | - The **Remote Event Log Management (RPC)** inbound firewall rule is enabled. - The account collecting RADIUS logon events is member of the **Domain Users** group and have the **Manage auditing and security log** right. |
+| The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
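Review bot: In the "computer where the script will be executed" row, the prerequisite tells the reader to run Set-ExecutionPolicy Unrestricted with no scope, which changes the policy for the whole machine and leaves it that way after the add-on has run. Please check whether a narrower setting is enough (for example RemoteSigned, or -Scope Process for the session that runs the script) and document that instead. The command is also run into the sentence; it needs its own code formatting. The Auditor Server row offers the Global administrator role as an alternative to Global reviewer while noting it gives "the most extended permissions"; it would help to say that Global reviewer is the preferred choice. In the RADIUS server row, "is member of ... and have" should read "is a member of ... and has".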
diff --git a/docs/auditor/10.8/addon/radius/parameters.md b/docs/auditor/10.8/addon/radius/parameters.md
new file mode 100644
index 0000000000..697138743e
--- /dev/null
+++ b/docs/auditor/10.8/addon/radius/parameters.md
@@ -0,0 +1,25 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the
+[Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/logrhythm/deployment.md) topic for additional
+information.
+
+| Parameter | Default value | Description |
+| ------------------------- | ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Connection to Auditor** | | |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting Auditor Server and uses default port 9699. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide a server name followed by the port number (e.g., WKS.enterprise.local:9999). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the DOMAIN\username format. The account must be assigned the Global reviewer role in Auditor or be a member of the Netwrix Auditor Client Users group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
+| NetwrixAuditorPlan | – | Unless specified, data is written to **Netwrix\_ Auditor_API** database and is not associated with a specific monitoring plan. Specify a name of associated monitoring plan in Auditor. In this case, data will be written to a database linked to this plan. **NOTE:** If you select a plan name in the add-on, make sure a dedicated plan is created in Auditor, the Netwrix API data source is added to the plan and enabled for monitoring. Otherwise, the add-on will not be able to write data to the Audit Database. |
+| RADIUSHost | localhost | Assumes that the script runs on the RADIUS server. If you want to run a script on another machine, provide a name of the computer where RADIUS server resides (e.g., 172.28.6.16, EnterpriseNPS, NPS.enterprise.local). |
+| RADIUSUserName | Current user credentials | Unless specified, the script runs with the current user credentials. If you want the script to use another account to access the RADIUS server, specify the account name in the DOMAIN\username format. **NOTE:** The account must be a member of the **Domain Users** group and have the **Manage auditing and security log** right. |
+| RADIUSPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
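Review bot: The "Choose Appropriate Execution Scenario" link in the intro paragraph points to /docs/auditor/10.8/addon/logrhythm/deployment.md, a LogRhythm add-on page, although this file documents the RADIUS add-on; please confirm the target or point it at a RADIUS topic. NetwrixAuditorPassword and RADIUSPassword are described only as "Provide a different password if necessary", with nothing on how a password supplied as a script parameter should be protected; suggest adding a sentence on that, or recommending the current-user default. In the NetwrixAuditorPlan row the database name is rendered as "Netwrix\_ Auditor_API", with a stray escape and space. The RADIUS parameters also have no group row matching "Connection to Auditor".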
diff --git a/docs/auditor/10.8/addon/radius/powershell.md b/docs/auditor/10.8/addon/radius/powershell.md
new file mode 100644
index 0000000000..8f0745c084
--- /dev/null
+++ b/docs/auditor/10.8/addon/radius/powershell.md
@@ -0,0 +1,39 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 30
+---
+
+# Run the Add-On with PowerShell
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+Follow the steps to run the script with PowerShell.
+
+**Step 1 –** On computer where you want to execute the add-on, start **Windows PowerShell**.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Add-on_for_for_RADIUS_Server.ps1 -
+NetwrixAuditorHost 172.28.6.15 -RADIUSHost 172.28.6.16
+
+**NOTE:** If the script path contains spaces (e.g., _C:\Netwrix Add-ons_), embrace it in double
+quotes and insert the ampersand (**&**) symbol in front (e.g., & "_C:\Netwrix Add-ons_").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in Auditor Audit Database execution may take a
+while. Ensure the script execution completed successfully.
+
+Every time you run the script, Auditor makes a timestamp. The next time you run the script, it will
+start retrieving new events.
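Review bot: The console sample in Step 3 is not in a code block, and the command is wrapped so that the dash is left at the end of one line ("...RADIUS_Server.ps1 -") with "NetwrixAuditorHost" starting the next; copied as shown, it will not run. Please fence the sample and keep "-NetwrixAuditorHost 172.28.6.15 -RADIUSHost 172.28.6.16" on the command line. The script name contains "Add-on_for_for_RADIUS_Server.ps1"; check it against the shipped file name. In the NOTE, the italic markers sit inside the quoted path (& "_C:\Netwrix Add-ons_"), so the underscores may be read as part of the path. The closing paragraph says "Auditor makes a timestamp", while the prerequisites say the add-on writes a .bin file with the last exported event; the two descriptions should agree.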
diff --git a/docs/auditor/10.8/addon/radius/troubleshooting.md b/docs/auditor/10.8/addon/radius/troubleshooting.md
new file mode 100644
index 0000000000..aaa64f3e10
--- /dev/null
+++ b/docs/auditor/10.8/addon/radius/troubleshooting.md
@@ -0,0 +1,12 @@
+---
+title: "Troubleshoot Issues"
+description: "Troubleshoot Issues"
+sidebar_position: 70
+---
+
+# Troubleshoot Issues
+
+| Error in PowerShell | Resolution |
+| -------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| New-Object : Exception calling ".ctor" with "1" argument(s): "Attempted to perform an unauthorized operation." | The account specified for collecting events on the RADIUS server does not have sufficient rights and permissions or the password is incorrect. - Check the password for this account. - Select the account that belongs to the **Domain Users** group and has the **Manage auditing and security log** right in domain where the RADIUS server resides. |
+| New-Object : Exception calling ".ctor" with "1" argument(s): "The RPC server is unavailable" | The firewall on the RADIUS server blocks the script execution. On the server, navigate to the **Help Protect your computer with Windows Firewall** page, select **Advanced Settings** and enable the **Remote Event Log Management (RPC)** inbound rule. |
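Review bot: In the first row, the two remediation items are flattened into the cell as " - Check the password ... - Select the account ...", so they render as one run-on sentence; use line breaks inside the cell or move the steps below the table. The same row reads "in domain where", which should be "in the domain where". In the second row, "blocks the script execution" is imprecise, since the quoted error and the fix (enabling the Remote Event Log Management (RPC) inbound rule) both concern the remote connection to the RADIUS server, not execution of the script.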
diff --git a/docs/auditor/10.8/addon/servicenow/_category_.json b/docs/auditor/10.8/addon/servicenow/_category_.json
new file mode 100644
index 0000000000..3eecc0effe
--- /dev/null
+++ b/docs/auditor/10.8/addon/servicenow/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "ServiceNow Incident Management",
+ "position": 200,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
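Review bot: This file is added without a trailing newline (see the "\ No newline at end of file" marker), as are the other _category_.json files in this patch; please end them with a newline so later edits do not produce spurious diffs. Also confirm that "position": 200 here is meant to match the sidebar_position: 200 declared in overview.md of the same folder.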
diff --git a/docs/auditor/10.8/addon/servicenow/alerts.md b/docs/auditor/10.8/addon/servicenow/alerts.md
new file mode 100644
index 0000000000..8dd83e904e
--- /dev/null
+++ b/docs/auditor/10.8/addon/servicenow/alerts.md
@@ -0,0 +1,42 @@
+---
+title: "Integrate Alerts with Add-On"
+description: "Integrate Alerts with Add-On"
+sidebar_position: 30
+---
+
+# Integrate Alerts with Add-On
+
+The add-on is shipped with a special set of alerts developed by Netwrixindustry experts. These
+alerts are helpful for handling some routine cases that require service manager's attention, e.g.,
+account lockouts, changes to administrative groups. The alerts have preset filters and can be easily
+uploaded to Auditor, and then integrated with the add-on and your ServiceNow system. These alerts
+have ITSM Addon prefix in their names.
+
+Alternatively, you can integrate any default Auditor alert or your custom-built alerts with the
+addon.
+
+By default, none of the alerts are integrated with add-on. To instruct the add-on to create tickets
+for alerts, you should enable integration. Netwrix provides a command-line tool for enabling
+integration with the add-on.
+
+**NOTE:** Make sure to turn on alerting in Auditor. You should manually set the state to "**On**"
+for all alerts you want to integrate with the add-on.
+
+Perform the following steps to integrate alerts with the add-on:
+
+**Step 1 –** On the computer where the Auditor Server is installed, start the **Command Prompt** and
+run the **Netwrix.ITSM.AlertsUploaderTool.exe** tool. The tool is located in the add-on folder. For
+example:
+
+C:\>cd C:\Add-on
+
+C:\Add-on\Netwrix.ITSM.AlertsUploaderTool.exe
+
+**Step 2 –** Execute one of the following commands depending on your task.
+
+| To... | Execute... |
+| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Upload alert set shipped with the addon to Auditor | Netwrix.ITSM.AlertsUploaderTool.exe /UploadTemplates Once uploaded, the alerts appear in the **All Alerts** list in Auditor, their names start with "_ITSM add-on_". Make sure to set their state to **"On**" (turn them on) manually. |
+| Review alert list and their integration status | Netwrix.ITSM.AlertsUploaderTool.exe /List You will see the full list of Auditor alerts, with an enabled or disabled integration status for each alert. |
+| Enable integration | Netwrix.ITSM.AlertsUploaderTool.exe /Update "``" Enable where `` is the name of the alert you want to integrate with the add-on. Provide alert names as they appear in Auditor. **NOTE:** You can enable integration with one alert at a time. For example: Netwrix.ITSM.AlertsUploaderTool.exe /Update "ITSM Add-On: User Account Locked Out" Enable |
+| Disable integration | Netwrix.ITSM.AlertsUploaderTool.exe /Update "``" Disable where `` is the name of the alert for which you want to disable integration. **NOTE:** You can disable integration with one alert at a time. For example: Netwrix.ITSM.AlertsUploaderTool.exe /Update "ITSM Add-On: User Account Locked Out" Disable |
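Review bot: In the "Enable integration" and "Disable integration" rows, the alert-name placeholder is missing: the command reads /Update "``" Enable and the explanation reads "where `` is the name of the alert", so the reader cannot tell what goes between the quotes. Restore the placeholder with escaping that survives the Markdown build. The alert prefix is written three ways in this file ("ITSM Addon" in the intro, "_ITSM add-on_" in the UploadTemplates row, "ITSM Add-On:" in the examples); since the tool requires names "as they appear in Auditor", use the exact prefix everywhere. "Netwrixindustry" in the first paragraph is missing a space, and the Step 1 command lines should be in a code block.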
diff --git a/docs/auditor/10.8/addon/servicenow/deployment.md b/docs/auditor/10.8/addon/servicenow/deployment.md
new file mode 100644
index 0000000000..d9a95c0a71
--- /dev/null
+++ b/docs/auditor/10.8/addon/servicenow/deployment.md
@@ -0,0 +1,56 @@
+---
+title: "Deploy the Service"
+description: "Deploy the Service"
+sidebar_position: 40
+---
+
+# Deploy the Service
+
+Follow the steps to deploy the service.
+
+**Step 1 –** Locate the add-on folder on the computer where the Auditor Server resides.
+
+**Step 2 –** Run the **install.cmd** file. The file deploys and enables the Auditor **ITSM
+Integration Service**.
+
+**NOTE:** Stop and then restart the service every time you update any of configuration files.
+
+## Configure Integration Service to Use Proxy
+
+If you are using a proxy to provide access to the Internet, consider that the Auditor ITSM
+Integration Service will need some additional configuration for proxy server to be detected
+properly. The reason is that this service runs under the **LocalSystem** account (non-interactive),
+which requires proxy settings to be specified manually. See the following Microsoft article for
+additional information:
+[HTTP proxy.](https://docs.microsoft.com/en-us/dotnet/framework/network-programming/automatic-proxy-detection)
+
+Follow the step to configure integration service settings.
+
+**Step 3 –** Navigate to the add-on folder (default name is _Netwrix_Auditor_Add-on_for_ITSM_) and
+select the **Netwrix.ITSM.IntegrationService.exe.config** service configuration file.
+
+**NOTE:** If Auditor ITSM Integration Service is running, stop it before modifying configuration
+file.
+
+**Step 4 –** Open this XML file for edit and add the following section:
+
+```xml
+
+
+
+
+
+```
+
+Here:
+
+| Parameter | Description |
+| ---------------- | ------------------------------------------------------------------------------------------------- |
+| proxyaddress | Specify default proxy address and connection port, e.g., _http://172.28.13.79:8080_ |
+| usesystemdefault | Set to **True** to allow Internet Explorer proxy settings to be overwritten with custom settings. |
+| autoDetect | Set to **False**. |
+
+**Step 5 –** Start the Auditor ITSM Integration Service.
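Review bot: The xml code block under Step 4 is empty (five blank lines between the fences), so the section the reader is told to add is missing, while the table below it describes proxyaddress, usesystemdefault and autoDetect. Please restore the configuration snippet. The step numbering also continues as Step 3 to Step 5 under the new "Configure Integration Service to Use Proxy" heading, after "Follow the step to configure"; restart at Step 1 and use "Follow the steps". The usesystemdefault description ("Set to True to allow Internet Explorer proxy settings to be overwritten with custom settings") is hard to reconcile with a manually specified proxyaddress and should be checked against the restored snippet.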
diff --git a/docs/auditor/10.8/addon/servicenow/install.md b/docs/auditor/10.8/addon/servicenow/install.md
new file mode 100644
index 0000000000..25f36dee4c
--- /dev/null
+++ b/docs/auditor/10.8/addon/servicenow/install.md
@@ -0,0 +1,20 @@
+---
+title: "Install Add-On"
+description: "Install Add-On"
+sidebar_position: 10
+---
+
+# Install Add-On
+
+After downloading the add-on package from Netwrix add-on store, copy it to the a computer where the
+Auditor Server resides. Unpack the ZIP archive to a folder of your choice; by default, it will be
+unpacked to the **Netwrix_Auditor_Add-on_for_ITSM** folder.
+
+The main component of the add- on is implemented as a service named Netwrix Auditor **ITSM
+Integration Service**. This service will run on the computer where the Auditor Server works, and
+will use the default Integration API port **9699**. Unless specified, the service will run under the
+**LocalSystem** account.
+
+To use the add-on, you should check the prerequisites and specify configuration settings, as
+described in the next sections. After that, run the installer that will apply settings and start the
+service. See the [Deploy the Service](/docs/auditor/10.8/addon/servicenow/deployment.md) topic for additional information.
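Review bot: Two typos in the added text need fixing: "copy it to the a computer" in the first paragraph and "add- on" (stray space) in the second. The second paragraph states that the service runs under LocalSystem "unless specified" but does not say where a different account is specified; a pointer to the NetwrixAuditorUserName parameter or the service properties, both mentioned in parameters.md, would close that gap.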
diff --git a/docs/auditor/10.8/addon/servicenow/overview.md b/docs/auditor/10.8/addon/servicenow/overview.md
new file mode 100644
index 0000000000..568065961b
--- /dev/null
+++ b/docs/auditor/10.8/addon/servicenow/overview.md
@@ -0,0 +1,42 @@
+---
+title: "ServiceNow Incident Management"
+description: "ServiceNow Incident Management"
+sidebar_position: 200
+---
+
+# ServiceNow Incident Management
+
+The add-on works in collaboration with Netwrix Auditor, supplying data on suspicious activity or
+improper actions right to your helpdesk action center. Aggregating data into a single trail
+simplifies incident processing and handling, makes IT service management more cost effective, and
+helps address threats as soon as possible.
+
+Implemented as a service, this add-on facilitates the data transition from Netwrix Auditor to
+ServiceNow ITSM system. The service automatically creates incident tickets in your system and
+updates them with subsequent events. All you have to do is provide connection details and specify
+what actions should lead to ticket creation.
+
+On a high level, the add-on works as follows:
+
+1. The add-ons comes with a special set of alerts developed by Netwrix industry experts. With a help
+ of a straight- forward command- line tool, you upload these alerts to Netwrix Auditor and enable
+ integration with add-on.
+2. Whenever the alert is triggered, the add-on retrieves an Activity Records for this action using
+ the Netwrix Auditor Integration API. Each Activity Record contains the user account, action,
+ time, and other details.
+3. The add-on creates an incident ticket in ServiceNow, populates it with data that was available in
+ the alert, and assigns to a proper team. Now, you can process a ticket as usual.
+
+ To prevent ticket overflow, the service provides an advanced flood suppression mechanism.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ----------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| The Auditor Server side | - Auditor version is **9.8** or later. - The Audit Database settings are configured in the Auditor. See the [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md)topic for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in the Auditor or is a member of the Netwrix Auditor Client Users group. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| On the ServiceNow side | - ServiceNow version should be any of the following: - Helsinki - Istanbul - Kingston - London **NOTE:** Currently, Jakarta version has only experimental support. - A new user is created and has sufficient permissions to create tickets and update them. The **itil** role is recommended. If you want to reopen closed tickets, you must be granted the right to perform **Write** operations on inactive incidents. |
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information.
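Review bot: In the prerequisites table, the ServiceNow row flattens a nested list into one line ("any of the following: - Helsinki - Istanbul - Kingston - London NOTE: ..."), and its first cell reads "On the ServiceNow side" under an "On..." header, duplicating the word. The Auditor row has no space after the link ("auditdatabase.md)topic"). This row names the Netwrix Auditor Client Users group as the alternative to Global reviewer, whereas parameters.md in this patch names the Administrators group for the same account; please make the two consistent. Minor wording in the numbered list: "The add-ons comes", "With a help of", "straight- forward command- line", "an Activity Records".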
diff --git a/docs/auditor/10.8/addon/servicenow/parameters.md b/docs/auditor/10.8/addon/servicenow/parameters.md
new file mode 100644
index 0000000000..d574a8a695
--- /dev/null
+++ b/docs/auditor/10.8/addon/servicenow/parameters.md
@@ -0,0 +1,103 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 20
+---
+
+# Define Parameters
+
+## General
+
+Perform the following steps to define general parameters for the Add-On:
+
+**Step 1 –** Navigate to your add-on folder and select the **ITSMSettings.xml** file.
+
+**Step 2 –** Define general parameters such as Auditor connection parameters, the number of tickets
+the service can create per hour, ability to reopen closed tickets, etc. For most parameters, default
+values are provided.
+
+**Step 3 –** Provide new values as follows: `value`. You can skip or define
+parameters depending on your execution scenario and security policies.
+
+| Parameter | Default value | Description |
+| ----------------------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| **Connection to Netwrix Auditor** | | |
+| NetwrixAuditorHost | localhost:9699 | - The add-on runs on the computer where the Auditor Server resides and uses the default Integration API port **9699**. To specify a non-default port, provide a new port number (e.g., _https://localhost:8788_). - The add- on must always run locally, on the computer where the Auditor Server resides. |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs under the **LocalSystem** account. If you want the add-on to use another account to connect to the Auditor Server, specify the account name in the _DOMAIN\username_ format. Alternatively, after deploying the **Netwrix Auditor ITSM Integration Service** service, specify an account in its properties. The account must be assigned the Global reviewer role in the Auditor or be a member of the Netwrix Auditor**Administrators** group. The user must have sufficient permissions to create files on the computer. |
+| NetwrixAuditorPassword | – | Provide a password for the account. Unless an account is specified, the service runs under the **LocalSystem** account and does not require a password. |
+| TicketFloodLimit | 10 | Specify the maximum number of standalone tickets the service can create during **TicketFloodInterval**. If a ticket flood limit is reached, the service writes all new alerts into a single ticket. |
+| TicketFloodInterval | 3600 | Specify the time period, in seconds. During this time period, the service can create as many tickets as specified in **TicketFloodLimit**. The default value is 3600 seconds, i.e., 1 hour. |
+| ConsolidationInterval | 900 | Specify the time period, in seconds. During this time period, the service does not process similar alerts as they happen but consolidates them before updating open tickets in your ITSM. The default values is 900 seconds, i.e., 15 minutes. This option works in combination with **UpdateTicketOnRepetitiveAlerts** and is helpful if you want to reduce the number of ticket updates on ITSM side. I.e., this option defines the maximum delay for processing alerts and updating existing tickets. Tickets for new alert types are created immediately. For example, a new alert is triggered—the service opens a new incident ticket. The alert keeps firing 20 times more within 10 minutes. Instead of updating the ticket every time, the service consolidates alerts for 15 minutes, and then updates a ticket just ones with all collected data. |
+| CheckAlertQueueInterval | 5 | Internal parameter. Check and process the alert queue every N seconds; in seconds. |
+| UpdateTicketOnRepetitiveAlerts | true | Instead of creating a new ticket, reopen an existing ticket that is in a closed state (be default, closed, canceled, and resolved) if a similar alert occurs within **UpdateInterval**. This option works only when **UpdateTicketOnRepetitiveAlerts** is set to "_true_". **NOTE:** If you want to reopen closed tickets, you must be granted the right to perform **Write** operations on inactive incidents. |
+| UpdateInterval | 86400 | Specify the time period, in seconds. If a similar alert occurs in less than N seconds, it is treated as a part of an existing incident. The default value is 86400 seconds, i.e., 24 hours. If an alerts is triggered after the **UpdateInterval** is over, a new ticket is created. |
+| EnableTicketCorrelation | true | Review history and complement new tickets with information about similar tickets created previously. This information is written to the **Description** field. This option is helpful if you want to see if there is any correlation between past incidents (occurred during last month, by default) and a current incident. |
+| CorrelationInterval | 2592000 | Specify the time period, in seconds. During this time period, the service treats similar tickets as related and complements a new ticket with data from a previous ticket. The default value is 2592000 seconds, i.e., 1 month. Information on alerts that are older than 1 month is removed from internal service storage. |
+| ProcessActivityRecordQueueInterval | 5 | Internal parameter. Process Activity Record queue every N seconds; in seconds. |
+| DisplayOnlyFirstActivityRecord | true | Add only the first Activity Record in the work notes, Activity Records that update this ticket will be added as attachments to this ticket. If false, all Activity Records will be displayed in the ticket work notes. |
+| **ActivityRecordRequestsRetention** | | |
+| RequestLimit | 5000 | Internal parameter. The maximum number of Activity Record requests the service can store in its internal memory. Once the limit is reached, the service clears Activity Record requests starting with older ones. |
+| RequestLimitInterval | 604800 | Internal parameter. The service can store the Activity Record requests not older than N seconds; in seconds. Older Activity Record requests are cleared. |
+| **ActivityRecordWebRequests** | | |
+| RequestLimit | 200 | Internal parameter. The maximum number of Activity Records the service can retrieve in a single request. |
+| RequestTimeout | 180 | Internal parameter. By default, 3 minutes. Defines the connection timeout. |
+| **TicketRequestsRetention** | | |
+| RequestLimit | 300000 | Internal parameter. The maximum number of ticket requests the service can store in its internal memory. Once the limit is reached, the service clears ticket requests starting with older ones. |
+| RequestLimitInterval | 604800 | Internal parameter. The service can store the ticket requests not older than N seconds; in seconds. Older tickets requests are cleared. |
+
+**NOTE:** Stop and then restart the service every time you update any of configuration files.
+
+## ServiceNow Parameters
+
+Follow the steps to define ServiceNow parameters:
+
+**Step 1 –** Navigate to your add-on folder and select **ServiceNowSettings.xml**.
+
+**Step 2 –** Define parameters such as ServiceNow connection parameters inside the ``
+section.
+
+**Step 3 –** Provide new values as follows: `value`.
+
+| `` parameter | Default value | Description |
+| ------------------------ | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| URL | — | Provide a link to your ServiceNow system (e.g., _https://enterprise.service-now.com_). |
+| UserName | — | Specify a user account. Make sure the user has sufficient permissions to create tickets and update them. The **itil** role is recommended. **NOTE:** If you want to reopen closed tickets, you must be granted the right to perform **Write** operations on inactive incidents. |
+| Password | — | Provide a password. |
+
+**Step 4 –** Review the `` section. The parameters inside this section correspond
+to ServiceNow ticket fields and use the same naming (e.g., priority, urgency). To find out a field
+name in ServiceNow, switch to XML view (on the ticket header, navigate to Show XML).
+
+Each `` includes the` ` and` ` pair that defines a
+ServiceNow ticket field and a value that will be assigned to it. For most parameters, default values
+are provided. Add more ticket parameters or update values if necessary.
+
+**NOTE:** The template remains the same for all alerts and cannot be adjusted per individual alerts.
+
+| Name | Value | Description |
+| ------------------ | -------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| short_description | [Netwrix Auditor] %AlertName% | Sets **Short** description to alert title (e.g., _[Netwrix Auditor] ITSM Add-On: User Account Locked Out)_. |
+| category | software | Sets the incident **Category** to "_Software_". |
+| impact | 1 | Sets **Impact** to "_1 – High_". |
+| urgency | 1 | Sets **Urgency** to "_1 – High_". |
+| severity | 1 | Sets **Severity** to "_1 – High_". |
+| assignment\_ group | d625dccec0a8016700a22a0 f7900d06 | Sets **Assignment** group to "_Service Desk_". **NOTE:** You cannot use a group name as a value. Provide its guid instead. |
+| description | %AlertDescription% %PreviousTicketReference% | Provides an alert description and references to related tickets in **Description**. |
+| work_notes | Alert Details: ... | Adds the full alert text to Work notes, including data source, who, what, where, etc. To find out what is included in the alert details, see the **ServiceNowSettings.xml** file. **NOTE:** You can write alert details in the **Additional comments** field instead of Work notes. To do this, rename `work_notes `into `comments`. If you want to write alert details into both fields, create a copy of `` entry containing work_notes and `work_notes` into `comments` section. It shows what information about related
+tickets will be included in your current ticket. Update the template if necessary.
+
+| CorrelationTicketFormat | Description |
+| -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Previous incident for the same alert type: Number: %number% Opened: %opened_at% Assigned to: %assigned_to% Assignment group: %assignment_group% State: %state% | Each` %parameter%` corresponds to a ServiceNow ticket field. The service will automatically substitute these parameters with values from a related ticket. Rearrange fields or add more if necessary. To find out a field name in ServiceNow, switch to XML view (on the ticket header, navigate to **Show XML**). |
+
+**Step 6 –** Review the `` section. It defines the tickets the add- on can
+reopen automatically.
+
+| Name | Description |
+| ------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| ClosedTicketStates TicketState | Lists ticket statuses. Only tickets with this status can be reopened. By default, resolved, closed, and canceled tickets can be reopened. To specify a new status, provide its ID in the `` tag (e.g., 8 for canceled). |
+| NewState | Defines a ticket status once it is reopened. By default, new. To specify another status, provide its ID in the `` tag (e.g., 1 for new). |
+
+**NOTE:** Stop and then restart the service every time you update any of configuration files.
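Review bot: The XML element names have been lost from the end of this file: Step 6 reads "Review the `` section", the ClosedTicketStates and NewState rows both say "provide its ID in the `` tag", and the work_notes row says "create a copy of `` entry". Restore the tag names from ServiceNowSettings.xml so the reader knows which elements to edit. The work_notes cell also runs straight into text that belongs to a later step ("into `comments` section. It shows what information about related tickets will be included"), so the end of that table row and the start of the following step need to be restored. In the assignment group row the key is written "assignment\_ group" and the sample guid contains a space; since the note in that row says a guid must be supplied as the value, both should be exact enough to copy.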
diff --git a/docs/auditor/10.8/addon/siem/_category_.json b/docs/auditor/10.8/addon/siem/_category_.json
new file mode 100644
index 0000000000..029d7c08f9
--- /dev/null
+++ b/docs/auditor/10.8/addon/siem/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "SIEM",
+ "position": 210,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/siem/activityrecords.md b/docs/auditor/10.8/addon/siem/activityrecords.md
new file mode 100644
index 0000000000..a662ce3900
--- /dev/null
+++ b/docs/auditor/10.8/addon/siem/activityrecords.md
@@ -0,0 +1,112 @@
+---
+title: "Export Activity Records"
+description: "Export Activity Records"
+sidebar_position: 30
+---
+
+# Export Activity Records
+
+## Export Activity Records Associated with the Alert
+
+To export only important audit data, that is, the Activity Records that led to the alert triggering,
+configure the alert response action, providing path to
+**Netwrix_Auditor_Alerts_to_Event_Log_Add-on.ps1**. See the [SIEM](/docs/auditor/10.8/addon/siem/overview.md) topic for additional
+information.
+
+## Export Activity Records in Bulk
+
+As said, Netwrix recommends exporting the most important data, using the script described above.
+However, if you need to export all Activity Records in bulk, follow the recommendations below.
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters—the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+Follow the steps to run add-on with PowerShell:
+
+**Step 1 –** On computer where you want to execute the add-on, start Windows PowerShell.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Activity_Records_to_Event_Log_Add-on.ps1.ps1
+
+If the script path contains spaces (e.g., `C:\Netwrix Add-ons\`), embrace it in double quotes and
+insert the ampersand (&) symbol in front (e.g., `& "C:\Netwrix Add-ons\"`).
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in Auditor Audit Database execution may take a
+while. Ensure the script execution completed successfully. The Netwrix Auditor Integration event log
+will be created and filled with events.
+
+By default, the Netwrix Auditor Integration event log size is set to _1GB_, and retention is set to
+_"Overwrite events as needed"_. See the [Integration Event Log Fields](/docs/auditor/10.8/addon/siem/integrationeventlog.md) topic
+for additional information.
+
+Event records with more than 30,000 characters length will be trimmed.
+
+At the end of each run, the script creates the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDs.txt** file. It defines mapping between the
+Activity Records and related Event IDs .
+
+You can use this file to track possible duplicates of Event IDs created at each script execution.
+Duplicates, if any, are written to the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDsDuplicates.txt** file.
+
+Similarly, the add-on also creates the **Netwrix_Auditor_Event_Log_Export_Add-on_CategoriesIDs.txt**
+file that defines mapping between the Data Source and related Category ID.
+
+### Apply Filters
+
+Every time you run the script, Auditor makes a timestamp. The next time you run the script, it will
+start retrieving new Activity Records. Consider the following:
+
+- By default, the add-on does not apply any filters when exporting Activity Records. If you are
+ running the add-on for the first time (there is no timestamp yet) with no filters, it will export
+ Activity Records for the last month only. This helps to optimize solution performance during the
+ first run. At the end of the first run, the timestamp will be created, and the next run will start
+ export from that timestamp.
+- However, if you have specified a time period for Activity Records to be exported, then this filter
+ will be applied at the add-on first run and the runs that follow.
+
+### Automate Add-On Execution
+
+To ensure you feed the most recent data to your SIEM solution, you can schedule a daily task for
+running the Activity Records to Event Log add-on.
+
+To ensure you feed the most recent data to your SIEM solution, Netwrix recommends scheduling a daily
+task for running the add-on.
+
+**Perform the following steps to create a scheduled task:**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task
+Scheduler**.Task Scheduler.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrixrecommends scheduling a
+daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to _"Start a program"_. |
+| Program/script | Input _"Powershell.exe"_. |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix_Auditor_Audit_Records_to_Event_Log_Add-on.ps1" |
+
+**Step 5 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
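Review bot: The script file name is inconsistent within this page: the Step 3 console sample ends in "Add-on.ps1.ps1", and the Step 4 scheduled-task argument uses "Netwrix_Auditor_Audit_Records_to_Event_Log_Add-on.ps1" while the console sample uses "Netwrix_Auditor_Activity_Records_to_Event_Log_Add-on.ps1". Use the real file name in both places, since readers will copy these paths. Under "Automate Add-On Execution" the opening sentence appears twice in slightly different wording, Step 1 has a stray "Task Scheduler." after the bold text, and Step 3 has "Netwrixrecommends". Step 2's "all necessary rights and permissions" would be more useful with a link to the prerequisites in the SIEM overview topic, which lists the role and folder permissions the account needs.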
diff --git a/docs/auditor/10.8/addon/siem/collecteddata.md b/docs/auditor/10.8/addon/siem/collecteddata.md
new file mode 100644
index 0000000000..2a5c298623
--- /dev/null
+++ b/docs/auditor/10.8/addon/siem/collecteddata.md
@@ -0,0 +1,21 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 40
+---
+
+# Work with Collected Data
+
+Follow the steps to work with collected data:
+
+**Step 1 –** On the computer where you executed the add-on, navigate to **Start** > **All
+Programs** > **Event Viewer**.
+
+**Step 2 –** In the Event Viewer dialog, navigate to **Event Viewer (local)** > **Applications and
+Services Logs** >Netwrix Auditor Integration log.
+
+**Step 3 –** Review events.
+
+
+
+Now you can augment Windows event log with data collected by the Auditor.
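Review bot: Step 2 names the log "Netwrix Auditor Integration log", unformatted and with no space after the ">", while the overview topic added in this same change calls it Netwrix_Auditor_Integration. Use the exact log name as it appears in Event Viewer and bold it like the other navigation elements in the step. The empty lines between Step 3 and the closing sentence can be reduced to one.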
diff --git a/docs/auditor/10.8/addon/siem/configure.md b/docs/auditor/10.8/addon/siem/configure.md
new file mode 100644
index 0000000000..9f7065066d
--- /dev/null
+++ b/docs/auditor/10.8/addon/siem/configure.md
@@ -0,0 +1,47 @@
+---
+title: "Configuration"
+description: "Configuration"
+sidebar_position: 10
+---
+
+# Configuration
+
+## Activity Records to Event Log Add-on Connection
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/siem/deployment.md) topic
+for more information.
+
+| Parameter | Default value | Description |
+| ------------------------- | ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Connection to Auditor** | | |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting Auditor Server and uses default port **9699**. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15, EnterpriseNAServer, WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.enterprise.local:9999_). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. The account must be assigned the Global reviewer role in Auditor or be a member of the Netwrix Auditor **Client Users** group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
+
+## In-Script Parameters
+
+You may also need to modify the parameters that define how EventIDs should be generated for exported
+events, though their default values address most popular usage scenarios. In-script parameters are
+listed in the table below. To modify them, open the script for edit and enter the values you need.
+
+Once set, these parameter values must stay unchanged until the last run of the script — otherwise
+dynamically calculated EventIDs will be modified and applied incorrectly.
+
+| Parameter | Default value | Description |
+| ------------------------------ | ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| **EventID generation** | | |
+| GenerateEventId | True | Defines whether to generated unique EventIDs. Possible parameter values: - True — generate unique EventIDs using Activity Record fields - False — do not generate a unique ID, set EventID=0 for all cases EventID is generated through CRC32 calculation that involves the following Activity Record field values: - ObjectType - Action - DataSource (optional, see below for details) Only the lowest 16 bits of the calculation result are used. See the [Activity Records](/docs/auditor/10.8/api/postdata/activityrecords.md) topic for additional information. |
+| IncludeDataSourceToMakeEventId | True | Defines whether the DataSource field of Activity Record should be used in the EventID calculation. This parameter is applied only if GenerateEventId is set to TRUE. _Object Type - Action_ pair may be identical for several data sources (e.g., Object='User' and Action='Added'); thus, excluding DataSource from calculation may lead to the same EventID (duplicates). See the [Export Activity Records ](/docs/auditor/10.8/addon/siem/activityrecords.md) topic for additional information.. |
+| SetDataSourceAsEventCategory | True | Defines whether to fill in Event Category event field with a numeric value derived from the **DataSource** field of Activity Record. Possible parameter values: - True — generate a numeric value for Event Category using Activity Record field - False — do not generate a numeric value, set Event Category=1 for all cases The Event Category field value is generated through CRC32 calculation that involves the **DataSource** field of Activity Record. Only the lowest 9 bits of the calculation result are used. |
+| SetDataSourceAsEventSource | False | Defines whether to fill in the Event Source event field with the value from the **DataSource** field of Activity Record. Possible parameter values: - True — fill in the Event Source with the value from DataSource field of Activity Record, adding the prefix defined by $EventSourcePrefix. Default prefix is _NA_, for example:_NA Windows Server_ - False — set Event Source to _Netwrix_Auditor_Integration_API_ for all cases If the script cannot fill in the Event Source for some DataSource, the default value _Netwrix_Auditor_Integration_API_ will be used. If the event source for particular **DataSource** does not exist in the Netwrix_Auditor_Integration event log, elevated privileges are required for add-on execution. |
+
+## Alerts to Event Log Add-on Settings
+
+This add-on requires you to specify the following parameter:
+
+| Parameter | Description | Example |
+| -------------------- | ------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------- |
+| NetwrixPathToCsvData | Specify path to the auxiliary CSV file storing the data of activity records associated with the alert. | `%ProgramData%\Netwrix Auditor\ AuditCore\AuditArchive\ AlertsToolLauncher\ Csv\file.csv` |
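Review bot: The NetwrixAuditorPassword row says only "Provide a different password if necessary" and does not tell the reader that the value is supplied as a plain-text script argument, as the examples in the execution-scenario topic show. Add a sentence here pointing to the recommendation in that topic to run the script under a dedicated account with current user credentials, so the safer option is visible where the parameter is defined. In the In-Script Parameters table, the GenerateEventId, SetDataSourceAsEventCategory and SetDataSourceAsEventSource cells have their value lists flattened into one run of text ("Possible parameter values: - True ... - False ..."), GenerateEventId has "whether to generated", and the IncludeDataSourceToMakeEventId cell ends in "information..". The NetwrixPathToCsvData example path has spaces after several backslashes inside the code span, so it will not resolve if copied.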
diff --git a/docs/auditor/10.8/addon/siem/deployment.md b/docs/auditor/10.8/addon/siem/deployment.md
new file mode 100644
index 0000000000..73a9db3f95
--- /dev/null
+++ b/docs/auditor/10.8/addon/siem/deployment.md
@@ -0,0 +1,38 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+## Netwrix Auditor Activity Records to Event Log Add-on
+
+Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can
+run the add-on on the computer where Auditor is installed or on a remote server. Depending on the
+execution scenario you choose, you have to define a different set of parameters. See the
+[Configuration](/docs/auditor/10.8/addon/siem/configure.md) topic for additional information.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| ------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on the Auditor Server with the current user credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix_Auditor_Activity_Records_to_Event_Log_Add-on.ps1 |
+| The add-on runs on the Auditor Server with explicitly defined credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix_Auditor_Activity_Records_to_Event_Log_Add-on.ps1 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+| The add-on exports Activity Records from a remote Auditor Server using current user credentials and writes data to a local event log. | C:\Add-ons\Netwrix_Auditor_Activity_Records_to_Event_Log_Add-on.ps1 Netwrix Auditor add-on for SIEM |
+| The add-on exports Activity Records from a remote Auditor server using explicitly defined credentials and writes data to a local event log. | C:\Add-ons\Netwrix_Auditor_Activity_Records_to_Event_Log_Add-on.ps1 Netwrix Auditor add-on for SIEM-NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
+
+## Alerts to Event Log Add-on
+
+The script will be executed on Auditor Server.
+
+By default, Auditor uses the _LocalSystem_ account to run PowerShell scripts. If you want to use
+another account, in the alert settings go to **Response Action**, select the **Use custom
+credentials** checkbox and specify user name and password. Make sure this account has **Log on as
+batch job** privilege. See the
+[Configure a Response Action for Alert](/docs/auditor/10.8/admin/alertsettings/responseaction.md) topic for
+additional information.
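Review bot: In the two remote-server rows of the scenario table, the example commands contain the text "Netwrix Auditor add-on for SIEM" where a -NetwrixAuditorHost argument would be expected, and the last row runs it into the next parameter ("SIEM-NetwrixAuditorUserName"). As written, neither command targets a remote server; replace the stray text with -NetwrixAuditorHost and a sample host, in line with the parameter table in the Configuration topic. The explicit-credential rows also put a sample password on the command line, so consider moving the paragraph that recommends current user credentials above the table, or repeating it next to those rows.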
diff --git a/docs/auditor/10.8/addon/siem/integrationeventlog.md b/docs/auditor/10.8/addon/siem/integrationeventlog.md
new file mode 100644
index 0000000000..bb0ba17b32
--- /dev/null
+++ b/docs/auditor/10.8/addon/siem/integrationeventlog.md
@@ -0,0 +1,40 @@
+---
+title: "Integration Event Log Fields"
+description: "Integration Event Log Fields"
+sidebar_position: 50
+---
+
+# Integration Event Log Fields
+
+This section describes how the add-on fills in the Netwrix Auditor **Integration** event log fields
+with data retrieved from Activity Records.
+
+The Activity Record structure is described in the
+[Reference for Creating Activity Records](/docs/auditor/10.8/api/activityrecordreference.md)topic.
+
+| Event log field name | Filled in with value | Details |
+| -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Source | **NA\_\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_ | Depending on _SetDataSourceAsEventSource_ in-script parameter. |
+| EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). |
+| Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. |
+
+See the [Configuration](/docs/auditor/10.8/addon/siem/configure.md) topic for additional information.
+
+EventData is filled in with data from the Activity Record fields as follows:
+
+| Entry in EventData | Activity Record field |
+| ------------------ | --------------------- |
+| DataSource | `{DataSource}` |
+| Action | `{Action}` |
+| Message | `{Action ObjectType}` |
+| Where | `{Where}` |
+| ObjectType | `{ObjectType}` |
+| Who | `{Who}` |
+| What | `{What}` |
+| When | `{When}` |
+| Workstation | `{Workstation}` |
+| Details | `{Details}` |
+
+Details are filled in only if this Activity Record field is not empty.
+
+
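Review bot: The Source row's value cell has broken emphasis markup: "**NA\_\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_" will render stray asterisks and underscores, and it leaves unclear what the prefix and the default source name are. The Configuration topic gives the prefix as NA (example "NA Windows Server") and the default as Netwrix_Auditor_Integration_API; write the cell to match. There is also a missing space before "topic" after the Reference for Creating Activity Records link, and two trailing blank lines at the end of the file.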
diff --git a/docs/auditor/10.8/addon/siem/overview.md b/docs/auditor/10.8/addon/siem/overview.md
new file mode 100644
index 0000000000..1311da3bb3
--- /dev/null
+++ b/docs/auditor/10.8/addon/siem/overview.md
@@ -0,0 +1,89 @@
+---
+title: "SIEM"
+description: "SIEM"
+sidebar_position: 210
+---
+
+# SIEM
+
+Netwrix Auditor Add-on for SIEM helps you to get most from your SIEM investment. This topic focuses
+on the AlienVault USM SIEM solution.
+
+The add-on works in collaboration with Netwrix Auditor, supplying additional data that augments the
+data collected by the SIEM solution.
+
+The add-on enriches your SIEM data with actionable context in human-readable format, including the
+before and after values for every change and data access attempt, both failed and successful.
+Aggregating data into a single audit trail simplifies analysis, makes your SIEM more cost effective,
+and helps you keep tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on facilitates the audit data transition from Netwrix
+Auditor to the SIEM solution. All you have to do is provide connection details and schedule the
+script for execution.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Netwrix Auditor server and retrieves audit data using the Netwrix
+ Auditor Integration API.
+2. The add-on processes Netwrix Auditor-compatible data (Activity Records) into log events that work
+ as input for the SIEM solution. Each event contains the user account, action, time, and other
+ details.
+3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores
+ events there. These events are structured and ready for integration with the SIEM solution.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Netwrix Auditor Integration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+### Netwrix Auditor Activity Records to Event Log Add-on
+
+| On... | Ensure that... |
+| ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor side | - Auditor version is **9.8** or later. - The Audit Database settings are configured in Auditor Server. - The TCP 9699 port (default Integration API port) is open for inbound connections. The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. |
+
+### Netwrix Auditor Alerts to Event Log Add-on
+
+| On... | Ensure that... |
+| ----------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor Server side | - Auditor version is **9.96** or 10. - The alert response action settings in Auditor Server are configured as follows: - **Take action when alert occurs** is switched **ON** - **Run** field contains the path to Windows PowserShell: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe` - **With parameters** field contains the required parameters, including the path to **Netwrix_Auditor_Alerts_to_Event_Log_Add-on.ps1** file. Example: `-File C:\Netwrix_Auditor_Add-on_for_SIEM\Netwrix_Auditor_Alerts_to_Event_Log_Add-on.ps1 -NetwrixPathToCsvData` For details on script parameters, see the section below. - **Write data to CSV file** option is selected - **Command line preview** looks like this: `C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -File C:\Netwrix_Auditor_Add-on_for_SIEM\Netwrix_Auditor_Alerts_to_Event_Log_Add-on.ps1 -NetwrixPathToCsvData {CsvFile}` - By default, the executable file will be launched under the _LocalSystem_ account. If you want to use another account, make sure it has **Log on as batch job** privilege on Netwrix Auditor server. You may want to perform the test run after configuring the script as the alert response action. If so, consider that current user account (logged on to Auditor client) must have local **Administrator** privileges on AuditorServer where the executable file is located. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
+
+## Activity Records to Event Log Add-on
+
+On a high level, this add-on works as follows:
+
+1. The add-on connects to the Auditor server and retrieves audit data using the Integration API.
+2. The add-on processes Netwrix Auditor -compatible data (Activity Records) into log events that
+ work as input for Windows event log. Each event contains the user account, action, time, and
+ other details.
+3. The add-on creates a special Windows event log named Netwrix_Auditor_Integration and stores
+ events there. These events are structured and ready for integration with Windows event log.
+
+For more information on the structure of the Activity Record and the capabilities of the Netwrix
+Auditor Integration API, refer to [Integration API](/docs/auditor/10.8/api/overview.md).
+
+## Netwrix Auditor Alerts to Event Log Add-on
+
+This add-on works as response action to the alert, as follows:
+
+1. The administrator enables and configured response action for selected alert, as described in the
+ following topic:
+ [Configure a Response Action for Alert](/docs/auditor/10.8/admin/alertsettings/responseaction.md). Make sure
+ to provide correct path to the script file and to select the Write data to CSV file option.
+2. When the alert is triggered, the script starts - it retrieves audit data (activity record fields)
+ from the CSV file and processes it into log events. Each event contains the user account, action,
+ time, and other details.
+3. The add-on creates a special Windows event log named Netwrix_Auditor_Integration and stores
+ events there. These events are structured and ready for integration with SIEM system.
+
+See the [Configure a Response Action for Alert](/docs/auditor/10.8/admin/alertsettings/responseaction.md)
+topic for additional information on the alert response actions and CSV file.
diff --git a/docs/auditor/10.8/addon/siemcefexport/_category_.json b/docs/auditor/10.8/addon/siemcefexport/_category_.json
new file mode 100644
index 0000000000..ed3d1358a4
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemcefexport/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "SIEM Generic Integration for CEF Export",
+ "position": 220,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/siemcefexport/automate.md b/docs/auditor/10.8/addon/siemcefexport/automate.md
new file mode 100644
index 0000000000..9750f4d269
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemcefexport/automate.md
@@ -0,0 +1,35 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 40
+---
+
+# Automate Add-On Execution
+
+To ensure you feed the most recent data to your SIEM solution, Netwrix recommends scheduling a daily
+task for running the add-on.
+
+**Perform the following steps to create a scheduled task:**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task Scheduler**.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrixrecommends scheduling a
+daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix_Auditor_CEF_Export_Add-on.ps1" -OutputFolder C:\CEF_Export -NetwrixAuditorHost 172.28.6.15 |
+
+**Step 5 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
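Review bot: Step 3 says the schedule controls how often audit data is "saved to event log", but the Step 4 example runs the CEF export add-on with -OutputFolder C:\CEF_Export, so this sentence appears to be carried over from the event log add-on page and should describe export to the CEF output folder. The script is named Netwrix_Auditor_CEF_Export_Add-on.ps1 here and Netwrix_Auditor_CEF_Export_Addon.ps1 in the execution-scenario topic of the same add-on; use one spelling throughout. Step 3 also has "Netwrixrecommends".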
diff --git a/docs/auditor/10.8/addon/siemcefexport/collecteddata.md b/docs/auditor/10.8/addon/siemcefexport/collecteddata.md
new file mode 100644
index 0000000000..eb9595672d
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemcefexport/collecteddata.md
@@ -0,0 +1,18 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+Follow the steps to work with collected data:
+
+**Step 1 –** Navigate to the destination folder and open a CEF log file.
+
+**Step 2 –** Review audit data exported from the Audit Database. For example, review this
+CEF-formatted string:
+
+`CEF:0|Netwrix|Active Directory|1.0|Added|Added user|0|shost=enterprisedc.enterprise.local cat=user suser=enterprise\\administrator filePath=\\local\\enterprise\\users\\newuser start=Mar 28 2017 14:01:48`
+
+Now you can feed your SIEM solutions with data collected by Auditor.
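Review bot: The sample CEF string in Step 2 carries doubled backslashes (`suser=enterprise\\administrator`, `filePath=\\local\\enterprise\\users\\newuser`) inside a code span, where Markdown renders them literally, so please confirm whether this is the escaping the add-on actually writes or an artifact of the conversion. If it is the real output, add one sentence saying that backslashes in extension values are escaped, so that whoever builds the SIEM parser knows to unescape them before matching on account names or paths.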
diff --git a/docs/auditor/10.8/addon/siemcefexport/deployment.md b/docs/auditor/10.8/addon/siemcefexport/deployment.md
new file mode 100644
index 0000000000..1295850403
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemcefexport/deployment.md
@@ -0,0 +1,25 @@
+---
+title: "deployment"
+description: "deployment"
+sidebar_position: 20
+---
+
+## Choose Appropriate Execution Scenario
+
+Netwrix Auditor Netwrix Risk Insights runs on any computer in your environment. For example, you can
+run the add-on on the computer where Netwrix Auditor is installed or on a remote server. Depending
+on the execution scenario you choose, you have to define a different set of parameters. See the
+[Define Parameters](/docs/auditor/10.8/addon/siemcefexport/parameters.md) topic for additional information.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| ---------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on the Auditor Server with the current user credentials. Activity Records are exported to a local folder. | C:\Add-ons\Netwrix_Auditor_CEF_Export_Addon.ps1 -OutputFolder C:\CEF_Export -OutputFolder C:\CEF_Export |
+| The add-on runs on the Auditor Server with explicitly defined credentials. Activity Records are exported to a local folder. | C:\Add-ons\Netwrix_Auditor_CEF_Export_Addon.ps1 -OutputFolder C:\CEF_Export -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+| The add-on exports Activity Records from a remote Auditor Server using current user credentials and writes data to a local folder. | C:\Add-ons\Netwrix_Auditor_CEF_Export_Addon.ps1 -OutputFolder C:\CEF_Export -NetwrixAuditorHost 172.28.6.15 |
+| The add-on exports Activity Records from a remote Auditor Server using explicitly defined credentials and writes data to a local folder. | C:\Add-ons\Netwrix_Auditor_CEF_Export_Addon. ps1 -OutputFolder C:\CEF_Export - NetwrixAuditorHost 172.28.6.15 - NetwrixAuditorUserName enterprise\NAuser - NetwrixAuditorPassword NetwrixIsCool |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
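Review bot: Two of the four examples in the scenario table pass `-NetwrixAuditorPassword NetwrixIsCool` on the command line while the closing paragraph recommends skipping credentials "for security reasons"; say why next to the examples (the password ends up in the scheduled task definition, console history and any process command-line logging) and mark those rows as not recommended. The examples also need correcting: the first row repeats `-OutputFolder C:\CEF_Export` twice, the fourth row has stray spaces (`Addon. ps1`, `- NetwrixAuditorHost`) that break parameter binding, and the script is named `Netwrix_Auditor_CEF_Export_Addon.ps1` here but `Netwrix_Auditor_CEF_Export_Add-on.ps1` in automate.md and powershell.md. In the front matter and intro, `title: "deployment"` and the `##` heading differ from the sibling add-ons' "Choose Appropriate Execution Scenario" with `#`, "Netwrix Auditor Netwrix Risk Insights runs on any computer" names the wrong product, and the last paragraph asks for permissions to the "event log" although this add-on writes to a folder.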
diff --git a/docs/auditor/10.8/addon/siemcefexport/overview.md b/docs/auditor/10.8/addon/siemcefexport/overview.md
new file mode 100644
index 0000000000..4ea2e91e24
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemcefexport/overview.md
@@ -0,0 +1,50 @@
+---
+title: "SIEM Generic Integration for CEF Export"
+description: "SIEM Generic Integration for CEF Export"
+sidebar_position: 220
+---
+
+# SIEM Generic Integration for CEF Export
+
+Netwrix Auditor Add-on for SIEM helps you to get most from your SIEM investment. This topic focuses
+on the CEF Export SIEM solution.
+
+The add-on works in collaboration with Netwrix Auditor, supplying additional data that augments the
+data collected by the SIEM solution.
+
+The add-on enriches your SIEM data with actionable context in human-readable format, including the
+before and after values for every change and data access attempt, both failed and successful.
+Aggregating data into a single audit trail simplifies analysis, makes your SIEM more cost effective,
+and helps you keep tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on facilitates the audit data transition from Netwrix
+Auditor to the SIEM solution. All you have to do is provide connection details and schedule the
+script for execution.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Netwrix Auditor server and retrieves audit data using the Netwrix
+ Auditor Integration API.
+2. The add-on processes Netwrix Auditor-compatible data (Activity Records) into log events that work
+ as input for the SIEM solution. Each event contains the user account, action, time, and other
+ details.
+3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores
+ events there. These events are structured and ready for integration with the SIEM solution.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Netwrix Auditor Integration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
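Review bot: Item 3 of the "On a high level" list says the add-on creates the **Netwrix_Auditor_Integration** Windows event log, and the last prerequisite says the first run needs elevation "to create event log file", but every other topic in this folder describes CEF log files written to `-OutputFolder`; both statements look carried over from the Event Log Export add-on and should describe the CEF output instead. The prerequisite `Set-ExecutionPolicy Unrestricted` is given without a scope, which changes the policy machine-wide; please state whether a narrower setting (for example a process-scoped policy for the scheduled task only) is sufficient, and document that instead if so. The two "Ensure that..." cells also flatten their bullet lists into one line separated by " - ", which is hard to read once rendered.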
diff --git a/docs/auditor/10.8/addon/siemcefexport/parameters.md b/docs/auditor/10.8/addon/siemcefexport/parameters.md
new file mode 100644
index 0000000000..cea8c1bd5b
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemcefexport/parameters.md
@@ -0,0 +1,26 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the
+[Choose Appropriate Execution Scenario](deployment.md#choose-appropriate-execution-scenario) topic
+for additional information.
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters—the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+| Parameter | Default value | Description |
+| ---------------------- | ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting Auditor Server and uses default port **9699**. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., _172.28.6.15, EnterpriseNAServer, WKS.enterprise.local_). To specify a non-default port, provide a server name followed by the port number (e.g., _WKS.enterprise.local:9999_). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. The account must be assigned the Global reviewer role in Auditor or be a member of the Netwrix Auditor **Client Users** group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
+| OutputFolder | — | Provide a path to the folder to store CEF log files. This is a mandatory parameter. |
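Review bot: The `NetwrixAuditorPassword` row only says "Provide a different password if necessary" and does not mention that the value is passed in clear text as a script argument; add that caveat and a pointer to the recommendation in deployment.md to run under a dedicated account with current user credentials. The row should also say the password belongs to the account given in `NetwrixAuditorUserName`. In the intro, the second paragraph repeats the first paragraph's statement that the script uses default values for omitted parameters, "Most parameters are optional, the script uses" is a comma splice, and the link `deployment.md#choose-appropriate-execution-scenario` is relative while the other links in this change are absolute `/docs/auditor/10.8/...` paths.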
diff --git a/docs/auditor/10.8/addon/siemcefexport/powershell.md b/docs/auditor/10.8/addon/siemcefexport/powershell.md
new file mode 100644
index 0000000000..26a4c47f31
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemcefexport/powershell.md
@@ -0,0 +1,40 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 30
+---
+
+# Run the Add-On with PowerShell
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+Follow the steps to run add-on with PowerShell:
+
+**Step 1 –** On computer where you want to execute the add-on, start Windows PowerShell.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_CEF_Export_Add-on.ps1 -OutputFolder C:\CEF_Export
+-NetwrixAuditorHost 172.28.6.15
+
+**NOTE:** If the script path contains spaces (e.g., _C:\Netwrix Add-ons_), embrace it in double
+quotes and insert the ampersand (**&**) symbol in front (e.g., & "_C:\Netwrix Add-ons_").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in Auditor Audit Database execution may take a
+while. Ensure the script execution completed successfully. The CEF log file will be created in the
+destination folder. Note that details (or 'msg' in CEF terms) exceeding 16000 symbols are trimmed.
+
+Every time you run the script, Auditor makes a timestamp. The next time you run the script, it will
+start retrieving new Activity Records.
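Review bot: The console sample under Step 3 is not in a code fence, so the banner and the command render as ordinary paragraphs and the command is wrapped before `-NetwrixAuditorHost 172.28.6.15`; put the three lines in a fenced block with the command on one line. The NOTE's example `& "C:\Netwrix Add-ons"` quotes only the folder, which cannot be invoked, so show the full script path inside the quotes. The last paragraph says "Auditor makes a timestamp" on every run, while overview.md says the add-on creates a .bin file with the last exported event in the script folder; use one description and mention that deleting that file changes what the next run exports, if that is the case. Minor: "On computer" is missing "the" in Step 1, and "Ensure the script execution completed successfully" does not say what success looks like.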
diff --git a/docs/auditor/10.8/addon/siemeventlogexport/_category_.json b/docs/auditor/10.8/addon/siemeventlogexport/_category_.json
new file mode 100644
index 0000000000..41ebfdc8bb
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemeventlogexport/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "SIEM Generic Integration for Event Log Export",
+ "position": 230,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
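Review bot: The file ends without a trailing newline (`\ No newline at end of file`), as do the other `_category_.json` files added in this change; add one so later edits to these files do not show a spurious change on the closing brace. Also worth confirming that `"id": "overview"` resolves from this folder, since the Access Reviews category at the top of the diff uses an id that matches its document's file name.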
diff --git a/docs/auditor/10.8/addon/siemeventlogexport/automate.md b/docs/auditor/10.8/addon/siemeventlogexport/automate.md
new file mode 100644
index 0000000000..a038856cad
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemeventlogexport/automate.md
@@ -0,0 +1,35 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 40
+---
+
+# Automate Add-On Execution
+
+To ensure you feed the most recent data to your SIEM solution, Netwrix recommends scheduling a daily
+task for running the add-on.
+
+**Perform the following steps to create a scheduled task:**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task Scheduler**.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrixrecommends scheduling a
+daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix_Auditor_Event_Log_Export_Add-on.ps1" -NetwrixAuditorHost 172.28.6.15 |
+
+**Step 5 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
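Review bot: Step 1 sends the reader to Task Scheduler and Step 2 starts "On the **General** tab" without a step that creates the task, so add the create-task action between them. Step 2's "all necessary rights and permissions" should link to the Prerequisites table in overview.md, because the task account needs the Auditor role, write access to the script folder and, per that table, elevated rights on the first run to create the event log. "Netwrixrecommends" in Step 3 is missing a space, and the daily-task recommendation already appears in the opening paragraph.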
diff --git a/docs/auditor/10.8/addon/siemeventlogexport/collecteddata.md b/docs/auditor/10.8/addon/siemeventlogexport/collecteddata.md
new file mode 100644
index 0000000000..f54d6b1dc3
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemeventlogexport/collecteddata.md
@@ -0,0 +1,19 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+Follow the steps to work with collected data:
+
+**Step 1 –** On the computer where you executed the add-on, navigate to **Start** > **All
+Programs** > **Event Viewer**.
+
+**Step 2 –** In the **Event Viewer** dialog, navigate to **Event Viewer (local)** > **Applications
+and Services Logs** > **Netwrix_Auditor_Integration log**.
+
+**Step 3 –** Review events.
+
+Now you can augment SIEM with data collected by Auditor.
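Review bot: Step 2 calls the log "**Netwrix_Auditor_Integration log**" while powershell.md in the same folder calls it the "Netwrix Auditor **Integration** event log"; pick the exact name shown in Event Viewer and use it in both places, since that name is what a SIEM collector subscription has to match. The path "**Start** > **All Programs** > **Event Viewer**" in Step 1 does not exist on current Windows Server versions and could be replaced with a version-neutral instruction to open Event Viewer.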
diff --git a/docs/auditor/10.8/addon/siemeventlogexport/deployment.md b/docs/auditor/10.8/addon/siemeventlogexport/deployment.md
new file mode 100644
index 0000000000..e8e40e92af
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemeventlogexport/deployment.md
@@ -0,0 +1,25 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can
+run the add-on on the computer where Auditor is installed or on a remote server. Depending on the
+execution scenario you choose, you have to define a different set of parameters. See the
+[Define Parameters](/docs/auditor/10.8/addon/siemeventlogexport/parameters.md) topic for additional information.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| ------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The add-on runs on the Auditor Server with the current user credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix*Auditor_Event_Log* Export_Add-on.ps1 |
+| The add-on runs on the Auditor Server with explicitly defined credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix*Auditor_Event_Log* Export_Add-on.ps1 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+| The add-on exports Activity Records from a remote Auditor Server using current user credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Event_Log* Export_Add-on.ps1 -NetwrixAuditorHost 172.28.6.15 |
+| The add-on exports Activity Records from a remoteAuditor Server using explicitly defined credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Event_Log* Export_Add-on.ps1 -NetwrixAuditorHost 172.28.6.15 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
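Review bot: All four example cells show the script as `C:\Add-ons\Netwrix*Auditor_Event_Log* Export_Add-on.ps1`, where two underscores have turned into emphasis asterisks and a space has been inserted, so none of the commands can be copied; restore `Netwrix_Auditor_Event_Log_Export_Add-on.ps1` (the name used in automate.md and powershell.md) and wrap the examples in code spans so Markdown leaves the underscores alone. Rows two and four pass `-NetwrixAuditorPassword NetwrixIsCool` in clear text, which is the practice the closing paragraph advises against; mark those rows as not recommended and say where the password becomes visible. "remoteAuditor" in the fourth scenario is missing a space.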
diff --git a/docs/auditor/10.8/addon/siemeventlogexport/overview.md b/docs/auditor/10.8/addon/siemeventlogexport/overview.md
new file mode 100644
index 0000000000..b25efc5624
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemeventlogexport/overview.md
@@ -0,0 +1,47 @@
+---
+title: "SIEM Generic Integration for Event Log Export"
+description: "SIEM Generic Integration for Event Log Export"
+sidebar_position: 230
+---
+
+# SIEM Generic Integration for Event Log Export
+
+Netwrix Auditor helps you protect and get most from your SIEM investment. The Event Log Export
+Add-on works in collaboration with Netwrix Auditor , supplying additional data that augments the
+data collected by SIEM.
+
+The add-on enriches your SIEM data with actionable context in human-readable format, including the
+before and after values for every change and data access attempt, both failed and successful.
+Aggregating data into a single audit trail simplifies analysis, makes your SIEM more cost effective,
+and helps you keep tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on facilitates the audit data transition from Netwrix
+Auditor to SIEM. All you have to do is provide connection details and schedule the script for
+execution.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Auditor Server and retrieves audit data using the Integration API.
+2. The add-on processes Netwrix Auditor-compatible data (Activity Records) into log events that work
+ as input for SIEM. Each event contains the user account, action, time, and other details.
+3. The add-on creates a special Windows event log (Netwrix_Auditor_Integration) and stores events
+ there. These events are structured and ready for integration with SIEM.
+
+For more information on the structure of the Activity Record and the capabilities of the Integration
+API, refer to the [Integration API](/docs/auditor/10.8/api/overview.md) topic.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging the Integration API. Download the latest add- on version in the Add- on Store. See the
+[Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information about schema updates.
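Review bot: The prerequisite `Set-ExecutionPolicy Unrestricted` in the second table row has no scope, so following it changes the policy for the whole machine, not just for this add-on; state whether a narrower policy or a process-scoped setting is enough, and pair the "elevated privileges" requirement for the first run with a note that later scheduled runs can use the low-privilege account recommended in deployment.md. Text defects in this hunk: "Netwrix Auditor , supplying" has a stray space before the comma, "add- on" is split twice in the Compatibility Notice, and both "Ensure that..." cells collapse their bullet lists into a single line.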
diff --git a/docs/auditor/10.8/addon/siemeventlogexport/parameters.md b/docs/auditor/10.8/addon/siemeventlogexport/parameters.md
new file mode 100644
index 0000000000..a78ba14978
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemeventlogexport/parameters.md
@@ -0,0 +1,23 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See [Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/siemeventlogexport/deployment.md) for
+additional information.
+
+First provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined.
+
+| Parameter | Default value | Description |
+| ---------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting Auditor Server and uses default port 9699. If you want to run the add- on on another machine, provide a name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide a server name followed by the port number (e.g., WKS.enterprise.local:9999). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the DOMAIN\username format. **NOTE:** The account must be assigned the **Global reviewer** role in Auditor or be a member of the **Netwrix Auditor Client Users** group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
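Review bot: The `NetwrixAuditorPassword` description, "Provide a different password if necessary", does not say which account the password is for or that it is supplied in clear text as an argument; tie it to `NetwrixAuditorUserName` and point to the recommendation in deployment.md to omit both. The `NetwrixAuditorHost` row contains "add- on" with a stray space, "Most parameters are optional, the script uses" is a comma splice, and the example values in this table are plain text whereas the CEF Export parameters table italicizes the same values.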
diff --git a/docs/auditor/10.8/addon/siemeventlogexport/powershell.md b/docs/auditor/10.8/addon/siemeventlogexport/powershell.md
new file mode 100644
index 0000000000..4bb7b4194a
--- /dev/null
+++ b/docs/auditor/10.8/addon/siemeventlogexport/powershell.md
@@ -0,0 +1,40 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 30
+---
+
+# Run the Add-On with PowerShell
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+Follow the steps to run add-on with PowerShell:
+
+**Step 1 –** On computer where you want to execute the add-on, start Windows PowerShell.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Event_Log_Export_Add-on.ps1 - NetwrixAuditorHost
+172.28.6.15
+
+**NOTE:** If the script path contains spaces (e.g., _C:\Netwrix Add-ons_), embrace it in double
+quotes and insert the ampersand (**&**) symbol in front (e.g., & "_C:\Netwrix Add-ons_").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in Netwrix Auditor Audit Database execution may
+take a while. Ensure the script execution completed successfully. The Netwrix Auditor
+**Integration** event log will be created and filled with events.
+
+By default, the Netwrix Auditor **Integration** event log size is set to **1GB**, and retention is
+set to "_Overwrite events as needed_".
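Review bot: The sample command under Step 3 reads `- NetwrixAuditorHost` with a space after the dash and is wrapped before `172.28.6.15`, so as written PowerShell will not bind the parameter; remove the space and put the banner and command in a fenced block on one line. The final paragraph states a 1GB log with "_Overwrite events as needed_" retention without saying what that means for collection: with a daily export, events can be overwritten before the SIEM reads them if the collector falls behind, so add a sentence advising readers to size the log or the collection interval accordingly. The log is called "Netwrix Auditor **Integration**" here and "Netwrix_Auditor_Integration" in overview.md and collecteddata.md, and the NOTE's `& "C:\Netwrix Add-ons"` quotes a folder instead of the script path.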
diff --git a/docs/auditor/10.8/addon/solarwinds/_category_.json b/docs/auditor/10.8/addon/solarwinds/_category_.json
new file mode 100644
index 0000000000..2e2193a982
--- /dev/null
+++ b/docs/auditor/10.8/addon/solarwinds/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Solarwinds Log and Event Manager",
+ "position": 240,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
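Review bot: The label "Solarwinds Log and Event Manager" uses a different capitalization from the vendor's "SolarWinds"; fix it here since this string is what appears in the sidebar. The file also lacks a trailing newline.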
diff --git a/docs/auditor/10.8/addon/solarwinds/automate.md b/docs/auditor/10.8/addon/solarwinds/automate.md
new file mode 100644
index 0000000000..9ff36c90df
--- /dev/null
+++ b/docs/auditor/10.8/addon/solarwinds/automate.md
@@ -0,0 +1,35 @@
+---
+title: "Automate Add-On Execution"
+description: "Automate Add-On Execution"
+sidebar_position: 40
+---
+
+# Automate Add-On Execution
+
+To ensure you feed the most recent data to your SIEM solution, Netwrix recommends scheduling a daily
+task for running the add-on.
+
+**Perform the following steps to create a scheduled task:**
+
+**Step 1 –** On the computer where you want to execute the add-on, navigate to **Task Scheduler**.
+
+**Step 2 –** On the **General** tab, specify a task name. Make sure the account that runs the task
+has all necessary rights and permissions.
+
+**Step 3 –** On the **Triggers** tab, click **New** and define the schedule. This option controls
+how often audit data is exported from Auditor and saved to event log. Netwrixrecommends scheduling a
+daily task.
+
+**Step 4 –** On the **Actions** tab, click **New** and specify action details. Review the following
+for additional information:
+
+| Option | Value |
+| ------------------------ | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Action | Set to "_Start a program_". |
+| Program/script | Input "_Powershell.exe_". |
+| Add arguments (optional) | Add a path to the add-on in double quotes and specify add-on parameters. For example: -file "C:\Add-ons\Netwrix_Auditor_Add-on_for_Solarwinds_Log_and_Event_Manager.ps1" -NetwrixAuditorHost 172.28.6.15 |
+
+**Step 5 –** Save the task.
+
+After creating a task, wait for the next scheduled run or navigate to **Task Scheduler** and run the
+task manually. To do this, right-click a task and click **Run**.
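Review bot: This page is the third copy of the scheduled-task procedure in this change, identical to the CEF Export and Event Log Export versions except for the script name in the "Add arguments" row, and it carries the same "Netwrixrecommends" typo in Step 3 and the same missing create-task step between Step 1 and Step 2. Consider moving the procedure into one shared topic or partial with the script name as the only variable, so a fix lands in all three add-ons at once.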
diff --git a/docs/auditor/10.8/addon/solarwinds/collecteddata.md b/docs/auditor/10.8/addon/solarwinds/collecteddata.md
new file mode 100644
index 0000000000..6f1f0a7795
--- /dev/null
+++ b/docs/auditor/10.8/addon/solarwinds/collecteddata.md
@@ -0,0 +1,21 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 50
+---
+
+# Work with Collected Data
+
+Follow the steps to work with collected data:
+
+**Step 1 –** On the computer where you executed the add-on, navigate to **Start** > **All
+Programs** > **Event Viewer**.
+
+**Step 2 –** In the Event Viewer dialog, navigate to **Event Viewer (local)** > **Applications and
+Services Logs** >Netwrix Auditor Integration log.
+
+**Step 3 –** Review events.
+
+
+
+Now you can augment Windows event log with data collected by the Auditor.
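Review bot: The closing sentence, "Now you can augment Windows event log with data collected by the Auditor", has the direction reversed for this add-on; the sibling topic ends with "augment SIEM with data collected by Auditor", and here the target is the SolarWinds product named in the category label. In Step 2, ">Netwrix Auditor Integration log" is missing the space after ">" and the bold used for the other path elements, and the log name again differs from "Netwrix_Auditor_Integration". The three blank lines after Step 3 suggest a screenshot was dropped during conversion; either restore it or remove the gap.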
diff --git a/docs/auditor/10.8/addon/solarwinds/deployment.md b/docs/auditor/10.8/addon/solarwinds/deployment.md
new file mode 100644
index 0000000000..8355d8d6a9
--- /dev/null
+++ b/docs/auditor/10.8/addon/solarwinds/deployment.md
@@ -0,0 +1,25 @@
+---
+title: "Choose Appropriate Execution Scenario"
+description: "Choose Appropriate Execution Scenario"
+sidebar_position: 20
+---
+
+# Choose Appropriate Execution Scenario
+
+Auditor Add-on for the SIEM solution runs on any computer in your environment. For example, you can
+run the add-on on the computer where Auditor is installed or on a remote server. Depending on the
+execution scenario you choose, you have to define a different set of parameters. See the
+[Define Parameters](/docs/auditor/10.8/addon/solarwinds/parameters.md) topic for additional information.
+
+Netwrix suggests the following execution scenarios:
+
+| Scenario | Example |
+| --------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| The add-on runs on the Netwrix Auditor Server with the current user credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* Solarwinds_Log_and_Event_Manager.ps1 |
+| The add-on runs on the Netwrix Auditor Server with explicitly defined credentials. Activity Records are exported to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* Solarwinds_Log_and_Event_Manager.ps1 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+| The add-on exports Activity Records from a remote Netwrix Auditor Server using current user credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* Solarwinds_Log_and_Event_Manager.ps1-NetwrixAuditorHost 172.28.6.15 |
+| The add-on exports Activity Records from a remote Netwrix Auditor Server using explicitly defined credentials and writes data to a local event log. | C:\Add-ons\Netwrix*Auditor_Add-on_for* Solarwinds_Log_and_Event_Manager.ps1-NetwrixAuditorHost 172.28.6.15 -NetwrixAuditorUserName enterprise\NAuser -NetwrixAuditorPassword NetwrixIsCool |
+
+For security reasons, Netwrix recommends running the script with current user credentials (skipping
+user credentials). Create a special user account with permissions to both Auditor data and event log
+and use it for running the script.
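Review bot: The two "explicitly defined credentials" rows show a password typed as a command-line argument (`-NetwrixAuditorPassword NetwrixIsCool`), which lands in PowerShell history and the process command line, and in any scheduled task that copies the example. The recommendation to run with current user credentials only appears after the table, so please move it above the table, replace the sample password with an obvious placeholder, and add a caution on those two rows. The script name is also mangled in all four rows (`Netwrix*Auditor_Add-on_for* Solarwinds_...`), and rows 3 and 4 have no space before `-NetwrixAuditorHost`, so none of the examples can be pasted as written. Wrapping each example in backticks would stop the underscores from being read as emphasis.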
diff --git a/docs/auditor/10.8/addon/solarwinds/integrationeventlog.md b/docs/auditor/10.8/addon/solarwinds/integrationeventlog.md
new file mode 100644
index 0000000000..3c5f1352c1
--- /dev/null
+++ b/docs/auditor/10.8/addon/solarwinds/integrationeventlog.md
@@ -0,0 +1,40 @@
+---
+title: "Integration Event Log Fields"
+description: "Integration Event Log Fields"
+sidebar_position: 60
+---
+
+# Integration Event Log Fields
+
+This section describes how the add-on fills in the Netwrix Auditor **Integration** event log fields
+with data retrieved from Activity Records.
+
+The Activity Record structure is described in the
+[Reference for Creating Activity Records](/docs/auditor/10.8/api/activityrecordreference.md)topic.
+
+| Event log field name | Filled in with value | Details |
+| -------------------- | ----------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Source | **NA\_\_**`{Data Source Name}`** -OR- **Netwrix \_Auditor_Integration_API\_\_ | Depending on _SetDataSourceAsEventSource_ in-script parameter. |
+| EventID | **`{Calculated by add-on}`** -OR- **0** | Depending on _GenerateEventId_ in-script parameter (calculation result also depends on _IncludeDataSourceToMakeEventId_ parameter — if _GenerateEventId_ = _True_). |
+| Task Category | **`{DataSource ID}`** -OR- **1** | Depending on _SetDataSourceAsEventCategory_ in-script parameter. |
+
+See the [Define Parameters](/docs/auditor/10.8/addon/solarwinds/parameters.md) topic for additional information.
+
+EventData is filled in with data from the Activity Record fields as follows:
+
+| Entry in EventData | Activity Record field |
+| ------------------ | --------------------- |
+| DataSource | `{DataSource}` |
+| Action | `{Action}` |
+| Message | `{Action ObjectType}` |
+| Where | `{Where}` |
+| ObjectType | `{ObjectType}` |
+| Who | `{Who}` |
+| What | `{What}` |
+| When | `{When}` |
+| Workstation | `{Workstation}` |
+| Details | `{Details}` |
+
+Details are filled in only if this Activity Record field is not empty.
+
+
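Review bot: The Source row is unreadable as written: `**NA\_\_**`, the `{Data Source Name}` placeholder and `**Netwrix \_Auditor_Integration_API\_\_` mix bold markers, escapes and a stray space, so a reader cannot tell which literal event source strings the add-on writes. These values are what a SIEM rule matches on, so put each alternative in backticks with the exact characters. Also add the missing space in `activityrecordreference.md)topic`, and drop the two trailing blank lines at the end of the file. The link to Define Parameters for the in-script parameters points at a topic whose "In-Script Parameters" section is empty in this patch.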
diff --git a/docs/auditor/10.8/addon/solarwinds/overview.md b/docs/auditor/10.8/addon/solarwinds/overview.md
new file mode 100644
index 0000000000..7633f5a2c6
--- /dev/null
+++ b/docs/auditor/10.8/addon/solarwinds/overview.md
@@ -0,0 +1,50 @@
+---
+title: "Solarwinds Log and Event Manager"
+description: "Solarwinds Log and Event Manager"
+sidebar_position: 240
+---
+
+# Solarwinds Log and Event Manager
+
+Netwrix Auditor Add-on for SIEM helps you to get most from your SIEM investment. This topic focuses
+on the Solarwinds Log & Event Manager SIEM solution.
+
+The add-on works in collaboration with Netwrix Auditor, supplying additional data that augments the
+data collected by the SIEM solution.
+
+The add-on enriches your SIEM data with actionable context in human-readable format, including the
+before and after values for every change and data access attempt, both failed and successful.
+Aggregating data into a single audit trail simplifies analysis, makes your SIEM more cost effective,
+and helps you keep tabs on your IT infrastructure.
+
+Implemented as a PowerShell script, this add-on facilitates the audit data transition from Netwrix
+Auditor to the SIEM solution. All you have to do is provide connection details and schedule the
+script for execution.
+
+On a high level, the add-on works as follows:
+
+1. The add-on connects to the Netwrix Auditor server and retrieves audit data using the Netwrix
+ Auditor Integration API.
+2. The add-on processes Netwrix Auditor-compatible data (Activity Records) into log events that work
+ as input for the SIEM solution. Each event contains the user account, action, time, and other
+ details.
+3. The add-on creates a special Windows event log named **Netwrix_Auditor_Integration** and stores
+ events there. These events are structured and ready for integration with the SIEM solution.
+
+See the [Integration API](/docs/auditor/10.8/api/overview.md) topic for additional information on the structure
+of the Activity Record and the capabilities of the Netwrix Auditor Integration API.
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ---------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| The Auditor server side | - Auditor version is **10.0** or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| The computer where the script will be executed | - PowerShell **3.0** or later must be installed. - .NET **4.5** or later must be installed. - Execution policy for powershell scripts is set to _"Unrestricted"_. Run Windows PowerShell as administrator and execute the following command: Set-ExecutionPolicy Unrestricted - The user running the script is granted the write permission on the script folder—the add-on creates a special .bin file with the last exported event. - The user running the script must be a member of the Domain Users group. - At least the first script run should be performed under the account with elevated privileges, as it will be necessary to create event log file and perform other required operations. |
+
+## Compatibility Notice
+
+Make sure to check your product version, and then review and update your add-ons and scripts
+leveraging Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.
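Review bot: The prerequisites table tells readers to run `Set-ExecutionPolicy Unrestricted`, which changes the policy for the whole machine to the least restrictive setting just to run one script. If the add-on works under a tighter policy such as RemoteSigned, or with the policy scoped to the session (`-Scope Process`), document that instead and state the scope explicitly. In the same cell, the Global administrator alternative is offered without saying when it is needed; since the text itself notes it grants "the most extended permissions", recommend the Global reviewer role and present the administrator option as an exception. The bullet lists in both cells have been flattened into one line with " - " separators and should be restored as lists, and the command belongs in backticks.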
diff --git a/docs/auditor/10.8/addon/solarwinds/parameters.md b/docs/auditor/10.8/addon/solarwinds/parameters.md
new file mode 100644
index 0000000000..93556047b4
--- /dev/null
+++ b/docs/auditor/10.8/addon/solarwinds/parameters.md
@@ -0,0 +1,22 @@
+---
+title: "Define Parameters"
+description: "Define Parameters"
+sidebar_position: 10
+---
+
+# Define Parameters
+
+Before running or scheduling the add-on, you must define connection details: Auditor Server host,
+user credentials, etc. Most parameters are optional, the script uses the default values unless
+parameters are explicitly defined. You can skip or define parameters depending on your execution
+scenario and security policies. See the [Choose Appropriate Execution Scenario](/docs/auditor/10.8/addon/solarwinds/deployment.md) topic
+for additional information.
+
+| Parameter | Default value | Description |
+| --------------------------------- | ------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Connection to Netwrix Auditor** | | |
+| NetwrixAuditorHost | localhost:9699 | Assumes that the add-on runs on the computer hosting the Auditor Server and uses default port 9699. If you want to run the add-on on another machine, provide a name of the computer where Auditor Server resides (e.g., 172.28.6.15, EnterpriseNAServer, WKS.enterprise.local). To specify a non-default port, provide a server name followed by the port number (e.g., WKS.enterprise.local:9999). |
+| NetwrixAuditorUserName | Current user credentials | Unless specified, the add-on runs with the current user credentials. If you want the add-on to use another account to connect to Auditor Server, specify the account name in the _DOMAIN\username_ format. The account must be assigned the Global reviewer role in Auditor or be a member of the Netwrix Auditor **Client Users** group on the computer hosting Auditor Server. |
+| NetwrixAuditorPassword | Current user credentials | Unless specified, the script runs with the current user credentials. Provide a different password if necessary. |
+
+## In-Script Parameters
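Review bot: The file ends on the heading "## In-Script Parameters" with no content under it, yet integrationeventlog.md in this patch sends readers here for _SetDataSourceAsEventSource_, _GenerateEventId_, _IncludeDataSourceToMakeEventId_ and _SetDataSourceAsEventCategory_. Either add the parameter table or remove the heading and the cross-reference. The NetwrixAuditorPassword row should also say that the value is passed in clear text on the command line and point to the current-user recommendation in the execution scenario topic. Minor: "Most parameters are optional, the script uses the default values" is a comma splice.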
diff --git a/docs/auditor/10.8/addon/solarwinds/powershell.md b/docs/auditor/10.8/addon/solarwinds/powershell.md
new file mode 100644
index 0000000000..9df9eb9dc5
--- /dev/null
+++ b/docs/auditor/10.8/addon/solarwinds/powershell.md
@@ -0,0 +1,66 @@
+---
+title: "Run the Add-On with PowerShell"
+description: "Run the Add-On with PowerShell"
+sidebar_position: 30
+---
+
+# Run the Add-On with PowerShell
+
+First, provide a path to your add-on followed by script parameters with their values. Each parameter
+is preceded with a dash; a space separates a parameter name from its value. You can skip some
+parameters— the script uses a default value unless a parameter is explicitly defined. If necessary,
+modify the parameters as required.
+
+**To run the script with PowerShell:**
+
+**Step 1 –** On computer where you want to execute the add-on, start **Windows PowerShell**.
+
+**Step 2 –** Type a path to the add-on. Or simply drag and drop the add-on file in the console
+window.
+
+**Step 3 –** Add script parameters. The console will look similar to the following:
+
+Windows PowerShell
+
+Copyright (C) 2014 Microsoft Corporation. All rights reserved.
+
+PS C:\Users\AddOnUser> C:\Add-ons\Netwrix_Auditor_Add-on_for_Solarwinds_Log_and_Event_Manager.ps1 -
+NetwrixAuditorHost 172.28.6.15
+
+**NOTE:** If the script path contains spaces (e.g., _C:\Netwrix Add-ons_), embrace it in double
+quotes and insert the ampersand (**&**) symbol in front (e.g., & "_C:\Netwrix Add-ons_").
+
+**Step 4 –** Hit **Enter**.
+
+Depending on the number of Activity Records stored in Netwrix Auditor Audit Database execution may
+take a while. Ensure the script execution completed successfully. The Netwrix Auditor
+**Integration** event log will be created and filled with events.
+
+By default, the Netwrix Auditor **Integration** event log size is set to 1GB, and retention is set
+to "_Overwrite events as needed_". See the [Integration Event Log Fields](/docs/auditor/10.8/addon/solarwinds/integrationeventlog.md)
+topic for additional information.
+
+**NOTE:** Event records with more than 30,000 characters length will be trimmed.
+
+At the end of each run, the script creates the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDs.txt** file. It defines mapping between the
+Activity Records and related Event IDs . You can use this file to track possible duplicates of Event
+IDs created at each script execution. Duplicates, if any, are written to the
+**Netwrix_Auditor_Event_Log_Export_Add-on_EventIDsDuplicates.txt** file.
+
+Similarly, the add-on also creates the **Netwrix_Auditor_Event_Log_Export_Add-on_CategoriesIDs.txt**
+file that defines mapping between the Data Source and related Category ID.
+
+## Applying Filters
+
+Every time you run the script, Auditor makes a timestamp. The next time you run the script, it will
+start retrieving new Activity Records. Consider the following:
+
+- By default, the add-on does not apply any filters when exporting Activity Records. If you are
+ running the add-on for the first time (there is no timestamp yet) with no filters, it will export
+ Activity Records for the last month only. This helps to optimize solution performance during the
+ first run. At the end of the first run, the timestamp will be created, and the next run will start
+ export from that timestamp.
+
+- However, if you have specified a time period for Activity Records to be exported, then this filter
+ will be applied at the add-on first run and the runs that follow.
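Review bot: The console sample in Step 3 is plain paragraphs rather than a code block, and the command is broken after the dash (`...Event_Manager.ps1 -` then `NetwrixAuditorHost 172.28.6.15` on the next line), so a reader who copies it gets a bare dash followed by a separate token. Put the sample in a fenced block with the parameter on one line. In the NOTE, the italics markers sit inside the quotes (`& "_C:\Netwrix Add-ons_"`), which will render or paste with underscores in the path; use backticks and show the full script path, not just the folder. Also fix "On computer where", the missing space in "parameters— the", and the stray space in "Event IDs .". The Applying Filters section mentions specifying a time period but does not say where that filter is set.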
diff --git a/docs/auditor/10.8/addon/splunk/_category_.json b/docs/auditor/10.8/addon/splunk/_category_.json
new file mode 100644
index 0000000000..27a5e476cb
--- /dev/null
+++ b/docs/auditor/10.8/addon/splunk/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Splunk",
+ "position": 250,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/addon/splunk/collecteddata.md b/docs/auditor/10.8/addon/splunk/collecteddata.md
new file mode 100644
index 0000000000..4e298e671d
--- /dev/null
+++ b/docs/auditor/10.8/addon/splunk/collecteddata.md
@@ -0,0 +1,88 @@
+---
+title: "Work with Collected Data"
+description: "Work with Collected Data"
+sidebar_position: 20
+---
+
+# Work with Collected Data
+
+Review the examples below for the possible scenarios on how to work with collected data.
+
+## Example 1: Search by Index
+
+Follow the steps to search by index:
+
+**Step 1 –** Navigate to the Search page of the add-on or Search & Reporting Splunk app
+
+**Step 2 –** Enter the search command:
+
+index=``
+
+for example:
+
+index=netwrix
+
+**Step 3 –** Press the Last 24 hours button and choose All time time range.
+
+**Step 4 –** Press the search button; you should see list of the events currently indexed in Splunk.
+
+**Step 5 –** Click on the arrow button next to any of the returned event to expand the list of
+parsed fields and confirm that fields are populated properly.
+
+If you do not see any fields, make sure that you are running the search in Smart or Verbose mode.
+
+Follow the steps to get all user account creation events from Microsoft Entra ID (formerly Azure AD)
+ports .
+
+**Step 1 –** Navigate to the **Search** page of the add-on or **Search & Reporting** Splunk app
+
+**Step 2 –** Enter the search command:
+
+index=netwrix Action=”Added” ObjectType=”user”
+
+| table Who Action ObjectType What Where
+
+**Step 3 –** Press the Last 24 hours button and choose All time time range.
+
+## Example 2: Use Netwrix Auditor Fields in Index Search
+
+Follow the steps to use Auditor fields in index search:
+
+**Step 1 –** Navigate to the **Search** page of the add-on or **Search & Reporting** Splunk app
+
+**Step 2 –** Enter the search command:
+
+| datamodel `` search
+
+| search sourcetype=netwrix
+
+for example:
+
+| datamodel Authentication search
+
+| search sourcetype=netwrix
+
+**Step 3 –** Press the Last 24 hours button and choose All time time range.
+
+**Step 4 –** Press the search button; you should see list of the events currently indexed in Splunk
+and mapped to the selected data model.
+
+**Step 5 –** Click on the arrow button next to any of the returned event to expand the list of
+parsed fields and confirm that fields are populated properly.
+
+## Example 3: Use CIM Data Model Search and Data Model Fields
+
+Follow the steps to get all events for account deletion:
+
+**Step 1 –** Navigate to the Search page of the add-on or Search & Reporting Splunk app
+
+**Step 2 –** Enter the search command:
+
+| datamodel Change search
+
+| search sourcetype=netwrix All_Changes.action=”deleted”
+
+| table All_Changes.vendor_product All_Changes.action All_Changes.src All_Changes.dest
+All_Changes.user All_Changes.object All_Changes.object_attrs
+
+**Step 3 –** Press the Last 24 hours button and choose All time time range.
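Review bot: Several searches cannot be run as written. The placeholders were lost (`index=` followed by empty backticks in Example 1, and `| datamodel` followed by empty backticks in Example 2), and the field filters use typographic quotes (`Action=”Added” ObjectType=”user”`, `All_Changes.action=”deleted”`) that will not be parsed as string delimiters when pasted into Splunk. Put every search in a fenced code block with straight quotes and a visible placeholder name. The Microsoft Entra ID account-creation walkthrough in Example 1 has no heading of its own, restarts at Step 1 and ends its intro with a stray "ports ."; give it its own example heading or fold it into Example 1. "All time time range" and "any of the returned event" need a copy edit, and the Step 1 lines are missing final periods.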
diff --git a/docs/auditor/10.8/addon/splunk/datamodelmap.md b/docs/auditor/10.8/addon/splunk/datamodelmap.md
new file mode 100644
index 0000000000..42e4e3954c
--- /dev/null
+++ b/docs/auditor/10.8/addon/splunk/datamodelmap.md
@@ -0,0 +1,29 @@
+---
+title: "CIM Data Model Mapping"
+description: "CIM Data Model Mapping"
+sidebar_position: 30
+---
+
+# CIM Data Model Mapping
+
+The Splunk Common Information Model (CIM) is installed with an add-on and adds a set of data models
+that allow data normalization to simplify search.
+
+The CIM contains a number of standard data models that can be used for search. Each of them has
+predefined set of standard fields common for different data sources.
+
+Netwrix Auditor Add-on for Splunk will map some of the Activity Records that match certain scenario
+to the respective CIM data models.
+
+| Criteria | Data model | Description |
+| ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ | ---------------------------------------------- |
+| DataSource IN ("Microsoft Entra ID", "Logon Activity", "SQL Server", "VMware") Action="Successful Logon" | Authentication > Authentication > Successful_Authentication | Successful login events |
+| DataSource IN ("Microsoft Entra ID", "Logon Activity", "SQL Server", "VMware") Action="Failed Logon" | Authentication > Authentication > Failed\_ Authentication | Failed login events |
+| DataSource IN ("Active Directory", "Microsoft Entra ID", "Exchange\*") Action="Added" ObjectType IN ("user", "computer", "inetorgperson", "service principal", "mail contact", "mail user") | Change > All_Changes > Account Management > Created Accounts | Account creation events |
+| DataSource IN ("Active Directory", "Microsoft Entra ID", "Exchange\*") Action IN ("Modified", "Moved") ObjectType IN ("user", "computer", "inetorgperson", "service principal", "mail contact", "mail user") | Change > All_Changes > Account Management > Updated Accounts | Account update events |
+| DataSource IN ("Active Directory", "Microsoft Entra ID", "Exchange\*") Action="Removed" ObjectType IN ("user", "computer", "inetorgperson", "service principal", "mail contact", "mail user") | Change > All_Changes > Account Management > Deleted Accounts | Account deletion events |
+| DataSource IN ("Active Directory", "Microsoft Entra ID", "Exchange\*", "File Servers") Action IN ("Added", "Modified", "Moved", "Removed") NOT ObjectType IN ("user", "computer", "inetorgperson", "service principal", "mail contact", "mail user") | Change > All_Changes | All other – not related to accounts – changes |
+| DataSource IN ("Active Directory", "Microsoft Entra ID", "Exchange\*") ObjectType IN ("user", "computer", "inetorgperson", "service principal", "mail contact", "mail user") is\_ lockout=1 | Change > All_Changes > Account Management > Locked Accounts | Account lockout events |
+| DataSource IN ("Active Directory", "Microsoft Entra ID", "Exchange\*") Action IN ("Added", "Modified", "Removed") is_audit=1 | Change > All_Changes > Auditing Changes | Changes to audit settings or policies |
+| DataSource="Exchange\*" ObjectType="Mailbox Item" Action IN ("Sent", "Removed") | Email > All Email | Information related to sent or received emails |
+| DataSource="File Server" Action IN ("Added". "Modified", "Moved", "Removed", "Renamed") ObjectType IN ("file", "folder") | Endpoint > Filesystem | Changes to file shares |
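Review bot: The Criteria column is presented as search syntax but contains values that will not match if copied. The last row uses `DataSource="File Server"` while the "all other changes" row uses "File Servers", and its action list has a period instead of a comma (`"Added". "Modified"`). The lockout row reads `is\_ lockout=1` and the failed-logon row `Failed\_ Authentication`, each with an escape and a stray space inside the name. Please confirm the exact data source string, fix the separators, and put the criteria in backticks so underscores and asterisks (`"Exchange\*"`) survive rendering. The Email row lists actions "Sent" and "Removed" but is described as "sent or received emails"; one of the two needs correcting.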
diff --git a/docs/auditor/10.8/addon/splunk/deployment.md b/docs/auditor/10.8/addon/splunk/deployment.md
new file mode 100644
index 0000000000..0d3f6adf4c
--- /dev/null
+++ b/docs/auditor/10.8/addon/splunk/deployment.md
@@ -0,0 +1,190 @@
+---
+title: "Deployment Procedure"
+description: "Deployment Procedure"
+sidebar_position: 10
+---
+
+# Deployment Procedure
+
+## Prepare Netwrix Auditor for Data Processing
+
+In the Netwrix Auditor client, go to the Integrations section and verify Integration API settings:
+
+1. Make sure the Leverage Integration API is switched to ON.
+2. Check the TCP communication port number – default is 9699.
+
+See the
+[Configure Integration API Settings](/docs/auditor/10.8/api/prerequisites.md#configure-integration-api-settings)[Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md)topic
+for additional information.
+
+## Download the Add-on
+
+Follow the steps to download the add-on.
+
+**Step 1 –** Download the distribution package Netwrix_Auditor_Add-on_for_Splunk.zip from the
+following web page:
+[https://www.netwrix.com/add-on_for_splunk.html](https://www.netwrix.com/add-on_for_splunk.html)
+
+**Step 2 –** Unpack it to a folder on the computer from which you can access Splunk Web.
+
+## Install the Add-on
+
+Follow the steps to install the add-on.
+
+**Step 1 –** Login to Splunk Web using Splunk Administrator account.
+
+**Step 2 –** Open the Splunk Apps settings in any of the following ways:
+
+- On the main Explore Splunk Enterprise screen, click the gear icon at the top of the left **Apps**
+ panel:
+
+
+
+- When on any other screen, you can expand the drop-down list at the top panel and choose Manage
+ Apps:
+
+ 
+
+**Step 3 –** On the **Apps** screen, click Install app from file:
+
+
+
+**Step 4 –** Click Choose File, navigate to the folder where you unpacked the add-on package, select
+the "TA-netwrix-auditor-add-on-for-splunk-1.6.1.spl" file and click Open.
+
+**Step 5 –** Click Upload.
+
+
+
+The **Upload** button text will change to "_Processing…_". When the installation is complete, you
+will see an invitation to reboot Splunk. This is optional unless you plan to create index
+configuration in the add-on folder. In addition, Splunk might not display add-on icon until restart.
+
+The installed add-on should appear in the Apps list in Splunk.
+
+
+
+## Prepare for Using Netwrix Auditor Integration API
+
+Make sure you have the following information required for the add-on configuration:
+
+- User name and password for the account you will be using to access the Netwrix Auditor Integration
+ API
+- Netwrix Auditor Integration API host name or IP address
+- TCP port used by Integration API (default port is 9699)
+
+## Configure the Add-on
+
+Follow the steps to configure the add-on.
+
+**Step 1 –** From the Explore Splunk Enterprise or from the drop-down list on the top Splunk panel,
+open Netwrix Auditor add-on for Splunk and navigate to the Configuration page:
+
+
+
+**Step 2 –** Configure the account:
+
+1. On the Configuration page, open the Account section.
+
+ 
+
+2. Click **Add** and populate the fields:
+
+ - For the Account name provide a unique name for the account that will be visible to the add-on
+ users
+ - In the Username field insert the user name of the account that will be used to access Netwrix
+ Auditor Integration API. If a domain account is used, make sure to use the _DOMAIN\User_
+ format.
+ - In the Password field insert the account password
+
+3. Click the Add button. The added account should appear in the list:
+
+ 
+
+**Step 3 –** Configure the Netwrix Auditor Integration API location:
+
+1. On the Configuration page open the Add-on Settings section:
+
+ 
+
+2. In the Netwrix Auditor API location field provide the host name or IP address of your Netwrix
+ Auditor Integration API host (Netwrix Auditor server).
+3. In the Netwrix Auditor API port field provide the TCP port used by Netwrix Auditor Integration
+ API; by default it is 9699.
+
+ **NOTE:** Make sure that your Netwrix Auditor Integration API is configured to use HTTPS
+ protocol.
+
+4. Press the **Save** button.
+
+## Configure Data Input
+
+Splunk uses indexes to store data and manage access to it. While you can send Netwrix Auditor data
+to one of the existing indexes it is strongly recommended to create a separate index.
+
+Follow the steps to configure data input.
+
+**Step 1 –** Create a new index to store data from Netwrix Auditor:
+
+1. In Splunk expand the Settings drop-down menu and click on the Indexes option under the DATA
+ section.
+2. Press the **New Index** button to create an index.
+3. Provide the new index parameters:
+
+ - Index name — this parameter will be used in the search.
+ - App — points where the index configuration is stored; Choosing **Search & Reporting** is
+ recommended.
+ - Check if you need to provide custom location for the Home, Cold and Thawed paths. By default
+ they are in the Splunk program folder.
+ - Set the Max Size of Entire Index to match the expected volume of logs from Netwrix Auditor.
+ - By default, Splunk deletes old events when the size of the index exceeds its max value. If you
+ want Splunk to archive them instead specify the Frozen Path.
+
+ Please refer to the
+ [Managing Indexers and Clusters of Indexers](https://docs.splunk.com/Documentation/Splunk/8.1.0/Indexer/Aboutmanagingindexes)
+ manual for additional details on indexes.
+
+**Step 2 –** Create a data input:
+
+1. Open Netwrix Auditor add-on for Splunk and go to the **Inputs** section.
+
+ 
+
+2. Click Create New Input.
+
+ 
+
+3. Provide the new data input parameters:
+
+ - Name of the new data input.
+ - Set the interval (period) for Splunk to periodically request new data from Netwrix Auditor
+ Integration API. Recommended period is 300 seconds.
+ - Select the index that will be used to store the collected data.
+ - Select account with access to Netwrix Auditor Integration API.
+ - If not following the upgrade procedure, keep the default value for Continuation Mark.
+
+ **CAUTION:** This field should never be empty.
+
+ - Checkpoint type specifies location for continuation mark data. File is the recommended option.
+ Do not change this setting unless advised accordingly by your Splunk Administrator.
+
+4. Click the **Add** button.
+
+## Upgrade Procedure
+
+If you were using the older (Windows event log-based) version of Netwrix Auditor add-on for Splunk
+and plan to migrate to the new version, remember to take the additional steps described below. They
+will help to ensure imported data consistency and avoid excessive operations. Otherwise, the new
+add-on will pull Netwrix Auditor’s activity data that had already been imported into your Splunk
+system by the old add-on.
+
+Follow the steps to upgrade the add-on.
+
+**Step 1 –** Stop the old version of Netwrix Auditor add-on for Splunk. You can do this with the
+Windows Scheduled Tasks.
+
+**Step 2 –** Locate the Netwrix_Auditor_Activity_Records_to_Event_Log_Add-on_Cookie.bin file in the
+installation directory of the old add-on for Splunk. Store that file content to a safe location.
+
+**Step 3 –** Install the new add-on. When prompted for Continuation Mark, enter that
+Netwrix*Auditor* Activity_Records_to_Event_Log_Add-on_Cookie.bin file content.
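Review bot: The HTTPS note under "Configure the Add-on" Step 3 tells readers to make sure the Integration API uses HTTPS but gives no link or steps, even though the account from Step 2 authenticates over that connection. Link it to the Integration API settings topic and say what to check. Elsewhere in this file: the "See the" sentence under "Prepare Netwrix Auditor for Data Processing" fuses two links with no separator and no space before "topic"; the package is called "TA-netwrix-auditor-add-on-for-splunk-1.6.1.spl" here but "ta-netwrix-auditor-add-on-for- splunk-1.6.1.spl" in overview.md; and Upgrade Step 3 garbles the cookie file name (`Netwrix*Auditor* Activity_Records_to_Event_Log_Add-on_Cookie.bin`), which matters because its content is what the reader must paste as the Continuation Mark. The CAUTION that the Continuation Mark "should never be empty" should state what happens if it is.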
diff --git a/docs/auditor/10.8/addon/splunk/overview.md b/docs/auditor/10.8/addon/splunk/overview.md
new file mode 100644
index 0000000000..fcc9257345
--- /dev/null
+++ b/docs/auditor/10.8/addon/splunk/overview.md
@@ -0,0 +1,122 @@
+---
+title: "Splunk"
+description: "Splunk"
+sidebar_position: 250
+---
+
+# Splunk
+
+Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables
+control over changes, configurations and access in hybrid IT environments to protect data regardless
+of its location. The platform provides security analytics to detect anomalies in user behavior and
+investigate threat patterns before a data breach occurs.
+
+Splunk is a log management solution that enables search and visualization of data collected from the
+company's IT assets.
+
+Netwrix Auditor add-on for Splunk works as an integration solution for both products: it instructs
+Splunk to pull the audit data collected by Netwrix Auditor and stored to the audit databases in
+Netwrix-compatible form (activity records). This data is saved in the event log format recognized by
+Splunk and also mapped to the CIM data models — for normalization and better correlation with other
+log sources. With that automated flow, you can use Splunk Enterprise as your single pane of glass
+for aggregated data analysis. This makes the IT infrastructure monitoring more efficient and helps
+you keep tabs on your IT assets.
+
+The major benefits- are:
+
+- Aggregated audit data from the variety of sources available from a single console
+- Efficient search through the audit data
+
+## Compatibility notice
+
+Netwrix Auditor add-on for Splunk is compatible with the following products:
+
+- Splunk Enterprise 8.0.6 and 8.2.1
+- Netwrix Auditor 9.96 and above
+
+## Supported data sources
+
+Netwrix Auditor add-on for Splunk supports and provides CIM data models mapping for the following
+Netwrix Auditor data sources:
+
+| Netwrix Auditor data source | CIM Data Model |
+| --------------------------- | --------------------- |
+| Active Directory | Authentication Change |
+| Exchange | Change Email |
+| Exchange Online | Change Email |
+| File Servers | Change Endpoint |
+| Microsoft Entra ID | Authentication Change |
+| SharePoint | Change |
+| SharePoint Online | Change |
+| SQL Server | Authentication Change |
+| VMware | Authentication Change |
+| Windows Server | Change |
+
+See [CIM Data Model Mapping](/docs/auditor/10.8/addon/splunk/datamodelmap.md) for details.
+
+## How It Works
+
+Netwrix Auditor add-on for Splunk allows pulling activity records data from the Netwrix Auditor via
+its Integration API. Data is retrieved in JSON format, transferred over HTTPS and stored to Splunk
+index.
+
+
+
+To learn more about Netwrix Auditor activity records, see the
+[Activity Records](/docs/auditor/10.8/api/postdata/activityrecords.md) topic for additional information.
+
+For this data to be provided to Splunk, it adds a new Splunk source type, performing additional data
+parsing and field extraction. The audit data is also mapped into the Common Information Model (CIM)
+data models — for normalization and better correlation with other log sources.
+
+On a high level, the solution works in the following steps.
+
+**Step 1 –** An IT administrator configures Netwrix Auditor Integration API settings to enable
+sharing Netwrix Auditor data with external applications.
+
+**Step 2 –** On the Splunk side, the IT administrator installs and configures the add-on, providing
+the necessary parameters for its operation: Netwrix Auditor Integration API host and account to
+access it with sufficient access rights.
+
+**Step 3 –** The IT administrator prepares a Splunk index to store the data that will be collected
+from Netwrix Auditor.
+
+**Step 4 –** Splunk starts pulling activity records via Netwrix Auditor Integration API by sending
+POST requests with Continuation Mark. Data is received in JSON format and stored in the specified
+Splunk index — to make it available for further search by Splunk.
+
+**Step 5 –** When search is performed, Splunk attempts to extract additional information available
+in the audit data and to map it to CIM data models.
+
+User opens Splunk Enterprise to work with collected data:
+
+- Search for the activity records in the specified index or data model
+- Create reports and dashboards in Splunk
+
+Report and dashboard creation in Splunk is outside the scope of this guide.
+
+### Add-on delivery package
+
+Netwrix Auditor add-on for Splunk delivery package is a ZIP archive that includes the following
+files:
+
+| File name | Description |
+| ----------------------------------------------- | ------------------------------------------ |
+| ta-netwrix-auditor-add-on-for- splunk-1.6.1.spl | Netwrix Auditor add-on for Splunk package. |
+
+## Prerequisites
+
+Before running the add-on, ensure that all the necessary components and policies are configured as
+follows:
+
+| On... | Ensure that... |
+| ------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Auditor Server side | - Auditor version is 9.8 or later. - The Audit Database settings are configured in Auditor Server. See the [Prerequisites](/docs/auditor/10.8/api/prerequisites.md) and [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topics for additional information. - The TCP 9699 port (default Auditor Integration API port) is open for inbound connections. - The user retrieving data from the Audit Database is granted the Global reviewer role in Auditor or is a member of the Netwrix Auditor Client Users group. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information. Alternatively, you can grant the Global administrator role or add the user to the Netwrix Auditor Administrators group. In this case, this user will have the most extended permissions in the product. |
+| Splunk Enterprise | - Splunk version is 8.0.6 or higher. - Splunk Common Information Model add-on version 4.17.0 or higher. - Splunk Administrator or any other account with permissions to add add-ons, create indexes and data inputs. - The TCP 9699 port must be open on firewalls between Splunk and Netwrix Auditor server. |
+
+### Considerations and limitations
+
+- If the information is not available in the activity record received from Auditor, it will also not
+ be available in Splunk.
+- CIM might not have data models for some of the activity records received from Auditor; such
+ information can only be accessed in Splunk using search by index.
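Review bot: The version requirements in this file contradict each other. The Compatibility notice lists "Netwrix Auditor 9.96 and above" and "Splunk Enterprise 8.0.6 and 8.2.1", while the Prerequisites table says "Auditor version is 9.8 or later" and "Splunk version is 8.0.6 or higher". Pick one statement per product and use it in both places. In the Auditor Server row of the same table, the Global administrator alternative is presented on equal footing with Global reviewer for the account that retrieves data over the Integration API, even though the row itself says it gives "the most extended permissions in the product"; consider stating that Global reviewer (or Netwrix Auditor Client Users membership) is the recommended choice for this integration account. Smaller items: "The major benefits- are:" has a stray hyphen, the package name "ta-netwrix-auditor-add-on-for- splunk-1.6.1.spl" contains a space, and the bullet lists inside both Prerequisites cells are flattened into " - " runs that will render as a single paragraph.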
diff --git a/docs/auditor/10.8/addon/splunk/troubleshooting.md b/docs/auditor/10.8/addon/splunk/troubleshooting.md
new file mode 100644
index 0000000000..ce843940f6
--- /dev/null
+++ b/docs/auditor/10.8/addon/splunk/troubleshooting.md
@@ -0,0 +1,38 @@
+---
+title: "Maintenance and Troubleshooting"
+description: "Maintenance and Troubleshooting"
+sidebar_position: 40
+---
+
+# Maintenance and Troubleshooting
+
+Splunk records service logs to the \_internal index. Follow the steps to troubleshoot data input
+from Netwrix Auditor API:
+
+**Step 1 –** Navigate to the Search page of the add-on or Search & Reporting Splunk app.
+
+**Step 2 –** Enter the search command:
+
+```
+index=_internal ""
+```
+
+For example:
+
+```
+index=_internal ""
+```
+
+**Step 3 –** Press the Last 24 hours button and choose Last 15 minutes time range.
+
+**Step 4 –** Press the search button; you should see list of the events with Splunk service
+information.
+
+When the add-on operates normally there should be no errors and the following types of events should
+appear regularly:
+
+- Regular events from _\*splunk\ta-netwrix-auditor-add-on-for-splunk_netwrix_auditor_api_input_\*\_
+ source with POST requests to the Netwrix Auditor API.
+- Regular events from _\*splunk\ta-netwrix-auditor-add-on-for-splunk_netwrix_auditor_api_input_\*\_
+ source with checkpoint update with new ContinuationMarks received from Netwrix Auditor API.
+- Events from _\*\splunk\metrics.log_ source with information about indexed volumes.
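Review bot: The search command in Step 2 is `index=_internal ""`, and the "For example" block below it is identical, so both the placeholder and the example value appear to have been lost. As written, the reader is told to search for an empty string, which does not narrow the _internal index to the add-on's input. Restore the placeholder and a concrete example, and keep them inside the code fence so the markup is not stripped again. The three source names in the closing list mix italic markers with backslash escapes (for example `_\*\splunk\metrics.log_`); putting them in inline code would keep the paths and wildcards readable.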
diff --git a/docs/auditor/10.8/admin/_category_.json b/docs/auditor/10.8/admin/_category_.json
new file mode 100644
index 0000000000..6e431b3091
--- /dev/null
+++ b/docs/auditor/10.8/admin/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Administration",
+ "position": 50,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
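Review bot: This file is added without a trailing newline ("\ No newline at end of file"), and the two `_category_.json` files that follow under alertsettings have the same marker. Add the final newline in all three so later edits to these files do not show the closing brace as a changed line.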
diff --git a/docs/auditor/10.8/admin/alertsettings/_category_.json b/docs/auditor/10.8/admin/alertsettings/_category_.json
new file mode 100644
index 0000000000..c2c7f35f4f
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Alerts",
+ "position": 70,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/admin/alertsettings/create/_category_.json b/docs/auditor/10.8/admin/alertsettings/create/_category_.json
new file mode 100644
index 0000000000..3183dd1bec
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/create/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Create Alerts",
+ "position": 20,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "create"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/admin/alertsettings/create/create.md b/docs/auditor/10.8/admin/alertsettings/create/create.md
new file mode 100644
index 0000000000..b55eb21002
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/create/create.md
@@ -0,0 +1,39 @@
+---
+title: "Create Alerts"
+description: "Create Alerts"
+sidebar_position: 20
+---
+
+# Create Alerts
+
+To create new alerts and modify existing alerts, the account used to connect to Auditor Server must
+be assigned the _Global administrator_ or _Global reviewer_ role in the product.
+
+To set up a response action, this account must also be a member of the local _Administrators_ group
+on Auditor Server.
+
+See the
+[](https://helpcenter.netwrix.com/Roles/Role_Based_Access.html)[Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md)
+topic for additional information.
+
+## Create a Custom Alert
+
+Follow the steps to create a custom alert.
+
+**Step 1 –** On the main Auditor page, click the Alert settings link under the Configuration section
+on the left:
+
+
+
+See the [Navigation](/docs/auditor/10.8/admin/navigation/overview.md) topic for additional information.
+
+**Step 2 –** In the All Alerts window, click Add. Configure the following:
+
+| Option | Description |
+| --------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General |
Specify a name and enter the description for the new alert. **NOTE:** Make sure that the Send alert when the action occurs option is enabled. Otherwise, the new alert will be disabled.
Email subject — Specify the subject of the email. It is possible to insert variables into the subject line. You can choose between "_Who_", "_What_" and"_Where_" variables. Consider the following:
Only one variable of each type can be added
You need to cut off the full path from the object names in "_What_" alert and leave only the actual name. For example, "_\com\Corp\Users\Departments\IT\Username_" should be just "_Username_". If you want to get back to the default Email subject line, click the **Restore Default** button.
Apply tags — Create a set of tags to more efficiently identify and sort your alerts. Select Edit under Apply tags to associate tags with your alert. Later, you can quickly find an alert of interest using Filter by tags in the upper part of the All Alerts window. To see a full list of alerts ever created in the product, navigate to Settings > Tags.
Email — Specify the email address where notifications will be delivered. You can add as many recipients as necessary. **_RECOMMENDED:_** click **Send Test Email**. The system will send a test message to the specified email address and inform you if any problems are detected.
SMS-enabled email — Netwrix uses the sms gateway technology to deliver notifications to a phone number assigned to a dedicated email address. Specify email address to receive SMS notifications. Make sure that your carrier supports sms to email gateway technology.
|
+| Filters | Apply a set of filters to narrow events that trigger a new alert. Alerts use the same interface and logic as search.
Filter — Select general type of filter (e.g., "Who", "Data Source", "Monitoring plan", etc.)
Operator — Configure match types for selected filter (e.g., "Equals", "Does not contain", etc.)
Value — Specify filter value. See the [View and Search Collected Data](/docs/auditor/10.8/admin/search/overview.md) topic for additional information on how to create and modify filters. The Filters section contains required fields highlighted with red. Once you completed all filters, click Preview on the right pane to see search-based list of events that will trigger your alert. 
|
+| Thresholds | If necessary, enable threshold to trigger the new alert. In this case, a single alert will be sent instead of many alerts. This can be helpful when Auditor detects many activity records matching the filters you specified. Slide the switch under the Send alert when the threshold is exceeded option and configure the following:
Limit alerting to activity records with the same... — Select a filter in the drop-down list (e.g., who). Note that, Auditor will search for activity records with the same value in the filter you selected. Only alerts grouped by the Who parameter can be included in the Behavior Anomalies list. Mind that in this case, the product does not summarize risk scores and shows the value you associated with this alert. This may significantly reduce risk score accuracy.
Send alert for `<...>` activity records within `<...>` seconds — Select a number of changes that occurred in a given period (in seconds). For example, you want to receive an alert on suspicious activity. You select "_Action_" in the Limit alerting to activity records with the same list and specify a number of actions to be considered an unexpected behavior: _1000_ changes in _60_ seconds. When the selected threshold exceeded, an alert will be delivered to the specified recipients: one for every 1000 removals in 60 seconds, one for every 1000 failed removals in 60 seconds. So you can easily discover what is going on in your IT infrastructure.
|
+| Risk Score |
Slide the switch to On under Include this alert in Behavior Anomalies assessment. See the [Behavior Anomalies](/docs/auditor/10.8/admin/behavioranomalies/overview.md) topic for additional information.
Associate a risk score with the alert — Assign a risk score based on the type of anomaly and the severity of the deviation from the normal behavior. An action's risk score is a numerical value from 1 (Low) to 100 (High) that designates the level of risk with 100 being the riskiest and 1 the least risky. These are general guidelines you can adopt when setting a risk score:
High score — Assign to an action that requires your immediate response (e.g., adding account to a privileged group). Configure a non-threshold alert with email recipients.
Above medium score — Assign to a repetitive action occurring during a short period of time. While a standalone action is not suspicious, multiple actions merit your attention (e.g., mass deletions from a SharePoint site). Configure a threshold-based alert with email recipients.
Low score — Assign to an infrequent action. While a single action is safe, multiple occurrences aggregated over a long period of time may indicate a potential in-house bad actor (e.g., creation of potentially harmful files on a file share). Configure a non-threshold alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard.
Low score — Assign to a repetitive action that does not occur too often (e.g., rapid logons). Multiple occurrences of action sets may indicate a potential in-house bad actor or account compromise. Configure a threshold-based alert, email recipients are optional but make sure to regularly review the Behavior Anomalies dashboard.
|
+| Response Action | You can instruct Auditor to perform a response action when the alert occurs — for example, start an executable file (command, batch file, or other) that will remediate the issue, or open a ticket with the help desk, and so on. For that, you will need an executable file stored locally on the Auditor server. Slide the switch to turn the feature **ON**, and see the [Configure a Response Action for Alert](/docs/auditor/10.8/admin/alertsettings/responseaction.md) topic for additional information. |
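Review bot: In the Risk Score row, the guidance list contains two entries both labelled "Low score" (one for an infrequent action, one for a repetitive action such as rapid logons), after "High score" and "Above medium score". Readers cannot tell which tier each entry is meant to be, so one of the labels is presumably wrong; please check the intended names and make the four tiers distinct. Other points in this hunk: the "See the" sentence near the top carries an empty-text link, `[](https://helpcenter.netwrix.com/Roles/Role_Based_Access.html)`, directly before the real Role-Based Access and Delegation link and should be dropped; "To see a full list of alerts ever created in the product, navigate to Settings > Tags" reads as if it should say tags; `and"_Where_"` is missing a space; and the Filters image is pulled from `/img/product_docs/1secure/...` although this page is under docs/auditor. Since the Response Action row describes starting a locally stored executable and the intro requires local Administrators membership to set it up, a sentence on who should be allowed to modify that executable would fit here.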
diff --git a/docs/auditor/10.8/admin/alertsettings/create/createeventlog.md b/docs/auditor/10.8/admin/alertsettings/create/createeventlog.md
new file mode 100644
index 0000000000..6edaf2eed4
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/create/createeventlog.md
@@ -0,0 +1,59 @@
+---
+title: "Create Alerts for Event Log"
+description: "Create Alerts for Event Log"
+sidebar_position: 10
+---
+
+# Create Alerts for Event Log
+
+Alerts are configurable notifications triggered by certain events and sent to the specified
+recipients. You can enable or disable, and modify existing alerts, and create new alerts. To do it,
+click Configure next to Alerts.
+
+Follow the steps to create new alert.
+
+**Step 1 –** In the Alerts window, click Add to start new alert.
+
+**Step 2 –** On the Alert Properties step, specify the alert name and enter alert description
+(optional). Specify the number alerts per email. Grouped alerts for different computers will be
+delivered in separate email messages. This value is set to 1 by default, which means that each alert
+will be delivered as a separate email message.
+
+**Step 3 –** On the Notifications step, configure email notifications and customize the notification
+template, if needed. Click Edit next to Customize notifications template. Edit the template by
+deleting or inserting information fields.
+
+The %ManagedObjectName% variable will be replaced with your monitoring plan name.
+
+**Step 4 –** On the Event filters step, specify an event that will trigger the alert.
+
+**Step 5 –** Complete the Event Filters wizard. Complete the following fields:
+
+- In the Event tab:
+
+ | Option | Description |
+ | ----------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+ | Name | Specify the filter name. |
+ | Description | Enter the description for this filter (optional). |
+ | Event Log | Select an event log from the drop-down list. You will be alerted on events from this event log. You can also input a different event log. To find out a log’s name, navigate to Start > Windows Administrative Tools > **Event Viewer** > **Applications and Services Logs** > Microsoft > Windows and expand the required Log_Name node, right-click the file under it and select Properties. Find the event log’s name in the Full Name field. Auditor does not collect the Analytic and Debug logs, so you cannot configure alerts for these logs. You can use a wildcard (\*). In this case you will be alerted on events from all Windows logs except for the ones mentioned above. |
+
+- In the Event Fields tab:
+
+ | Option | Description |
+ | ----------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+ | Event ID | Enter the identifier of a specific event that you want to be alerted on. You can add several IDs separated by comma. |
+ | Event Level | Select the event types that you want to be alerted on. If the Event Level checkbox is cleared, you will be alerted on all event types of the specified log. |
+ | Computer | Specify a computer. You will only be alerted on events from this computer. If you want to specify several computers, you can define a mask for this parameter. Below is an example of a mask: - \* - any machine - computer – a machine named ‘computer’ - \*computer\* - machines with names like ‘xXxcomputerxXx’ or ‘newcomputer’ - computer? – machines with names like ‘computer1’ or ‘computerV’ - co?puter - machines with names like ‘computer’ or ‘coXputer’ - ????? – any machine with a 5-character name - ???\* - any machine with a 3-character name or longer |
+ | User | Enter a user’s name. You will be alerted only on the events generated under this account. If you need to specify several users, you can define a mask for this parameter in the same way as described above. |
+ | Source | Specify this parameter if you want to be alerted on the events from a specific source. If you need to specify several users, you can define a mask for this parameter in the same way as described above. |
+ | Category | Specify this parameter if you want to be alerted on a specific event category. |
+
+ 
+
+- In the Insertion Strings tab:
+
+ | Option | Description |
+ | ---------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+ | Consider the following event Insertion Strings | Specify this parameter if you want to receive alerts on events containing a specific string in the EventData. You can use a wildcard (\*). Click Add and specify Insertion String. |
+
+**Step 6 –** Click OK to save the changes and close the Event Filters dialog.
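Review bot: In the Event Fields table, the Source row says "If you need to specify several users, you can define a mask", which is copied from the User row above it; it should refer to several sources. In the Computer row, the mask examples are flattened into one run of " - " separated items, which makes patterns such as `???\*` and `co?puter` hard to tell apart from the surrounding text; a list or inline code per mask would help. Also: "Specify the number alerts per email" in Step 2 is missing "of", "Follow the steps to create new alert" is missing an article, and the screenshot is referenced from `/img/product_docs/1secure/...` although the page belongs to the auditor docs.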
diff --git a/docs/auditor/10.8/admin/alertsettings/create/createhealthstatus.md b/docs/auditor/10.8/admin/alertsettings/create/createhealthstatus.md
new file mode 100644
index 0000000000..2fd65dee82
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/create/createhealthstatus.md
@@ -0,0 +1,60 @@
+---
+title: "Create Alerts on Health Status"
+description: "Create Alerts on Health Status"
+sidebar_position: 30
+---
+
+# Create Alerts on Health Status
+
+You can configure alerts to be triggered by important events in the Netwrix AuditorSystem Health
+log.
+
+To create alerts to be notified on Auditor Health Status.
+
+Follow the basic steps, required for creation of the monitoring plan that will be used to collect
+data on Auditor health status events. See the topic for additional information.
+
+**Step 1 –** Start Netwrix Auditor Event Log Manager and create the new monitoring plan.
+
+**Step 2 –** Make sure that the Enable event log collection checkbox is selected. Specify the name
+for the new plan, for example, _"\_Netwrix Auditor \_Health Status"_.
+
+**Step 3 –** Navigate to the Monitored computers list and add a server where the Auditor server
+resides.
+
+**Step 4 –** On the General tab, click Configure next to Alerts. Make sure the predefined alerts are
+disabled. Click Add to create anew alert.
+
+**Step 5 –** In the Alert Properties wizard, specify the alert name and enter alert description
+(optional). Specify the number alerts per email. Grouped alerts for different computers will be
+delivered in separate email messages. This value is set to 1 by default, which means that each alert
+will be delivered as a separate email message.
+
+**Step 6 –** Specify alert recipient if you want the alert to be delivered to a non-default email.
+
+**Step 7 –** Navigate to Event Filters and click Add to specify an event that will trigger the
+alert.
+
+**Step 8 –** Complete the Event Filter dialog.
+
+- In the Event tab, specify the filter name and description. In the Event Log field select the
+ Netwrix Auditor System Health log.
+- In the Event Fields tab, select event levels that will trigger the alert.
+
+**Step 9 –** Click OK to save the changes and close the Event Filters dialog.
+
+**Step 10 –** In the Netwrix Auditor Event Log Manager wizard, navigate to the Notifications section
+and specify the email address where notifications will be delivered.
+
+**_RECOMMENDED:_** click **Send Test Email**. The system will send a test message to the specified
+email address and inform you if any problems are detected.
+
+**Step 11 –** In the Audit Archiving filters, select the Netwrix Auditor System Health as the
+inclusive filter.
+
+**Step 12 –** Click Save to save your changes.
+
+
+
+If an event occurs that triggers an alert, an email notification will be sent immediately to the
+specified recipients.
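Review bot: The sentence "See the topic for additional information." in the introduction has lost its link target, so the reader is not told which topic covers creating the monitoring plan. The sibling page createmailboxaccess.md links to the Event Log Manager topic at the same point; the same link probably belongs here. The introduction also has a dangling fragment ("To create alerts to be notified on Auditor Health Status.") that should be merged with the next sentence or removed. Typos to fix in this hunk: "Netwrix AuditorSystem Health" (missing space), "create anew alert" in Step 4, "Specify the number alerts per email" in Step 5, and the example plan name `_"\_Netwrix Auditor \_Health Status"_`, which carries stray escaped underscores.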
diff --git a/docs/auditor/10.8/admin/alertsettings/create/createmailboxaccess.md b/docs/auditor/10.8/admin/alertsettings/create/createmailboxaccess.md
new file mode 100644
index 0000000000..6c2e28b00d
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/create/createmailboxaccess.md
@@ -0,0 +1,154 @@
+---
+title: "Create Alerts for Non-Owner Mailbox Access Events"
+description: "Create Alerts for Non-Owner Mailbox Access Events"
+sidebar_position: 20
+---
+
+# Create Alerts for Non-Owner Mailbox Access Events
+
+If you have a monitoring plan configured to audit Exchange, you can configure alerts to be triggered
+by non-owner mailbox access events (e.g., opening a message folder, opening/modifying/deleting a
+message) using the event log alerts. To enable monitoring of non-owner mailbox access events, you
+need to create a monitoring plan for auditing event logs.
+
+## Create Alerts for Non-Owner Mailbox Access Events
+
+The procedure below describes the basic steps, required for creation of a monitoring plan that will
+be used to collect data on non-owner mailbox access events. See
+[Event Log Manager](/docs/auditor/10.8/tools/eventlogmanager/eventlogmanager.md) topic for additional information.
+
+Follow the steps to create alert for non-owner mailbox access events.
+
+**Step 1 –** Create a monitoring plan in Netwrix Auditor Event Log Manager.
+
+**Step 2 –** Make sure that the Enable event log collection checkbox is selected. Specify the name
+for the new plan, for example, "_Non-owner mailbox access auditing_".
+
+**Step 3 –** Navigate to the Monitored computers list and add a server where your Exchange
+organization resides.
+
+**Step 4 –** On the General tab, click Configure next to Alerts. Make sure the predefined alerts are
+disabled. Click Add to create an alert for non-owner mailbox access event.
+
+**Step 5 –** In the Alert Properties wizard, specify the alert name and enter alert description
+(optional). Specify the number alerts per email. Grouped alerts for different computers will be
+delivered in separate email messages. This value is set to 1 by default, which means that each alert
+will be delivered as a separate email message.
+
+**Step 6 –** Specify alert recipient if you want the alert to be delivered to a non-default email.
+
+**Step 7 –** Navigate to Event Filters and click Add to specify an event that will trigger the
+alert.
+
+**Step 8 –** Complete the Event Filter dialog.
+
+- In the Event tab, specify the filter name and description. In the Event Log field enter _"Netwrix
+ Non-Owner Mailbox Access Agent"_.
+
+- In the Event Fields tab, complete the following fields:
+
+ - Event ID—Enter the identifier of a specific event that you want to be alerted on. You can add
+ several IDs separated by comma. Review the event IDs available in the Netwrix **Non-Owner
+ Mailbox Access Agent** event log:
+
+ | ID | Description | Access Type (as displayed in XML view of event details) |
+ | --- | ------------------------------------------- | ------------------------------------------------------- |
+ | 1 | A folder was opened | actFolderOpen |
+ | 2 | A message was opened | actMessageOpened |
+ | 3 | A message was sent | actMessageSubmit |
+ | 4 | A message was changed and saved | actChangedMessageSaved |
+ | 5 | A message was deleted | actMessageDeleted |
+ | 6 | A folder was deleted | actFolderDeleted |
+ | 7 | The entire contents of a folder was deleted | actAllFolderContentsDeleted |
+ | 8 | A message was created and saved | actMessageCreatedAndSaved |
+ | 9 | A message was moved or/and copied | actMessageMoveCopy |
+ | 10 | A folder was moved or/and copied | actFolderMoveCopy |
+ | 14 | A folder was created | actFolderCreated |
+
+ - Source—Enter _"Netwrix Non-Owner Mailbox Access Agent"_.
+
+- In the Insertion Strings tab, select Consider the following event Insertion Strings to receive
+ alerts on events containing a specific string in the EventData. Click Add and specify the
+ Insertion String.
+
+**Step 9 –** Click OK to save the changes and close the Event Filters dialog.
+
+**Step 10 –** In the Netwrix Auditor Event Log Manager wizard, navigate to Notifications and specify
+the email address where notifications will be delivered.
+
+**_RECOMMENDED:_** click **Send Test Email**. The system will send a test message to the specified
+email address and inform you if any problems are detected.
+
+**Step 11 –** Click Edit next to Audit Archiving Filters step, in the Inclusive Filters section
+clear the filters you do not need, click Add and specify the following information:
+
+- The filter name and description (e.g., Non-owner mailbox access event)
+- In Event Log, enter _"Netwrix Non-Owner Mailbox Access Agent"_.
+- In Write to, select Long-Term Archive. The events will be saved into the local repository.
+
+**Step 12 –** Click Save. If an event occurs that triggers an alert, an email notification will be
+sent immediately to the specified recipients.
+
+## Review Event Description
+
+Review the example of the MessageOpened event in the XML view:
+
+
+
+Depending on the event, the strings in the description may vary. The first eight strings are common
+for all events:
+
+| String | Description |
+| ------- | --------------------------------------------------------------------------- |
+| String1 | The event type: info or warning |
+| String2 | The event date and time in the following format: YYYY_MM_DD_hh_mm_ss_000 |
+| String3 | The name of the user accessing mailbox |
+| String4 | The SID of the user accessing mailbox |
+| String5 | The GUID of the mailbox being accessed |
+| String6 | Shows whether the user accessing mailbox is the owner: it is always _false_ |
+| String7 | The IP of the computer accessing the mailbox |
+| String8 | The access type |
+
+The following strings depend on the non-owner access type, represented by different Event IDs:
+
+| Event ID | Access type (String 8) | Strings | Description |
+| -------- | ------------------------------------------------------------------- | ------------- | ---------------------------------------------------------------------------------------------- |
+| 1 | actFolderOpen | String9 | The internal folder URL |
+| 2 | actMessageOpened | String9 | The internal message URL |
+| String10 | The message subject | | |
+| String11 | The message type: IPM.Note—Email, IPM.Contact – contact, etc. | | |
+| 3 | actMessageSubmit | String9 | The internal message URL |
+| String10 | The message subject | | |
+| String11 | Email addresses of the message recipients, separated by a semicolon | | |
+| String12 | The message type: IPM.Note—Email, IPM.Contact – contact, etc. | | |
+| 4 | actChangedMessageSaved | String9 | The internal message URL |
+| String10 | The message subject | | |
+| String11 | The message type: IPM.Note – Email, IPM.Contact – contact, etc. | | |
+| 5 | actMessageDeleted | String9 | The internal message URL |
+| String10 | The message subject | | |
+| String11 | The message type: IPM.Note—Email, IPM.Contact – contact, etc. | | |
+| 6 | actFolderDeleted | String9 | The internal folder URL |
+| 7 | actAllFolderContentsDeleted | String9 | The internal folder URL |
+| 8 | actMessageCreatedAndSaved | String9 | The internal message URL |
+| 9 | actMessageMoveCopy | String9 | The message being moved/copied—the final part of the message URL, e.g., /Inbox/testMessage.EML |
+| String10 | The action – copy or move | | |
+| String11 | The folder URL the message is copied/moved from | | |
+| String12 | The destination folder URL | | |
+| String13 | The message type: IPM.Note—Email, IPM.Contact – contact, etc. | | |
+| 10 | actFolderMoveCopy | Strings 9 -13 | The string descriptions for the folder are similar to those for messages. |
+| 14 | actFolderCreated | String9 | The new folder URL |
+
+With different Exchange versions and/or different email clients, the same non-owner action (e.g.,
+copying a message) may generate different events: e.g., actMessageMoveCopy with one server/client or
+actMessageCreatedAndSaved with another.
+
+You can add the required strings contained in % symbols for your own custom alert separated by
+a` ` tag in `Event Parameters:`. Event parameter descriptions can also be added.
+
+In the example below, the following information has been added:
+
+- The description for String 3—User accessing mailbox
+- String 8 with the description
+- String 9 with the description
+
+
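Review bot: The Event ID table is misaligned in its continuation rows. For Event IDs 2, 3, 4, 5 and 9, the rows for String10 through String13 put the string name in the Event ID column and its description in the Access type column, leaving Strings and Description empty. Move those values into the Strings and Description columns, with Event ID and Access type blank or repeated. The separators for the message type are also inconsistent ("IPM.Note—Email" versus "IPM.Note – Email"). In "separated by a` ` tag in `Event Parameters:`" the tag name is empty, so the reader cannot tell which tag to use. Both "Review the example of the MessageOpened event in the XML view:" and "In the example below" are followed only by blank lines, so the examples they refer to are missing from the page.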
diff --git a/docs/auditor/10.8/admin/alertsettings/dashboard.md b/docs/auditor/10.8/admin/alertsettings/dashboard.md
new file mode 100644
index 0000000000..91eb416b29
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/dashboard.md
@@ -0,0 +1,53 @@
+---
+title: "Alerts Overview Dashboard"
+description: "Alerts Overview Dashboard"
+sidebar_position: 10
+---
+
+# Alerts Overview Dashboard
+
+Aggregated statistics on the alerts is provided in the Alerts overview widget. It displays currently
+triggered alerts with detailed information.
+
+To view the dashboard, on the main Auditor page, click the Alerts tile.
+
+The dashboard includes the following widgets:
+
+- Alerts triggered – Shows amount of alerts triggered for the last 7 days (by default). Use this
+ tile to inspect the trend.
+- Top 5 alerts by count – Shows most recently triggered alerts for the selected time period (7 days
+ by default).
+- Risk score by top 5 users – Shows potentially harmful users for the selected time period (7 days
+ by default). Clicking the tile opens the Behavior Anomalies dashboard. See the
+ [Behavior Anomalies](/docs/auditor/10.8/admin/behavioranomalies/overview.md) topic for additional information.
+- Alerts timeline – Shows the number of alerts triggered at the specific day.
+- Recent alerts – Shows all the triggered alerts in chronological order.
+
+
+
+Clicking any tile except for Risk score by top 5 users drills down to the Alert history dashboard
+that provides users with the detailed information about the latest alerts triggered in their IT
+infrastructure enriched with the actionable chart and timeline.
+
+
+
+Review detailed information about the triggered alerts and change anomaly status. See the
+[Review User Profiles and Process Anomalies](/docs/auditor/10.8/admin/behavioranomalies/userprofile.md) topic for
+additional information.
+
+On the Details pane, you can review alert details and manage your alerts:
+
+- Select columns – Select columns to be displayed.
+- Show reviewed alerts – Click to view all alerts you have already reviewed.
+- Mark all as reviewed – Click to mark all alerts in the list as reviewed. Netwrix recommends doing
+ this only if you are completely sure that there are no critical alerts in your infrastructure.
+- Edit alerts settings – Click to modify settings of the selected alert. See the
+ [Create Alerts](/docs/auditor/10.8/admin/alertsettings/create/create.md) topic for additional information.
+- Show activity record in new window – Click to view more information about the activity record that
+ triggered an alert. See the
+ [Activity Records Statistics](/docs/auditor/10.8/admin/healthstatus/dashboard/activityrecordstatistics.md) topic for
+ additional information.
+
+You can also refresh the alerts information by clicking the Refresh button at the bottom or go to
+the general alerts settings page clicking the Alert settings. See the [Manage Alerts](/docs/auditor/10.8/admin/alertsettings/manage.md)
+topic for additional information.
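Review bot: The widget description "Top 5 alerts by count – Shows most recently triggered alerts" does not match its name. A top-by-count widget should be described as showing the alerts triggered most often in the selected period, while recency is what "Recent alerts" covers. Other points: "Aggregated statistics on the alerts is provided" needs "are provided", "Shows amount of alerts" should be "the number of alerts", and "clicking the Alert settings" is missing the noun (link or button). The blank runs after the widget list and after the Alert history paragraph look like dropped screenshots.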
diff --git a/docs/auditor/10.8/admin/alertsettings/manage.md b/docs/auditor/10.8/admin/alertsettings/manage.md
new file mode 100644
index 0000000000..ff96c55e33
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/manage.md
@@ -0,0 +1,25 @@
+---
+title: "Manage Alerts"
+description: "Manage Alerts"
+sidebar_position: 30
+---
+
+# Manage Alerts
+
+For your convenience, Netwrix provides you with a set of predefined alerts that are commonly used
+for IT infrastructure monitoring. The out-of-the-box alerts include those that help you detect
+suspicious activity and inform you on critical changes to your environment. The alerts contain
+pre-configured filters and in most cases you only need to enable an alert and select who will
+receive notifications.
+
+You can add any elements (a dashboard, report, alert, risk, etc.) to the Auditor Home screen to
+access them instantly. See the [Navigation](/docs/auditor/10.8/admin/navigation/overview.md) and
+[Customize Home Screen](/docs/auditor/10.8/admin/navigation/customizehome.md) topics for additional information.
+
+| To... | Follow the steps... |
+| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Enable / disable an existing alert | **Step 1 –** Select an alert from the list and enable it using the slider in the Mode column. **Step 2 –** Double-click the selected alert and specify alert recipients or set a risk score want to include an alert in Behavior Anomalies assessment. You can go on with a score suggested by Netwrix industry experts or fine-tune it to fit your organization's priorities. See the [Risk Score](/docs/auditor/10.8/admin/alertsettings/create/create.md) topic for additional information on how to configure scoring settings. **Step 3 –** Review and update filters. For some alerts you should provide filter values, such as group name or user. |
+| Modify an existing alert | Select an alert from the list and click Edit. |
+| Create a new alert from existing | Select an alert from the list and click Duplicate at the bottom of the window. |
+| Remove an alert | Select an alert from the list and click  in the right pane. |
+| Find an alert | Use the Filter by tags option to find an alert by tags associated with this alert. _OR_ Use a search bar in the upper part of All Alerts window to find an alert by its name or tag. |
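Review bot: In the "Enable / disable an existing alert" row, Step 2 reads "set a risk score want to include an alert in Behavior Anomalies assessment", which is missing words (presumably "if you want to include"). The same step links "[Risk Score]" to create.md with no anchor, so it lands on the top of the Create Alerts topic rather than a Risk Score section. In the "Remove an alert" row, "click  in the right pane" has lost the button or icon name, so the instruction cannot be followed as written. Packing three steps into one table cell also makes the row hard to read; a numbered list under the table would be clearer.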
diff --git a/docs/auditor/10.8/admin/alertsettings/overview.md b/docs/auditor/10.8/admin/alertsettings/overview.md
new file mode 100644
index 0000000000..0dc4dc0bf8
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/overview.md
@@ -0,0 +1,40 @@
+---
+title: "Alerts"
+description: "Alerts"
+sidebar_position: 70
+---
+
+# Alerts
+
+If you want to be notified about suspicious activity, you can configure alerts that will be
+triggered by specific events. Alerts are sent after the specified action has been detected. Alerts
+are helpful if you want to be notified about actions critical to your organization security and have
+to mitigate risks once the suspicious action occurs.
+
+Review the following to take advantage of the Alerts functionality:
+
+- See the[Manage Alerts](/docs/auditor/10.8/admin/alertsettings/manage.md) topic for additional information on how to edit and enable
+ existing predefined alerts, and create new alerts based on the predefined ones.
+- See the [Create Alerts](/docs/auditor/10.8/admin/alertsettings/create/create.md) topic for additional information on how to create custom alerts
+ with your personal filters.
+- If you need to be alerted on specific events in your Event Logs or non-owner mailbox access
+ attempts, see the [Create Alerts for Event Log](/docs/auditor/10.8/admin/alertsettings/create/createeventlog.md) and
+ [Create Alerts for Non-Owner Mailbox Access Events](/docs/auditor/10.8/admin/alertsettings/create/createmailboxaccess.md) topics for additional
+ information.
+
+The example alert is triggered when a new user is created in the monitored domain.
+
+
+
+## Tags
+
+Netwrix Auditor allows you to apply tags when creating an alert. Applying tags to alerts allows you
+to distinguish one alert from another or create groups of similar alerts.
+
+
+
+The Tags page contains a complete list of alerts that were created in the product. Currently, you
+cannot assign or create tags on this page.
+
+To apply tags to an alert, navigate to alert settings and locate the Apply tags section on the
+General tab. See the [Create Alerts](/docs/auditor/10.8/admin/alertsettings/create/create.md) topic to receive information about tags applying.
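Review bot: Under "## Tags", the sentence "The Tags page contains a complete list of alerts that were created in the product" reads as if it should say "list of tags", since the next sentence is about assigning or creating tags on that page. Please confirm which is meant. Smaller points: "See the[Manage Alerts]" is missing a space before the link, "topic to receive information about tags applying" should be "for information about applying tags", and the line "The example alert is triggered when a new user is created in the monitored domain." is followed only by blank lines, so the example it describes is not on the page.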
diff --git a/docs/auditor/10.8/admin/alertsettings/responseaction.md b/docs/auditor/10.8/admin/alertsettings/responseaction.md
new file mode 100644
index 0000000000..0c811d4ba0
--- /dev/null
+++ b/docs/auditor/10.8/admin/alertsettings/responseaction.md
@@ -0,0 +1,150 @@
+---
+title: "Configure a Response Action for Alert"
+description: "Configure a Response Action for Alert"
+sidebar_position: 40
+---
+
+# Configure a Response Action for Alert
+
+Upon the alert triggering, you can instruct Auditor to perform several actions such as run a
+command, a script or other executable file that will perform a remediation action, open a ticket
+with the organization help desk, etc.
+
+
+
+Response Action settings contain the following configuration options:
+
+- Take action when alert occurs - Toggle this setting to **On** to enable alert responses
+- Run – Indicates the location of the script file you want to run as your response action
+- With parameters – If your script contains parameters, specify them here
+- Working directory – If you need to specify a working directory for your script to perform the
+ operation, insert the path here
+- Write data to CSV file – If this checkbox is selected, Netwrix Auditor will save activity records
+ in a CSV file. You can use it to pass information into your response action to receive a more
+ targeted response.
+- Limit row count in a file to – Select the desired number of rows you want for the file
+- Use custom credentials – Enter the username and password if you want the script to be run as an
+ account different from LocalSystem
+- Command line preview – Showing a preview of the command line script. Click **Test run** button to
+ test its performance.
+
+Follow the steps to configure the required settings in the Response Action tab of the alert
+properties.
+
+**Step 1 –** Turn the switch to On if you want a response action to be taken when the alert occurs.
+
+**Step 2 –** In the Run field, specify the path to the executable file (_.exe_, ._cmd_, _.bat_; for
+_.ps1_ files see step 3 below). The file must be located on the machine where Netwrix Auditor server
+runs.
+
+**Step 3 –** In the With parameters field, enter the parameters to be used by the executable file.
+Use space character as a separator.
+
+**Step 4 –** To run _.exe_, _.cmd_ and _.bat_ files, you can enter the path to your command-line or
+batch file directly in the Run field, for example:
+
+
+
+To run the ._ps1_ files, you will need to enter the path to _powershell.exe_ and path to your
+script. For example:
+
+- In the Run field, enter _C:\Windows\system32\WindowsPowerShell\v1.0\powershell.exe_
+- In the With parameters field, enter `–File `
+
+
+
+Unless you select to Write data to CSV file, Auditor will also pass the following parameters to the
+command line:
+
+- _AlertID_ — alert ID
+- _RecordID_ — ID of the activity record that triggered the alert
+
+Selecting Write data to CSV file will change this behavior, as described in the Configure a Response
+Action for Alert section below.
+
+**Step 5 –** In the Working directory field, specify path to the working directory of the executable
+file on NAuditor server.
+
+**Step 6 –** In the Working directory field, specify path to the working directory of the executable
+file on NAuditor server.
+
+If you leave this field empty, then the path to the file specified in the Run field will be used as
+a working directory. As shown in the example with the _.ps_ file, this may be the system directory.
+So, to avoid system directory cluttering, it is recommended not to leave the Working directory field
+empty but to explicitly specify the directory where your executable file is located, or a dedicated
+directory for that purpose. In the latter case, make sure the directory exists on Auditor server.
+
+**Step 7 –** Write data to CSV file — select this option if you want Auditor to locate the activity
+records associated with the alert, and write the record fields and their values in a structured way
+to a ._csv_ file. For each new alert being created, this option is selected by default, as well as
+for the predefined alerts installed with Auditor.
+
+After the upgrade, all alerts with previously configured response action will have this option
+cleared.
+
+**Step 8 –** Limit row count in a file to `` — limit the number of rows (activity records) to be
+written to a single ._csv_ file. Enter a value from _1_ to _1000_.
+
+Learn more about how these options work in the Configure a Response Action for Alert section.
+
+By default, the executable file will be launched under the _LocalSystem_ account. If you want to use
+another account, select the Use custom credentials checkbox and specify user name and password. Make
+sure this account has **Log on as batch job** privilege.
+
+The resulting command line including executable file name and execution parameters will appear in
+the Command line preview.
+
+If you selected to **Write data to CSV file**, the command line will include
+_`{CsvFile_}`_, i.e. the file path. Alternatively, the command line will include _`{AlertID}`_ and _`{RecordID}`\_,
+i.e. related IDs
+
+**Step 9 –** Test run — if you click this button, the executable file will be run with the specified
+parameters on Netwrix Auditor server. This can be helpful, for example, if you want to ensure script
+operability before the related alert is triggered.
+
+As there is no actual alert triggering in this case, sample alert ID and sample activity record ID
+will be passed to the executable file. If you selected to write data to CSV file, a sample file will
+be created and populated with these sample IDs.
+
+To be able to perform the test run, current user account (logged on to Auditor client) must have
+local Administrator privileges on Auditor server where the executable file is located.
+
+After the test run, you will get a notification message with the exit code. Typical values are as
+follows:
+
+- **0** — the response action completed successfully
+- Any other value — the response action was not a success
+
+**_RECOMMENDED:_** Apply similar logic if you plan to use custom exit codes in your response action
+script.
+
+Same exit codes will be returned by response action regular runs.
+
+If the action is not a success (exit code is not 0), the program will try to perform response action
+again (up to 200 times) with increasing time interval.
+
+## Write Data to a CSV File
+
+To pass certain activity record fields to the executable file, you can instruct the program to write
+the fields and their values in a structured way to a CSV file.
+
+Here is an example of a CSV file structure:
+
+
+
+The number of activity records retrieved per every response action launch will be only limited by
+user (see below for details). If the number of records associated with the alert exceeds this limit,
+the program will create multiple CSV files, storing data in chunks.
+
+For example, if there are 50 records associated with the alert (e.g., “_Scanning threat is detected
+on network device_” alert), and the number of records for one CSV is set to 10, the program will
+create 5 CSV files, with 10 records in each chunk. Also notice that the response action will be
+launched once for every such chunk (5 times in this example), and will retrieve multiple activity
+records per launch (not more than the specified limit, i.e. 10 records in this example).
+
+A CSV file is named using the timestamp and GUID and stored in the subfolder of Netwrix Auditor
+working folder (by default, _%ProgramData%\Netwrix
+Auditor\AuditCore\AuditArchive\AlertsToolLauncher\Csv_). Note that a CSV file will exist only while
+the executable file is running – after the execution is completed, the CSV file will be deleted. So
+if you plan, for example, to obtain some data from that file for further processing, you may need to
+copy it to a permanent location in a timely manner, e.g., using a script.
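Review bot: Step 5 and Step 6 are verbatim duplicates ("In the Working directory field, specify path to the working directory of the executable file on NAuditor server."), and "NAuditor" looks like a broken product-name substitution. Drop one and renumber Steps 7 to 9. Step 2 sends the reader to "step 3 below" for _.ps1_ files, but the PowerShell instructions are in Step 4. The parameter example "`–File `" uses an en dash instead of a hyphen and has no script path after it, so it will not work if copied. Both "as described in the Configure a Response Action for Alert section below" and "Learn more ... in the Configure a Response Action for Alert section" point at this page's own title; the target should be "Write Data to a CSV File". The markup in "_`{CsvFile_}`_" and "_`{RecordID}`\_" is malformed, "Limit row count in a file to ``" has an empty placeholder, and "_.ps_ file" should be "_.ps1_". Since the page states the executable runs under _LocalSystem_ by default and is retried up to 200 times on a non-zero exit code, consider adding a sentence recommending that the script and its working directory be writable only by administrators.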
diff --git a/docs/auditor/10.8/admin/behavioranomalies/_category_.json b/docs/auditor/10.8/admin/behavioranomalies/_category_.json
new file mode 100644
index 0000000000..72c2abed44
--- /dev/null
+++ b/docs/auditor/10.8/admin/behavioranomalies/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Behavior Anomalies",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
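Review bot: This file ends without a trailing newline ("\ No newline at end of file"), as do the two healthstatus `_category_.json` files later in the patch. Add a final newline so later edits to these files do not produce spurious diffs on the closing brace.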
diff --git a/docs/auditor/10.8/admin/behavioranomalies/dashboard.md b/docs/auditor/10.8/admin/behavioranomalies/dashboard.md
new file mode 100644
index 0000000000..e88f772e4b
--- /dev/null
+++ b/docs/auditor/10.8/admin/behavioranomalies/dashboard.md
@@ -0,0 +1,38 @@
+---
+title: "Review Behavior Anomalies Dashboard"
+description: "Review Behavior Anomalies Dashboard"
+sidebar_position: 10
+---
+
+# Review Behavior Anomalies Dashboard
+
+To review the Behavior Anomalies dashboard, process and filter anomalies in user profiles, you must
+be assigned the Global administrator or Global reviewer role in the product. See the
+[Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional
+information.
+
+You can add any elements (a dashboard, report, alert, risk, etc.) to the Auditor Home screen to
+access them instantly. See the [Navigation](/docs/auditor/10.8/admin/navigation/overview.md) and
+[Customize Home Screen](/docs/auditor/10.8/admin/navigation/customizehome.md) topics for additional information.
+
+To review the Behavior Anomalies dashboard:
+
+On the main Auditor page, click
+
+on the left.
+
+
+
+The dashboards includes the following sections:
+
+- The Risk score timeline that helps you review anomaly surges over time.
+- The Risk score by top five users chart that helps you identify the most active users. To see the
+ chart, click the pie chart icon in the upper left corner of the page.
+- The user list with all users who provoked alerts and their total risk scores.
+
+Once you reviewed the general anomaly trend and identified users that merit your special attention,
+review their profiles and process anomalies. Click View Profile next to a user name to dive into
+user activity and investigate each action in details.
+[Review User Profiles and Process Anomalies](/docs/auditor/10.8/admin/behavioranomalies/userprofile.md)
+
+[Review User Profiles and Process Anomalies](/docs/auditor/10.8/admin/behavioranomalies/userprofile.md)
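Review bot: The only procedural step on the page is broken: "On the main Auditor page, click" is followed by a blank line and then "on the left.", so the name of the tile or icon to click is missing. The page also ends with the bare link "[Review User Profiles and Process Anomalies]" twice, once directly after "investigate each action in details." and once on its own line. Keep one, wrapped in a sentence such as "See the ... topic for additional information." to match the rest of the docs. "The dashboards includes" should be "The dashboard includes".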
diff --git a/docs/auditor/10.8/admin/behavioranomalies/overview.md b/docs/auditor/10.8/admin/behavioranomalies/overview.md
new file mode 100644
index 0000000000..e004464b5a
--- /dev/null
+++ b/docs/auditor/10.8/admin/behavioranomalies/overview.md
@@ -0,0 +1,50 @@
+---
+title: "Behavior Anomalies"
+description: "Behavior Anomalies"
+sidebar_position: 80
+---
+
+# Behavior Anomalies
+
+Netwrix Auditor enables you to detect behavior anomalies in your IT environment, such as activity
+surges or mass deletions of archived data. As you investigate suspicious activity and review
+incidents, you can identify intruders or in-house bad actors who keep violating your company's
+security policies.
+
+The behavior anomalies assessment extends the alerting functionality and provides both a high-level
+visualization and a detailed history of malicious user activity. While alerts notify you on a single
+or repetitive action almost immediately, the Behavior Anomalies dashboard accumulates this data over
+time and thus gives you the bird's eye view of activity patterns. With Behavior Anomalies, you can
+step beyond individual actions and investigate more complicated user behavior scenarios that might
+otherwise stay concealed for a long time.
+
+On a high level, your behavior anomalies assessment workflow can be described as follows:
+
+1. You create alerts on threat patterns specific to your company. You include these alerts in
+ Behavior Anomalies assessment and associate a risk score with each alert. The score, that is
+ between 1 and 100 points, reflects how critical the action is for your organization.
+ [Risk Score](/docs/auditor/10.8/admin/alertsettings/create/create.md)how to set a risk score for an alert.
+
+ Although Netwrix industry experts suggest risk scores for alerts that are provided
+ out-of-the-box, you can easily tailor these scores to your organization needs and priorities.
+ You can always adjust risk scores over time as you become more aware of behavior patterns and
+ anomalous actions in your environment.
+
+2. Each action that provokes an alert is treated as anomaly. Once the anomaly is detected, it
+ appears on a dashboard's timeline and its risk score is added to the user's total score.
+3. Every now and then, you review the Behavior Anomalies dashboard—the risk score timeline with
+ anomaly surges, and the most active users. The general rule of thumb is: the more risk score
+ points the user has the more he or she merits your attention.
+ [Review Behavior Anomalies Dashboard](/docs/auditor/10.8/admin/behavioranomalies/dashboard.md)
+4. To learn more about user activity, you can drill-down to a user profile to review all alerts
+ provoked by this user. As you review anomalies and mitigate risks, the user's total score
+ reduces. [Review User Profiles and Process Anomalies](/docs/auditor/10.8/admin/behavioranomalies/userprofile.md)
+
+The purpose of the dashboard is to keep risks low and help you spot and address issues as they
+occur. The risk score assigned to a user does not qualify him or her as a bad actor but rather
+brings your attention to behavior patterns. Depending on the role in your organization, users might
+have different safe levels while you should make your priority to review the anomalies on time, stay
+focused, and proactively mitigate risks.
+
+[ Using Behavior Anomaly Discovery](https://www.netwrix.com/using_behavior_anomaly_discovery.html)
+page on Netwrix website.
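Review bot: Several cross-references in this hunk are sentence fragments. In item 1, "[Risk Score](...create.md)how to set a risk score for an alert." has no lead-in verb and no space after the link. Items 3 and 4 end with bare links. The closing "[ Using Behavior Anomaly Discovery](...) page on Netwrix website." has no subject or verb and a stray space inside the link text. Rewrite each as "See the ... topic for additional information" (or "See the ... page on the Netwrix website"). The Risk Score link also targets create.md without an anchor. In item 1, "The score, that is between 1 and 100 points," should be "The score, which is between 1 and 100 points,".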
diff --git a/docs/auditor/10.8/admin/behavioranomalies/tips.md b/docs/auditor/10.8/admin/behavioranomalies/tips.md
new file mode 100644
index 0000000000..19581e80cb
--- /dev/null
+++ b/docs/auditor/10.8/admin/behavioranomalies/tips.md
@@ -0,0 +1,35 @@
+---
+title: "Behavior Anomalies Assessment Tips and Tricks"
+description: "Behavior Anomalies Assessment Tips and Tricks"
+sidebar_position: 30
+---
+
+# Behavior Anomalies Assessment Tips and Tricks
+
+This topic contains various frequently asked questions as well as tips and tricks you might find
+helpful when configuring scoring settings and reviewing behavior anomalies.
+
+- The user has a high score and keeps provoking same alerts almost every day.
+
+ Drill-down to the user profile and then click Show user activity. Review user actions and
+ compare them to his or her job responsibilities. Does the user seem trustworthy? Are there any
+ rights elevation or suspicious access attempts?
+
+ Try to review user tasks—you may find out that the anomaly the user keeps provoking is a genuine
+ part of his or her daily routine. For example, the office staff should not reset passwords for
+ other accounts while this is a basic task for a system administrator. In this case, review your
+ alert settings and exclude the user from the alert filters.
+
+- Everyone in organization has a huge score
+
+ Probably, you have configured too many alerts that turn behavior anomalies assessment into mess.
+ It takes some time to learn what matters most to your organization and get accustomed to setting
+ proper risk scores. Try to review your scoring settings regularly and adjust them when
+ necessary.
+
+- Is anyone who is charge of "Failed..." anomaly a bad actor?
+
+ Anyone can forget a password or accidentally try to access some data in a wrong folder. Such
+ users are not subject to immediate prosecution unless they do not provoke repetitive alerts. The
+ best practice is to review user profile after some time and check if there are any threat
+ patterns in user behavior.
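Review bot: In the last tip, "Such users are not subject to immediate prosecution unless they do not provoke repetitive alerts" contains a double negative that inverts the intended meaning. It should read "unless they provoke repetitive alerts". The question above it, "Is anyone who is charge of "Failed..." anomaly a bad actor?", is missing "in" and would be clearer as "Is anyone who provokes a "Failed..." anomaly a bad actor?". "Prosecution" is also a strong word for an internal review; "investigation" may be closer to what is meant. The three bullet headings are punctuated inconsistently (period, none, question mark).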
diff --git a/docs/auditor/10.8/admin/behavioranomalies/userprofile.md b/docs/auditor/10.8/admin/behavioranomalies/userprofile.md
new file mode 100644
index 0000000000..0b0ce05370
--- /dev/null
+++ b/docs/auditor/10.8/admin/behavioranomalies/userprofile.md
@@ -0,0 +1,82 @@
+---
+title: "Review User Profiles and Process Anomalies"
+description: "Review User Profiles and Process Anomalies"
+sidebar_position: 20
+---
+
+# Review User Profiles and Process Anomalies
+
+The user profile enables you to investigate user behavior and take a closer look at anomalies.
+
+To view a user profile
+
+- On the Behavior Anomalies assessment dashboard, locate a user and click View Profile next to his
+ or her name.
+
+
+
+The user profile page contains the following sections:
+
+- User data with the name and the total risk score. Click Show user activity below the total risk
+ score, to launch the Interactive Search in a new window. Use it to see all user actions, including
+ those that were not treated as anomalies.
+- The Risk score timeline that demonstrates anomalous activity surges. Modify the timeframe to
+ narrow down the results.
+- The Risk score by top five alerts chart that outlines the most frequent anomalies provoked by
+ user. To see the chart, click the pie chart icon in the upper left corner of the page.
+- The anomalies list displays details for each anomaly: the alert that was triggered, the date and
+ time, the risk score and anomaly status.
+
+ Double-click an entry to see more details: who did what, when and where the action was made,
+ etc. Navigate to Linked actions and click Show user activity or Show this activity record to
+ invoke Interactive Search and see all user actions or a specific action correspondingly.
+
+Netwrix Auditor shows only the top 2,000 anomalies. Modify the timeframe or hide reviewed anomalies,
+and then click Refresh to see more anomalies.
+
+## Process Anomalies and Reduce Risk Score
+
+By default, the anomaly status is active and it indicates that the incident still requires some
+examination or is kept for further investigation. As you inspect anomalies and respond to threats,
+update statuses and add comments.
+
+To change an anomaly status
+
+1. Specify an anomaly from the list and click the Active link in the Status column.
+2. In the Change Status dialog, set the status to _"reviewed"_ and provide a justification.
+
+ You can add comments without changing a status. This might be helpful if the anomaly remains
+ active for a long period of time and you need even more time to examine it closely.
+
+
+
+Once the anomaly is reviewed, it disappears from the timeline and chart, and its associated risk
+score is taken from user's total score. The reviewed anomalies supplement the status with the
+reviewer name and date (e.g., _Reviewed by CORP\Administrator (10/02/2017 10:12:03 AM)_).
+
+You can always revert changes and assign the Active status back.
+
+To process all anomalies
+
+- In the Actions section, select Mark all as reviewed.
+
+In this case, all anomalies that are currently in view will be set to _"reviewed"_. Perform this
+operation only with a proper justification. Since Netwrix Auditor shows only the top 2,000
+anomalies, make sure to click Refresh to check if there are more anomalies to be reviewed.
+
+The anomalies that are excluded from view by filters are not affected by the Mark all as reviewed
+action.
+
+## Customize Anomalies List
+
+By default, all anomalies are in view. The Filters section helps you show or hide anomalies.
+
+Click Customize view and clear the checkboxes next to alert names, if you do not want to see
+anomalies associated with them.
+
+When you hide an alert from view, its associated anomalies will no longer be displayed on a
+timeline, chart, or in the list but the user total score will remain unchanged. Note that hidden
+anomalies cannot be reviewed in bulk with the Mark all as reviewed action.
+
+Hide reviewed anomalies enables you to modify the anomalies list so that you can focus on active
+anomalies only. To see reviewed anomalies, click Show reviewed anomalies.
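Review bot: "Specify an anomaly from the list and click the Active link" should be "Select an anomaly", and "its associated risk score is taken from user's total score" should say "subtracted from the user's total score" to make clear that the total goes down. The procedure lead-ins "To view a user profile", "To change an anomaly status" and "To process all anomalies" are plain lines with no colon or emphasis, so they read as stray text; format them consistently with the step headings used elsewhere in the docs. The Mark all as reviewed paragraph and the Customize Anomalies List section both state that filtered-out anomalies are not affected, so one of the two statements could be a cross-reference. The blank runs after "View Profile next to his or her name." and after the Change Status steps look like dropped screenshots.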
diff --git a/docs/auditor/10.8/admin/compliancemappings.md b/docs/auditor/10.8/admin/compliancemappings.md
new file mode 100644
index 0000000000..3a24e44e4d
--- /dev/null
+++ b/docs/auditor/10.8/admin/compliancemappings.md
@@ -0,0 +1,16 @@
+---
+title: "Compliance Mappings"
+description: "Compliance Mappings"
+sidebar_position: 100
+---
+
+# Compliance Mappings
+
+This tile contains links to the practical guides on how to comply with different standards using
+Netwrix Auditor. The guides were prepared by Netwrix industry experts and contain full information
+about most popular compliance standards. Clicking the 'Learn more...' link under a desired standard
+opens the page on the Netwrix website. Here you can review a brief description of each compliance
+standard supported by the product and download E book containing detailed requirements for the
+standards.
+
+
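Review bot: "download E book containing detailed requirements" should be "download an e-book containing the detailed requirements", and "about most popular compliance standards" needs "the". "Here you can review" is ambiguous about whether "here" means the tile or the Netwrix website page; say which. The file ends with two blank lines after the paragraph, which suggests an image was dropped; either restore it or trim the trailing blank lines.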
diff --git a/docs/auditor/10.8/admin/healthstatus/_category_.json b/docs/auditor/10.8/admin/healthstatus/_category_.json
new file mode 100644
index 0000000000..299c75cb5b
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Netwrix Auditor Operations and Health",
+ "position": 110,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/admin/healthstatus/dashboard/_category_.json b/docs/auditor/10.8/admin/healthstatus/dashboard/_category_.json
new file mode 100644
index 0000000000..3ec155dadf
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/dashboard/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Health Status Dashboard",
+ "position": 10,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/admin/healthstatus/dashboard/activityrecordstatistics.md b/docs/auditor/10.8/admin/healthstatus/dashboard/activityrecordstatistics.md
new file mode 100644
index 0000000000..45a46a6e17
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/dashboard/activityrecordstatistics.md
@@ -0,0 +1,26 @@
+---
+title: "Activity Records Statistics"
+description: "Activity Records Statistics"
+sidebar_position: 10
+---
+
+# Activity Records Statistics
+
+Aggregated statistics on the activity records is provided in the Activity records by date widget.
+The chart shows the number of activity records produced by your data sources, collected and saved by
+Netwrix Auditor during the last 7 days. This data can help you to assess the activity records
+generation intensity in your IT infrastructure, and product load.
+
+After you click View details, the Activity Records Statistics window will be displayed.
+
+
+
+By default, statistics on activity records processing is grouped by Monitoring plan and presented
+for the Last 7 days. To modify the timeframe, use the drop-down list in the upper right corner.
+
+Other fields provide the following information: data source that produces activity records, with
+date and time of the last collected record, and the overall number of records collected and uploaded
+to the corresponding Audit database during the specified timeframe.
+
+If the data sources processed by a monitoring plan did not produce any activity records during the
+specified timeframe, this monitoring plan will not appear in the list.
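Review bot: After "the Activity Records Statistics window will be displayed." there are three empty lines and no image, so the screenshot that sentence introduces appears to have been dropped in the migration. Either restore the image reference or collapse the blank lines. In the first sentence, "Aggregated statistics on the activity records is provided" should use "are provided"; the same applies to "statistics on activity records processing is grouped".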
diff --git a/docs/auditor/10.8/admin/healthstatus/dashboard/databasestatistics.md b/docs/auditor/10.8/admin/healthstatus/dashboard/databasestatistics.md
new file mode 100644
index 0000000000..a27b837221
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/dashboard/databasestatistics.md
@@ -0,0 +1,62 @@
+---
+title: "Database Statistics"
+description: "Database Statistics"
+sidebar_position: 40
+---
+
+# Database Statistics
+
+Databases may tend to run out of free space due to poor capacity provisioning or to retention
+settings not configured properly. Use the Database statistics widget to examine database size and
+adjust retention accordingly. The widget displays the name of default SQL Server instance hosting
+all Netwrix Auditor databases, the overall database capacity at the moment and its change over the
+last day (24 hours).
+
+Transaction logs size is not included in the calculations.
+
+After you click View details, the following information will be displayed for the specified SQL
+Server instance:
+
+
+
+The Database name column contains the list of Netwrix Auditor databases hosted by the specified
+instance of the SQL Server:
+
+- Special databases are created automatically on the default SQL Server instance to store:
+ - alerts—_Netwrix_AlertsDB_ database
+ - activity records collected using Integration API—_Netwrix_Auditor_API_ database
+ - internal event records—_Netwrix_Auditor_EventLog_ database
+ - data collected by Netwrix Auditor self-audit—_Netwrix_Self_Audit_ database
+ - data needed for overview reports generation—_Netwrix_OverviewReportsDB_
+- To store data from the data sources included in the monitoring plan, dedicated Audit databases are
+ created and named by user (default name format is _Netwrix_Auditor_``\_)
+
+The following capacity metrics are displayed for each database:
+
+- **State**—database state summary
+- **Size**—current database size (logs are not included)
+- **Activity records**—number of the activity records stored in the database at the moment
+
+After you expand the database node, the detailed database properties will be shown:
+
+
+
+These properties are as follows:
+
+| Property | Possible Values | Description |
+| -------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------ |
+| Size limit | _``_ | For SQL Server Express Edition–shows database size limitations |
+| Unlimited | | |
+| State description | OK | Database is operating properly. |
+| Capacity error | Database is running low on disk space. -OR- Size limit for SQL Server Express Edition will be reached soon (threshold is 500 MB, i.e. 5% of 10 GB limit remaining). | |
+| Failed to store data | Failed to store data to the database due to some issues. | |
+| Unavailable | Failed to connect to the database. | |
+| Upgrade in progress | Database is being upgraded. | |
+| Monitoring plans | _``_ | All monitoring plans for which this database is a target. Usually it is recommended to configure a dedicated database for each plan. |
+
+You can use the Search field, or apply a filter to display the information you need. For example, in
+the Apply Filters dialog you can select the Show only plans with issues to display only the
+monitoring plans that require attention and corrective actions.
+
+This information will help you to troubleshoot the product operation, detect and eliminate the root
+cause of the monitoring errors, providing for auditing continuity and compliance.
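Review bot: The properties table is misaligned. The values "Unlimited", "Capacity error", "Failed to store data", "Unavailable" and "Upgrade in progress" sit in the Property column with their descriptions in the Possible Values column, which looks like a merged-cell table flattened during conversion. Each of these should be a Possible Values entry under "Size limit" or "State description". Two placeholders are also empty: the Size limit and Monitoring plans values render as `_``_`, and the default Audit database name ends in `_Netwrix_Auditor_``\_`, so the variable part of the name is lost. Finally, the last two paragraphs refer to "Show only plans with issues" and monitoring plans, which matches the Monitoring Overview page and not a database view; please check whether they belong here.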
diff --git a/docs/auditor/10.8/admin/healthstatus/dashboard/healthlog.md b/docs/auditor/10.8/admin/healthstatus/dashboard/healthlog.md
new file mode 100644
index 0000000000..14fbc5d956
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/dashboard/healthlog.md
@@ -0,0 +1,92 @@
+---
+title: "Netwrix Auditor Health Log"
+description: "Netwrix Auditor Health Log"
+sidebar_position: 30
+---
+
+# Netwrix Auditor Health Log
+
+Daily summary of the Netwrix Auditor health log is displayed in the Health log widget. The chart
+shows how many events with different severity levels were written to the product health log in the
+last 24 hours. To open the health log, click the **Open Health Log** link in the Health Status
+dashboard. See the topic for additional information.
+
+If you want to clear Netwrix Auditor Health Log, son the computer where Auditor Server is installed,
+navigate to **EventViewer** -> **Application and Services Logs** and locate the **Netwrix Auditor
+System Health log**. Then, follow the instructions provided by Microsoft. See the Microsoft article
+for additional information on
+[How to Clear Event Logs](https://learn.microsoft.com/en-us/host-integration-server/core/how-to-clear-event-logs1).
+
+
+
+## Netwrix Auditor System Health Log
+
+When an error occurs, a system administrator or support engineer must determine what caused this
+error and prevent it from recurring. For your convenience, Auditor records important events in the
+proprietary Netwrix Auditor **System Health** event log.
+
+You can review events directly in the product:
+
+- When issues encountered during data collection, click Details... in the Status column and select
+ View Health Log.
+
+ OR
+
+- In the main screen, in the Configuration section click the Health status tile, then in the Health
+ log dashboard widget click Open health log.
+
+You can also inspect the log in the Event Viewer.
+
+There are three types of events that can be logged:
+
+| Event Type | Description |
+| ----------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Information | An event that describes the successful operation beginning or completion. For example, the product successfully completed data collection for a monitoring plan. |
+| Warning | An event that is not necessarily significant, but may indicate a possible future problem. For example, the product failed to process a domain controller. |
+| Error | An event that indicates a significant problem such as loss of data or loss of functionality. For example, the product failed to retrieve settings for your data source. |
+
+Review the following:
+
+- Inspect Events in Health Log
+
+If you want to monitor Auditor health status in more depth, you can do the following:
+
+- Create a monitoring plan for this log using Event Log Manager to collect activity data. See the
+ Health Status overview for additional information.
+- Configure alerts triggered by specific events in the product's health log.
+ [Create Alerts on Health Status](/docs/auditor/10.8/admin/alertsettings/create/createhealthstatus.md)
+
+## Inspect Events in Health Log
+
+Follow the steps o inspect events in Netwrix Auditor health log
+
+**Step 1 –** On the main Auditor page, select the Health status tile, then in the Health log
+dashboard widget click Open health log.
+
+**Step 2 –** Select an entry to review it in details. You can also copy event details. Select the
+event in the list and click Copy details at the bottom of the window.
+
+For your convenience, Auditor provides you with filters so that you can narrow down the number of
+events on the screen and focus on those that matter most. For example, warnings on failed data
+collection or events of an important monitoring plan.
+
+### Filter Events
+
+Follow the steps to filter events.
+
+**Step 1 –** Select Filters in the upper part of the Netwrix Auditor Health Log window.
+
+**Step 2 –** Complete the following fields:
+
+| Option | Description |
+| --------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Logged | Specify event logging time period (date range, yesterday, etc.). |
+| Event level | Select level of the events that you want to be displayed. |
+| Event source | Select services and applications whose events you want to view. |
+| Monitoring plan | Select to display events from one or several monitoring plans. |
+| Item name | Select to display events from the certain item(s) you need. |
+| Event ID | Enter event ID number or range of event IDs separated by commas. For example, 1, 3, 5-99. You can also exclude unwanted event IDs from being displayed. Type the minus sign before selected event ID. For example, -76. |
+
+
+
+The applied filters will be listed on the top of the screen under the window title.
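Review bot: Several sentences in this file are broken and should be fixed before merge. In the second paragraph, "son the computer where Auditor Server is installed" has a stray "s" and "EventViewer" is missing a space. In the first paragraph, "See the topic for additional information." has lost its link target. "When issues encountered during data collection" is missing a verb, and "Follow the steps o inspect events in Netwrix Auditor health log" should read "to inspect" and end with a period. The "Review the following:" list and the "See the Health Status overview" bullet name topics without linking them, while the alerts bullet carries a bare link with no sentence around it. Since the page tells administrators how to clear the log and also describes it as the record used to determine what caused an error, consider adding a sentence advising them to save a copy before clearing.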
diff --git a/docs/auditor/10.8/admin/healthstatus/dashboard/monitoringoverview.md b/docs/auditor/10.8/admin/healthstatus/dashboard/monitoringoverview.md
new file mode 100644
index 0000000000..7598d4122c
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/dashboard/monitoringoverview.md
@@ -0,0 +1,47 @@
+---
+title: "Monitoring Overview"
+description: "Monitoring Overview"
+sidebar_position: 20
+---
+
+# Monitoring Overview
+
+Aggregated statistics on the monitoring plans is provided in the Monitoring overview widget. It
+displays current statuses of all monitoring plans:
+
+- Ready (green indicator)—The monitoring plans (one or several) successfully processed the data
+ sources with all their items and are ready for the next run.
+- Pay attention (yellow indicator)—The monitoring plans (one or several) require your attention, as
+ some items were not processed completely but only partially. This status applies to the monitoring
+ plans targeted at Logon Activity and Windows File Server. See the table below for details.
+- Take action (red indicator)—Any data source or item in the monitoring plan (one or several) was
+ processed with errors.
+
+After you click View details, the Monitoring Overview window will be displayed.
+
+
+
+It provides the hierarchical list of monitoring plans, processed data sources and corresponding
+items with their current status and date/time of the last data processing session. For data sources
+and items their current status is depicted as follows:
+
+| Entity | Status | Description |
+| --------------- | ------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Data source | Disabled | A data source can be disabled manually via its settings (by switching Monitor this data source and collect activity data to OFF), or automatically, if the license is not valid any more (for example, the count of licensed objects was exceeded, or the trial period has expired). |
+| Empty | No items have been added to this data source yet. | |
+| Enabled | Monitor this data source and collect activity data is set to ON in the data source settings. | |
+| Not available | The monitoring plan is corrupted and cannot process its data sources, so it is recommended to remove it and create anew. | |
+| Not responding | Data collector for this data source is not responding. The underlying items will not be displayed for such data source. | |
+| Working | The data source is being processed at the moment. | |
+| (not displayed) | The data source status is unknown. | |
+| Item | Pay attention | The item was processed with some issues (non-critical). This status applies to the monitoring plans targeted at Logon Activity and Windows File Server. It means that data collection from at least one entity completed with errors. For example, a MyFileServer item included in the File Server monitoring plan contains all CIFS shares hosted on the MyFileServer computer. If any of these shares was processed with errors while others were processed successfully, the processing of the whole MyFileServer item will be considered partially completed, and the monitoring plan will have a yellow indicator, requiring your attention. Click the Details link to examine the product log. |
+| Ready | The item was processed successfully and is ready for the next run of data collection. | |
+| Take action | Critical error(s) occurred while processing this item. Click the Details link to examine the product log. | |
+| Working | The item is being processed at the moment. | |
+
+You can use the Search field, or apply a filter to display the information you need. For example, in
+the Apply Filters dialog you can select the Show only plans with issues to display only the
+monitoring plans that require attention and corrective actions.
+
+This information will help you to troubleshoot the product operation, detect and eliminate the root
+cause of the monitoring errors, providing for auditing continuity and compliance.
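Review bot: The status table has lost its row grouping. Only the first row of each group carries the Entity value ("Data source", "Item"); in the following rows the status names ("Empty", "Enabled", "Not available", "Ready", "Take action", "Working") have shifted into the Entity column and their descriptions into the Status column, leaving Description empty. Repeat the Entity value on each row, or split this into two tables, so every status lines up with its description. In the "Not available" row, "create anew" should be "create it anew".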
diff --git a/docs/auditor/10.8/admin/healthstatus/dashboard/overview.md b/docs/auditor/10.8/admin/healthstatus/dashboard/overview.md
new file mode 100644
index 0000000000..189709ccf8
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/dashboard/overview.md
@@ -0,0 +1,46 @@
+---
+title: "Health Status Dashboard"
+description: "Health Status Dashboard"
+sidebar_position: 10
+---
+
+# Health Status Dashboard
+
+New Health Status dashboard facilitates Auditor maintenance and troubleshooting tasks, providing IT
+specialists with at-a-glance view on the most critical factors: data collection performance, product
+health and storage capacity. The dashboard comprises a set of widgets that display the status of
+these aspects using aggregated statistics and charts. Nearly each widget allows you to drill down to
+the detailed information on the aspect you are interested in.
+
+To view the dashboard, on the main Auditor page, click the Health status tile located in the
+Configuration section.
+
+The dashboard includes the following widgets:
+
+- The Activity records by date chart—Shows the number of activity records produced by your data
+ sources, collected and saved by Netwrix Auditor during the last 7 days. See the
+ [Activity Records Statistics](/docs/auditor/10.8/admin/healthstatus/dashboard/activityrecordstatistics.md) topic for additional information.
+- The Monitoring overview widget—Shows aggregated statistics on the statuses of all monitoring plans
+ configured in Netwrix Auditor at the moment. See the [Monitoring Overview](/docs/auditor/10.8/admin/healthstatus/dashboard/monitoringoverview.md)
+ topic for additional information.
+- The Health log chart—Shows the statistics on the events written in the Netwrix Auditor health log
+ in the last 24 hours. Click the link in this widget to view the log. See the
+ [Netwrix Auditor Health Log](/docs/auditor/10.8/admin/healthstatus/dashboard/healthlog.md) topic for additional information.
+- The Database statistics widget—Helps you to estimate database capacity on the default SQL Server
+ instance that hosts the product databases. See the [Database Statistics](/docs/auditor/10.8/admin/healthstatus/dashboard/databasestatistics.md)
+ topic for additional information.
+- The Long-Term Archive widget—Helps you to estimate the capacity of the Long-Term Archive
+ file-based storage. To modify its settings, including location and retention, click the link in
+ this widget. See the [System Health](/docs/auditor/10.8/requirements/longtermarchive.md#system-health) topic
+ for additional information.
+- The Working Folder widget—Helps you to estimate the capacity of the Auditor working folder used to
+ keep operational information (configuration files of the product components, log files, and other
+ data) on the Auditor Server. See the
+ [System Health](/docs/auditor/10.8/requirements/longtermarchive.md#system-health) topic for additional
+ information.
+
+
+
+You can also instruct Netwrix Auditor to forward similar statistics as a health summary email to
+personnel in charge. For that, click Notification settings, then follow the steps described in the
+[Notifications](/docs/auditor/10.8/admin/settings/notifications.md) topic.
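Review bot: The Working Folder bullet links to `/docs/auditor/10.8/requirements/longtermarchive.md#system-health`, the same target as the Long-Term Archive bullet above it. Please confirm that anchor actually covers the working folder, or point the bullet at the topic that does. The front matter sets `sidebar_position: 10`, which is the same value `activityrecordstatistics.md` uses in this directory, so one of the two should change unless this page is shown only as the category landing page. The opening word "New" in "New Health Status dashboard" is release-note wording that will age in versioned documentation; "The Health Status dashboard" is safer.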
diff --git a/docs/auditor/10.8/admin/healthstatus/networktrafficcompression.md b/docs/auditor/10.8/admin/healthstatus/networktrafficcompression.md
new file mode 100644
index 0000000000..68acf607bf
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/networktrafficcompression.md
@@ -0,0 +1,43 @@
+---
+title: "Network Traffic Compression"
+description: "Network Traffic Compression"
+sidebar_position: 40
+---
+
+# Network Traffic Compression
+
+To reduce network traffic in distributed deployments, multi-site networks and other environments
+with remote locations that have limited bandwidth, it is recommended to use network traffic
+compression. For that purpose, special Netwrix utilities should be installed in the audited
+environment. These utilities will run on the target computers (depending on your monitoring plan),
+collect, pre-filter data and send it to Auditor Server in a highly compressed format.
+
+With network traffic compression, data from the target machines is collected simultaneously,
+providing for network load balance and minimizing data collection time. (Unlike that, without
+network traffic compression the target machines will be processed sequentially, i.e. one at a time.)
+So, network traffic compression helps to increase scalability and optimize network traffic.
+
+Its key capabilities are as follows:
+
+- Allows Auditor to collect detailed metrics for the servers, log files, hardware and individual
+ processes
+- Collects audit data with no recognizable load on the server
+- Communicates with Netwrix Auditor Server at predefined intervals, relaying data back to a central
+ repository for storage
+
+Network traffic compression is available for the following data sources:
+
+- Active Directory
+- Exchange
+- File Servers
+- Dell
+- NetApp
+- Windows Server
+- Event Logs
+- Group Policy
+- Logon Activity
+- SharePoint
+- User Activity
+
+To learn how to enable this feature, refer to the
+[Create a New Monitoring Plan](/docs/auditor/10.8/admin/monitoringplans/create.md) topic for additional information.
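Review bot: The data source list names "Dell" and "NetApp" without saying which storage products are meant, next to a separate "File Servers" entry; use the data source names as they appear in the product so readers can match them. The closing sentence, "To learn how to enable this feature, refer to the ... topic for additional information", states its purpose twice and can end after "topic". The capability "Collects audit data with no recognizable load on the server" is an unqualified claim; "with minimal load" would be easier to stand behind.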
diff --git a/docs/auditor/10.8/admin/healthstatus/overview.md b/docs/auditor/10.8/admin/healthstatus/overview.md
new file mode 100644
index 0000000000..bb92e28da6
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/overview.md
@@ -0,0 +1,15 @@
+---
+title: "Netwrix Auditor Operations and Health"
+description: "Netwrix Auditor Operations and Health"
+sidebar_position: 110
+---
+
+# Netwrix Auditor Operations and Health
+
+This topic describes how you can monitor Auditor operations, health and resource usage. See the
+following topics for additional information:
+
+- [Health Status Dashboard](/docs/auditor/10.8/admin/healthstatus/dashboard/overview.md)
+- [Self-Audit](/docs/auditor/10.8/admin/healthstatus/selfaudit.md)
+- [Health Summary Email](/docs/auditor/10.8/admin/healthstatus/summaryemail.md)
+- [Netwrix Auditor Health Log](/docs/auditor/10.8/admin/healthstatus/dashboard/healthlog.md)
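Review bot: The topic list omits two pages added in the same directory by this change, `networktrafficcompression.md` and `troubleshooting.md`. Add links to both so the landing page covers everything in the section, or state why they are excluded.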
diff --git a/docs/auditor/10.8/admin/healthstatus/selfaudit.md b/docs/auditor/10.8/admin/healthstatus/selfaudit.md
new file mode 100644
index 0000000000..28b012d747
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/selfaudit.md
@@ -0,0 +1,70 @@
+---
+title: "Self-Audit"
+description: "Self-Audit"
+sidebar_position: 20
+---
+
+# Self-Audit
+
+Built-in Netwrix Auditor self-audit allows you to track changes to the product configuration,
+including monitoring plans, data sources, audit scope and details about it (before-after values).
+This helps you to ensure that monitoring scope is complete and changed only in line with the
+workflows adopted by our organization.
+
+The corresponding option is available on the General tab of Netwrix AuditorSettings. By default, the
+**Collect data for self-audit checkbox** is selected (enabled).
+
+
+
+### Search for Self-audit Results
+
+All Auditor self-audit Activity Records can be found quickly using AuditIntelligence Search.
+
+Follow the steps to search for self-audit results.
+
+**Step 1 –** In Auditor, navigate to Search.
+
+**Step 2 –** Set the Data source filter to **Self-audit**.
+
+**Step 3 –** Click Search to review results:
+
+
+
+**NOTE:** After reviewing your search results, apply filters to narrow your data. See the
+[View Reports](/docs/auditor/10.8/admin/reports/view.md) topic for additional information.
+
+**Step 4 –** After browsing your data, navigate to Tools to use the search results as intended. See
+the [View and Search Collected Data](/docs/auditor/10.8/admin/search/overview.md) topic for additional information.
+
+### Review Auditor Self-Audit Report
+
+Also, there is a new Netwrix Auditor Self-Audit report available under Organization Level Reports in
+the predefined set of reports. This report shows detailed information on changes to Auditor
+monitoring plans, data sources and audited items.
+
+Follow the steps to review the Self-audit report.
+
+**Step 1 –** In Auditor, navigate to Reports > Organization Level Reports.
+
+**Step 2 –** Select the Netwrix Auditor Self-Audit report and click View.
+
+
+
+## Netwrix Auditor Self-Audit Scope
+
+Review the full list of components and settings captured within Netwrix Auditor self-audit scope.
+
+| Object type | Action | What | Details |
+| -------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------- |
+| Local logon | - Successful Logon - Logoff | - Netwrix Auditor server name | - |
+| Remote logon | - Successful Logon - Logoff | - Netwrix Auditor server name | - |
+| Netwrix Auditor global settings | - Modified | - Self-audit settings - Usage statistics collection settings - Tags - Audit database settings - Long-term archive settings - Data import for investigations - Notification settings - Integration API settings - License settings - Check for update settings | - Self audit (enabled / disabled) - Settings changed |
+| Monitoring plan | - Added - Modified - Removed | - Monitoring plan name | - Monitoring plan path changed - Role assignments (added / removed) - Activity Summary recipients (added / removed) - Settings changed |
+| Data source | - Added - Modified - Removed | - Monitoring plan name \ Data source name | - Monitoring status (enabled / disabled) - Settings changed |
+| Item | - Added - Modified - Removed | - Monitoring plan name \ Data source name \ Item name | - Item name changed - Settings changed |
+| Alert | - Added - Modified - Removed | - Alert name | - Name changed - Mode (enabled / disabled) - Alert recipients (added / removed) - Settings changed |
+| Monitoring plans folder | - Added - Modified - Removed | - All Monitoring Plans \ Folder name | - Name changed - Role assignments (added / removed) |
+| Monitoring plans root folder | - Modified | - All Monitoring Plans | - Role assignment (added / removed) |
+| Custom search-based report | - Added - Modified - Removed | - Report name | - Name changed - Settings changed |
+| - Subscription to custom search-based report - Subscription to overview reports - Subscription to SSRS-based report - Subscription to risk assessment overview | - Added - Modified - Removed | - Subscription name | - Name changed - Mode (enabled / disabled) - Subscription recipients (added / removed) - Settings changed |
+| Configuration integrity | - Added - Modified | - Configuration data - Configuration integrity state | - Alerts, saved searches, subscriptions, etc. |
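Review bot: In the first paragraph, "workflows adopted by our organization" should be "your organization", since the text addresses the customer. The second paragraph has "Netwrix AuditorSettings" with a missing space, and the bold span "**Collect data for self-audit checkbox**" includes the word "checkbox", which is not part of the option name. Heading levels are inconsistent: "Search for Self-audit Results" and "Review Auditor Self-Audit Report" are `###` directly under the `#` title, while "Netwrix Auditor Self-Audit Scope" is `##`. Blank runs after "Click Search to review results:" and after Step 2 of the report procedure suggest dropped screenshots. In the scope table, the multi-value cells are flattened into "- Added - Modified - Removed" strings; line breaks or separate rows would keep them readable.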
diff --git a/docs/auditor/10.8/admin/healthstatus/summaryemail.md b/docs/auditor/10.8/admin/healthstatus/summaryemail.md
new file mode 100644
index 0000000000..8ed69815f9
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/summaryemail.md
@@ -0,0 +1,24 @@
+---
+title: "Health Summary Email"
+description: "Health Summary Email"
+sidebar_position: 30
+---
+
+# Health Summary Email
+
+Auditor Health Summary email includes all statistics on the product operations and health for the
+last 24 hours; it also notifies you about license status. By default, this email is generated daily
+at 7:00 AM and delivered to the recipient specified in the
+[Notifications](/docs/auditor/10.8/admin/settings/notifications.md) settings. Email content is very similar to data
+presented in the [Health Status Dashboard](/docs/auditor/10.8/admin/healthstatus/dashboard/overview.md).
+
+For greater usability, to depict overall product health state, the email includes a color indicator
+in the topmost section: green means Auditor had no issues while auditing your IT infrastructure, and
+red means there were some problems that require your attention.
+
+The email looks like shown below:
+
+
+
+The Monitoring Overview section of the email provides detail information only for the monitoring
+plans with issues. Successfully completed monitoring plans are not included.
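Review bot: "The email looks like shown below:" is followed only by empty lines, so the sample image it introduces is missing. Restore the image reference or remove the sentence. In the last paragraph, "provides detail information" should be "provides detailed information".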
diff --git a/docs/auditor/10.8/admin/healthstatus/troubleshooting.md b/docs/auditor/10.8/admin/healthstatus/troubleshooting.md
new file mode 100644
index 0000000000..71902a7bb0
--- /dev/null
+++ b/docs/auditor/10.8/admin/healthstatus/troubleshooting.md
@@ -0,0 +1,39 @@
+---
+title: "Troubleshooting"
+description: "Troubleshooting"
+sidebar_position: 50
+---
+
+# Troubleshooting
+
+This section provides instructions on how to troubleshoot issues that you may encounter while using
+Netwrix Auditor.
+
+If your issue is not listed in the table below, try searching
+[Netwrix Knowledge Base](https://helpcenter.netwrix.com/).
+
+If you need assistance from the Technical Support team, you can open a ticket using the Customer
+portal as described in the Creating a ticket with Customer portal section.
+
+| Issue | Reason and solution |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| I cannot connect/logon to Auditor. | 1. You may have insufficient permissions. Contact your Auditor Global administrator to make sure that your account is delegated control of the product. 2. You are trying to connect to a remote Auditor specified by its IP address while the NTLM authentication is disabled. Try specifying a server by its name (e.g., EnterpriseWKS). |
+| I do not receive any results while searching audit data or generating reports, or I am sure that some data is missing. | 1. No changes were detected. 2. You do not have sufficient permissions to review intelligence data. Contact your Global administrator. 3. Review your filter settings and make sure that your filters are properly configured. Try modifying your search. 4. You are looking for changes that occurred more than 180 days ago. These changes are no longer available for reporting and running searches. Ask your Auditor Global administrator to import audit data for a required date range from the Long-Term Archive. 5. Data collection for this monitoring plan might not have been launched two times yet or there was no data collection after this change; therefore, audit data has not been written to the Audit Database yet. 6. Some settings in Auditor are configured incorrectly. Contact your Auditor administrator to make sure that: - The monitoring plan you want to audit is properly configured, and the monitoring is enabled for each data source individually. - Audit Database settings are properly configured for each data source individually and Disable security intelligence and make data available only in activity summaries is cleared. Netwrix recommends to store all audit data on the same default SQL Server instance. |
+| "No plans found" text in the Monitoring plan field. | Contact your Auditor Global administrator or Configurator to make sure that the monitoring plans exist and are properly configured. |
+| I see a blank window instead of a report. | Contact your Auditor Global administrator to make sure that you are granted sufficient permissions on the Report Server. To view reports in a web browser - Open a web browser and type the Report Manager URL (found under Settings>**Audit Database**). In the page that opens, navigate to the report you want to generate and click the report name. You can modify the report filters and click View Report to apply them. |
+| I configured report subscription to be uploaded to a file server, but cannot find it / cannot access it. | Subscriptions can be uploaded either to a file share (e.g., _\\filestorage\reports_) or to a folder on the computer where Auditor Server is installed. To access these reports, you must be granted the Read permission. |
+| When trying to collect event data from Active Directory domain, an error message like this appears in Netwrix Health Log: _Monitoring Plan: `` The following error has occurred while processing '``': Error collecting the security log of the domain ``. Failed to process the domain controller `` due to the following error: The service cannot be started, either because it is disabled or because it has no enabled devices associated with it_. | This may happen due to Secondary Logon Service disabled state. To collect event data from the domain, this service must be up and running. Open its properties and start the service. |
+| The 'Workstation' field in search, reports, and Activity Summary is reported as 'unknown' | For the full list of possible reasons, please refer to the following Netwrix Knowledge Base article: [Why is the "Workstation" field reported as "unknown"?](https://helpcenter.netwrix.com/bundle/z-kb-articles-salesforce/page/kA00g000000H9VdCAK.html) |
+
+## Creating a ticket with Customer portal
+
+1. Sign in at [https://www.netwrix.com/my_tickets.html](https://www.netwrix.com/my_tickets.html).
+2. You can search or browse through the Knowledge Base articles here, or click **Create New
+ Ticket**:
+
+ 
+
+3. Fill in the form, describing the issue, and click **Open a ticket**.
+4. After that, you will be able to attach the files you need (screenshots, emails, reports, etc.).
+
+
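Review bot: In the troubleshooting row about the Secondary Logon Service, the quoted Netwrix Health Log message contains empty inline-code spans ("Monitoring Plan: `` The following error has occurred while processing '``'", "of the domain ``", "the domain controller ``"), so the placeholders for the plan, item, domain and domain controller were lost. Restore the placeholder names in an escaped form, otherwise readers cannot match this message against their own Health Log. In the first visible row of the same table, the numbered causes are run together inside one cell ("1. No changes were detected. 2. You do not have sufficient permissions ...") and need explicit line breaks to be readable.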
diff --git a/docs/auditor/10.8/admin/monitoringplans/_category_.json b/docs/auditor/10.8/admin/monitoringplans/_category_.json
new file mode 100644
index 0000000000..3e533dc4dd
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Monitoring Plans",
+ "position": 30,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
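Review bot: This file ends without a trailing newline (the "\ No newline at end of file" marker after the closing brace), and the activedirectory/_category_.json added next has the same marker. End both files with a newline so that later edits do not show the last line as changed.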
diff --git a/docs/auditor/10.8/admin/monitoringplans/activedirectory/_category_.json b/docs/auditor/10.8/admin/monitoringplans/activedirectory/_category_.json
new file mode 100644
index 0000000000..57ae191a59
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/activedirectory/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Active Directory",
+ "position": 40,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
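Review bot: The link target here is "id": "overview", the same value the parent admin/monitoringplans/_category_.json uses. Please confirm in a local build that each category resolves to the overview.md in its own folder and that the two do not collide.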
diff --git a/docs/auditor/10.8/admin/monitoringplans/activedirectory/overview.md b/docs/auditor/10.8/admin/monitoringplans/activedirectory/overview.md
new file mode 100644
index 0000000000..89da8d3ddf
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/activedirectory/overview.md
@@ -0,0 +1,154 @@
+---
+title: "Active Directory"
+description: "Active Directory"
+sidebar_position: 40
+---
+
+# Active Directory
+
+**NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in
+the following topics:
+
+- [Protocols and Ports Required](/docs/auditor/10.8/requirements/ports.md) – To ensure successful data
+ collection and activity monitoring configure necessary protocols and ports for inbound and
+ outbound connections
+- [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to
+ audit your IT systems
+
+- [Active Directory](/docs/auditor/10.8/configuration/activedirectory/overview.md) – Configure data source as
+ required to be monitored
+
+Complete the following fields:
+
+| Option | Description |
+| -------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | |
+| Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. |
+| Monitor Active Directory partitions | Select which of your Active Directory environment partitions you want to audit. By default, Auditor only tracks changes to the Domain partition and the Configuration partition of the audited domain. If you also want to audit changes to the Schema partition, or to disable auditing of changes to the Configuration partition, select one of the following: - Domain—Stores users, computers, groups and other objects. Updates to this partition are replicated only to domain controllers within the domain. - Configuration—Stores configuration objects for the entire forest. Updates to this partition are replicated to all domain controllers in the forest. Configuration objects store the information on sites, services, directory partitions, etc. - Schema—Stores class and attribute definitions for all existing and possible Active Directory objects. Updates to this partition are replicated to all domain controllers in the forest. You cannot disable auditing the Domain partition for changes. |
+| Detect additional details | Specify additional information to include in reports and activity summaries. Select Group membershipif you want to include Group membership of the account under which the change was made. |
+| Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. |
+| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Active Directory](/docs/auditor/10.8/configuration/activedirectory/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. |
+| Collect data for state-in-time reports | Configure Auditor to store daily snapshots of your Active Directory domain configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.8/admin/reports/types/stateintime/overview.md) topic for additional information. The product updates the latest snapshot on the regular basis to keep users up-to-date on actual system state. Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database. For that, in the Manage historical snapshots section, click **Manage** and select the snapshots that you want to import. To import snapshots, you must be assigned the Global administrator or the Global reviewer role . Move the selected snapshots to the Snapshots available for reporting list using the arrow button. When finished, click **OK**. |
+| Users | |
+| Specify monitoring restrictions | Specify user accounts to exclude from data collection (and, therefore, search results, reports and Activity Summaries). To add a user to the exclusion list, click Add, then provide the user name in the _domain\user_ format. Consider the following: - Use NetBIOS format for domain name: _mydomain_ - Some audit data (events) may contain _System_ as the user (initiator) account name. To exclude such data, specify "_System_" when adding a user name here. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.8/admin/monitoringplans/overview.md)topic for additional information. |
+| Objects | |
+| Specify monitoring restrictions | Specify restrictions for the objects to monitor in your Active Directory. Use them to create the lists of specific objects to include and / or exclude from the monitoring scope (and, therefore, search results, reports and Activity Summaries). The following options are available: - Monitor all objects - **Include these objects** - **Exclude these objects** To create a list of inclusions / exclusions, click Add and enter object path using one of the following formats: - Canonical name, for example: _mydomain.local/Computers/filesrv01_ OR - Object path as shown in the "_What_" column of reports and search results, for example: _\local\mydomain\Computers\filesrv01_ You can use a wildcard (\*) to replace any number of characters in the path. See the examples below for more information. |
+
+
+
+Examples
+
+The following examples explain how the exclusion rules work. Same logic applies to the inclusion
+rules.
+
+- _dc11.local/OU_ will exclude the OU itself. However, objects within this OU will not be excluded.
+- _dc11.local/OU/\*_ will exclude objects within the OU. However, the OU itself will not be
+ excluded.
+- _dc11.local/OU\*_ will exclude the OU itself, all objects within it, and also all objects whose
+ path begins with _dc11.local/OU_ (like _dc11.local/OU_HQ_).
+
+So, with the settings as in the screenshot above, the program will monitor all objects within the
+_OU_, except for the objects whose path begins with _enterprise.local/OU/BO_. The OU itself,
+however, will not be monitored, meaning that, for example, its renaming will not be reported.
+
+In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more
+granular audit data. Note that the new monitoring scope restrictions apply together with previous
+exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.8/admin/monitoringplans/overview.md)topic
+for additional information.
+
+## Enable Auditing of Active Directory Partitions
+
+This topic applies to auditing Active Directory only.
+
+Active Directory environment consists of the following directory partitions:
+
+- Domain partition — Stores users, computers, groups and other objects. Updates to this partition
+ are replicated only to domain controllers within the domain.
+- Configuration partition — Stores configuration objects for the entire forest. Updates to this
+ partition are replicated to all domain controllers in the forest. Configuration objects store the
+ information on sites, services, directory partitions, etc.
+- Schema partition — Stores class and attribute definitions for all existing and possible Active
+ Directory objects. Updates to this partition are replicated to all domain controllers in the
+ forest.
+
+By default, Netwrix Auditor only tracks changes to the Domain partition and the Configuration
+partition of the audited domain. If you also want to audit changes to the Schema partition, or to
+disable auditing of changes to the Configuration partition do the following:
+
+You cannot disable auditing the Domain partition for changes.
+
+To enable auditing of the Configuration and Schema partitions
+
+- Navigate to All monitoring plans > your monitoring plan > Active Directory.
+- In the right pane, click **Configure**, next to Advanced Options.
+- In the Advanced Options dialog, select **Configuration** and **Schema**.
+
+Information on changes to the selected partitions will be available in reports and will be saved in
+snapshots.
+
+## AD Container
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | |
+| Specify AD container | Specify a whole AD domain, OU or container. Click **Browse** to select from the list of containers in your network. You can also: - Select a particular computer type to be audited within the chosen AD container: **Domain controllers, Servers (excluding domain controllers)**, or **Workstations**. - Click **Exclude** to specify AD domains, OUs, and containers you do not want to audit. In the Exclude Containers dialog, click Add and specify an object. The list of containers does not include child domains of trusted domains. Use other options **(Computer, IP range** to specify the target computers. |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information. Refer to the [Permissions for Active Directory Auditing](/docs/auditor/10.8/configuration/activedirectory/permissions.md) topic for more information on using Netwrix Privilege Secure as an account for data collection. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the[Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. |
+| Containers and Computers | |
+| Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. Depending on the type of the object you want to exclude, select one of the following: - Add AD Container – Browse for a container to be excluded from being audited. You can select a whole AD domain, OU or container. - Add Computer – Provide the name of the computer you want to exclude as shown in the "_Where_" column of reports and Activity Summaries. For example, _backupsrv01.mydomain.local_. Wildcards (\*) are not supported. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.8/admin/monitoringplans/overview.md)topic for additional information. |
+
+## Domain
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Specify Active Directory domain | Specify the audited domain name in the FQDN format. For example, "_company.local_". |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.8/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information. |
+
+Refer to the
+[Permissions for Active Directory Auditing](/docs/auditor/10.8/configuration/activedirectory/permissions.md)
+topic for more information on using Netwrix Privilege Secure as an account for data collection.
+
+## Use Netwrix Privilege Secure as a Data Collecting Account
+
+Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for
+collecting data, after configuring the integration. See the
+[Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information about
+integration and supported data sources. In this case, the credentials will not be stored by Netwrix
+Auditor. Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring
+password rotation or using temporary accounts for data collection.
+
+Follow the steps to use Netwrix Privilege Secure as an account for data collection.
+
+**Step 1 –** Select the desired item.
+
+**Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data
+collection.
+
+
+
+**Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure.
+Credential-based is the default option. Refer to the
+[Netwrix Privilege Secure](https://helpcenter.netwrix.com/category/privilegesecure_accessmanagement)
+documentation to learn more about Access Policies.
+
+In this case, you need to provide the username of the account managed by Netwrix Privilege Secure,
+and to which Netwrix Auditor has the access through a Credential-based access policy.
+
+**NOTE:** Netwrix recommends using different credentials for different monitoring plans and data
+sources.
+
+
+
+The second option is Resource-based. To use this option, you need to provide the Activity and
+Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure
+that you specified the same names as in Netwrix Privilege Secure.
+
+The Resource name in this case is where the activity will be performed. For example, if you grant
+the data collecting account the access to a local Administrators group - the resource is the server
+where the permission will be granted.
+
+Netwrix Privilege Secure is ready to use as an account for data collection.
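Review bot: In the "Enable Auditing of Active Directory Partitions" section, the sentence ending "do the following:" is followed by the remark "You cannot disable auditing the Domain partition for changes." instead of steps, and the procedure under "To enable auditing of the Configuration and Schema partitions" never covers disabling Configuration auditing, which the lead-in promises. Move the remark after the steps and add the step for disabling. The exclusion examples decide what is dropped from search results, reports and Activity Summaries, so they should be unambiguous: the closing paragraph refers to "the screenshot above" and to enterprise.local/OU/BO while the bullets use dc11.local, so use one domain throughout. Markup defects to fix in the tables: "Group membershipif" and "overview.md)topic" are missing a space, and the Specify AD container row has an unclosed "**(Computer, IP range**".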
diff --git a/docs/auditor/10.8/admin/monitoringplans/activedirectory/scope.md b/docs/auditor/10.8/admin/monitoringplans/activedirectory/scope.md
new file mode 100644
index 0000000000..d559ce04ca
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/activedirectory/scope.md
@@ -0,0 +1,55 @@
+---
+title: "Active Directory Monitoring Scope"
+description: "Active Directory Monitoring Scope"
+sidebar_position: 10
+---
+
+# Active Directory Monitoring Scope
+
+You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Active
+Directory monitoring scope. You can apply restrictions to monitoring scope via the UI. See the
+[Objects](/docs/auditor/10.8/admin/monitoringplans/activedirectory/overview.md) topic for additional information.
+
+**_RECOMMENDED:_** Configure monitoring scope restrictions on the Active Directory monitoring plan
+page. See the [Active Directory](/docs/auditor/10.8/admin/monitoringplans/activedirectory/overview.md) topic for additional information.
+
+Follow the steps to exclude data from the Active Directory monitoring scope:
+
+**Step 1 –** Navigate to the _%Netwrix Auditor installation folder%\Active Directory Auditing_
+folder.
+
+**Step 2 –** Edit the \*.txt files, based on the following guidelines:
+
+- Each entry must be a separate line.
+- A wildcard (\*) is supported. You can use \* for cmdlets and their parameters.
+- Lines that start with the # sign are treated as comments and are ignored.
+
+| File | Description | Syntax |
+| -------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| addprops.txt | Contains a list of properties that should be included for newly created AD objects. When a new object is added, Auditor does not show any data in the Details column in the Activity Summary emails. If you want to see the information on certain attributes of a newly created object, specify these attributes in this file. | `Object type:property:` For example, to show a group description on this group’s creation, add the following line: `group:description:` |
+| allowedpathlist.txt | Contains a list of AD paths to be included in Activity Summaries, reports, and search results. | `Path` The path must be provided in the same format as it is displayed in the What column. For example, if you only want to monitor specific OU(s) in the AD domain, but not the entire domain. You can put a wildcard (\*) in the omitpathlist.txt file to exclude all paths, and then specify the OU(s) you want to monitor in the allowedpathlist.txt file. Adding the widlcard (\*) to omitpathlist.txt will not allow Netwrix Auditor to run AD state-in-time data collection. |
+| omitallowedpathlist.txt | Contains a list of AD paths to be excluded from Activity Summaries, reports, and search results. This file can be used if you want to exclude certain paths inside those specified in the allowedpathlist.txt file. | `Path` The path must be provided in the same format as it is displayed in the What column. For example, you can put a wildcard (\*) in the omitpathlist.txt file to exclude all paths, then specify the OU(s) you want to monitor in the allowedpathlist.txt file, and then specify the paths you want to exclude from within them in the omitallowedpathlist.txt file. Adding the widlcard (\*) to omitpathlist.txt will not allow Netwrix Auditor to run AD state-in-time data collection. |
+| omitexchangeserverlist.txt | Specify the Microsoft Exchange 2010 servers to be excluded from data collection. | `FQDN_server_name` **NOTE:** You can use the wildcard (\*) when specifying servers for exclusion. |
+| omitobjlist.txt | Contains a list of object types to be excluded from Activity Summaries, reports, and search results. | `Object type` For example, to omit changes to the printQueue object, add the following line: `printQueue`. |
+| omitpathlist.txt | Contains a list of AD paths to be excluded from Activity Summaries, reports, and search results. | `Path` The path must be provided in the same format as it is displayed in the What column. For example, to exclude changes to the Service Desk OU, add the following line: `*\Service Desk\*`. |
+| omitproplist.txt | Contains a list of object types and properties to be excluded from Activity Summaries, reports, and search results. | `object_type.property_name` If there is no separator (.) between an object type and a property, the whole entry is treated as an object type. For example to exclude the adminCount property from reports, add the following line: `*.adminCount`. |
+| omitreporterrors.txt | Contains a list of errors to be excluded from Netwrix Health Log. Thus, these errors will not appear in the Activity Summary emails. | `Error message text` For example, if you have advanced audit settings applied to your domain controllers policy, the following error will be returned in the Activity Summary emails: `Auditing of Directory Service Access is not enabled for this DC. Adjust the audit policy settings using the Active Directory Audit Configuration Wizard or see the product documentation for more information.` Add the text of this error message to this file to stop getting it in the Activity Summary emails. |
+| omitsnapshotpathlist.txt | Contains a list of AD paths to be excluded from AD snapshots. | `Path` The path must be provided in the same format as it is displayed in the What column. For example, to exclude data on the Disabled Accounts OU from the Snapshot report, add the following line:` *\Disabled Accounts*`. |
+| omitstorelist.txt | Contains a list of object types and properties to be excluded from AD snapshots. | `object_type.property_name` If there is no separator (.) between an object type and a property, the whole entry is treated as an object type. For example to exclude data on the AD adminDescription property, add the following line: `*.adminDescription`. |
+| omituserlist.txt | Contains a list of users you want to exclude from search results, reports and Activity Summaries. | `domain\username` For example, `*\administrator`. |
+| processaddedprops.txt | Contains a list of properties that should be included for newly created AD objects. When a new object is created, Auditor does not show any data in the Details column in reports. If you want to see the information on certain attributes of a newly created object, specify these attributes in this file. | `object type:property:` For example, if you want a user’s Description property to be displayed in the reports when a user is added, add the following line: `User:Description:` |
+| processdeletedprops.txt | Contains a list of properties that should be included for deleted AD objects. When an object is deleted, Auditor does not show any data in the Details column in reports. If you want to see the information on certain attributes of a deleted object, specify these attributes in this file. | `object type:property:` For example, if you want a user’s Description property to be displayed in the reports when a user is deleted, add the following line: `User:Description:` |
+| propnames.txt | Contains a list of human-readable names for object types and properties to be displayed in Activity Summaries, reports, and search results. | `classname.attrname= intelligiblename` For example, if you want the adminDescription property to be displayed in the reports as Admin Screen Description, add the following line: `*.adminDesciption=Admin Screen Description` |
+
+## Example
+
+To exclude the "_corp/Administrator_" user from being audited, use the following syntax in the
+**omitusers.txt** file:
+
+```
+# Specify users whose activity you want to exclude from Active Directory search results, reports and Activity Summaries.
+# Syntax: Domain\Username
+# Note: Wildcard * is supported and can replace any number of characters.
+# Example:
+# Corp\Administrator
+```
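Review bot: The Example section names the file **omitusers.txt**, but the table above lists the user exclusion file as omituserlist.txt; the two names should match. The fenced sample also consists only of lines starting with #, which the guidelines above say are ignored, so as written it excludes nobody: add the active entry on its own line after the comments, and write the account in the sentence as corp\Administrator to match the documented domain\username syntax instead of "corp/Administrator". In the table, the propnames.txt example line "*.adminDesciption=Admin Screen Description" misspells the adminDescription property named in the sentence before it, so a reader copying it would not get the intended mapping, and "widlcard" is misspelled in the allowedpathlist.txt and omitallowedpathlist.txt rows.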
diff --git a/docs/auditor/10.8/admin/monitoringplans/activitysummaryemail.md b/docs/auditor/10.8/admin/monitoringplans/activitysummaryemail.md
new file mode 100644
index 0000000000..ece7a22b02
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/activitysummaryemail.md
@@ -0,0 +1,41 @@
+---
+title: "Activity Summary Email"
+description: "Activity Summary Email"
+sidebar_position: 220
+---
+
+# Activity Summary Email
+
+Activity Summary email is generated automatically by Netwrix Auditor and lists all changes /
+recorded user sessions that occurred since the last Activity Summary delivery. By default, for most
+data sources an Activity Summary is generated daily at 3:00 AM and delivered to the specified
+recipients. You can also launch data collection and Activity Summary generation manually.
+
+Notifications on user activity and event log collection (Event Log Collection Status) are a bit
+different and do not show changes.
+
+The following Activity Summary example applies to Active Directory. Other Activity Summaries
+generated and delivered by Netwrix Auditor will vary slightly depending on the data source.
+
+
+
+The example Activity Summary provides the following information on Active Directory changes:
+
+| Column | Description |
+| ----------- | ------------------------------------------------------------------------------------------------------------------- |
+| Action | Shows the type of action that was performed on the object. - Added - Removed - Modified - Activated (User Activity) |
+| Object Type | Shows the type of the modified AD object, for example, 'user'. |
+| What | Shows the path to the modified AD object. |
+| Item | Shows the item associated with the selected monitoring plan. |
+| Where | Shows the name of the domain controller where the change was made. |
+| Who | Shows the name of the account under which the change was made. |
+| When | Shows the exact time when the change occurred. |
+| Workstation | Shows the name / IP address of the computer where the user was logged on when the change was made. |
+| Details | Shows the before and after values of the modified AD object. |
+
+To initiate an on-demand Activity Summary delivery, navigate to the Monitoring Plans section, select
+a plan, click Edit, and then select Update. A summary will be delivered to the specified recipient,
+listing all activity that occurred since the last data collection.
+
+To disable Activity Summary Emails, you need to disable notifications in the settings. See the
+[Notifications](/docs/auditor/10.8/admin/settings/notifications.md) topic for additional information.
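Review bot: the sentence "The following Activity Summary example applies to Active Directory" is followed only by two blank lines, so the example that it, the next paragraph and the column table all refer to is missing from the page. Restore the image reference, or reword those sentences so they do not point at a figure. In the table, the Action cell runs its values together as "- Added - Removed - Modified - Activated (User Activity)", which reads as one hyphenated line; separate the values with commas or line breaks. The on-demand delivery paragraph names the controls Edit and Update in plain text, while adfs.md in this patch bolds UI labels (**Add**, **Add item**); pick one convention.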
diff --git a/docs/auditor/10.8/admin/monitoringplans/adfs.md b/docs/auditor/10.8/admin/monitoringplans/adfs.md
new file mode 100644
index 0000000000..d74274ef58
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/adfs.md
@@ -0,0 +1,46 @@
+---
+title: "Active Directory Federation Services"
+description: "Active Directory Federation Services"
+sidebar_position: 50
+---
+
+# Active Directory Federation Services
+
+**NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in
+the following topics:
+
+- [Protocols and Ports Required](/docs/auditor/10.8/requirements/ports.md) – To ensure successful data collection
+ and activity monitoring configure necessary protocols and ports for inbound and outbound
+ connections
+- [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to
+ audit your IT systems
+
+- [AD FS](/docs/auditor/10.8/configuration/activedirectoryfederatedservices/overview.md) – Configure data source
+ as required to be monitored
+
+Complete the following fields:
+
+| Option | Description |
+| -------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. |
+| Schedule AD FS logons collection | Specify period for AD FS logons collection. |
+| Specify data collection method | You can enable network traffic compression. If enabled, a Compression Service will be automatically launched on the audited computer, collecting and pre-filtering data. This significantly improves data transfer and minimizes the impact on the target computer performance. |
+| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. For a full list of audit settings required to collect comprehensive audit data and instructions on how to configure them, refer to [AD FS](/docs/auditor/10.8/configuration/activedirectoryfederatedservices/overview.md). |
+
+Review your data source settings and click **Add** to go back to your plan. The newly created data
+source will appear in the **Data source** list. As a next step, click **Add item** to specify an
+object for monitoring. See the [Add Items for Monitoring](datasources.md#add-items-for-monitoring)
+topic for additional information.
+
+## Federation Server
+
+If you are going to audit an entire AD FS farm, consider adding all AD FS server one by one as items
+to your monitoring plan. Otherwise, your audit scope may contain warnings, errors or incomplete
+data.
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Specify AD FS federation server | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. |
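Review bot: in the Federation Server section, "adding all AD FS server one by one" should read "all AD FS servers". Because the same paragraph warns that a partially added farm produces warnings, errors or incomplete data, say where the reader can confirm that every farm member is covered. In the NOTE list at the top, the blank line before the "[AD FS]" bullet splits one list into two; remove it. The "Specify data collection method" row describes only network traffic compression, so the option name and its description do not match; name the available methods or align the label with the "Enable network traffic compression" wording used in create.md.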
diff --git a/docs/auditor/10.8/admin/monitoringplans/azurefiles.md b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md
new file mode 100644
index 0000000000..c3e9db2d89
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/azurefiles.md
@@ -0,0 +1,70 @@
+---
+title: "Azure Files Monitoring Plan"
+description: "Create and configure Azure Files monitoring plans in Netwrix Auditor v10.8"
+sidebar_position: 85
+---
+
+# Azure Files Monitoring Plan
+
+Create monitoring plans for Azure Files to track file and folder changes across your Azure storage accounts.
+
+## Prerequisites
+
+- **[Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md)** completed
+- **Azure Application** registered with required permissions
+- **Diagnostic settings** enabled for storage accounts
+
+## Create Monitoring Plan
+
+### Step 1: Create New Monitoring Plan
+
+1. Navigate to **Home > Monitoring Plans**
+2. Click **Create New Monitoring Plan**
+3. Provide monitoring plan name
+4. Create audit database
+5. Configure email notification method
+
+### Step 2: Add Azure Files Data Source
+
+1. Click **Add Data Source**
+2. Select **Azure Files**
+3. Configure connection settings:
+ - **Tenant ID** (use ID, not tenant name)
+ - **Application ID**
+ - **Application Secret**
+ - **Subscription ID**
+
+### Step 3: Configure Storage Accounts
+
+Configure storage account settings (requires separate accounts):
+- **File Share Storage Account** - Contains the file shares to monitor
+- **Audit Log Storage Account** - Stores diagnostic logs (must be separate account)
+- **Resource Group** - Resource group containing the storage accounts
+
+### Step 4: Configure Monitoring Options
+
+Select monitoring options:
+- **Track changes** (successful/failed operations)
+- **Monitor read access** (optional - increases audit volume)
+- **User monitoring restrictions** (specify users to exclude from monitoring)
+- **Monitored object types** - Select from:
+ - Files
+ - Folders
+ - Shares
+- **Monitored actions** - Configure which file operations to track
+
+### Step 5: Test Connection
+
+Click **Test Connection** to verify:
+- Azure Active Directory authentication
+- Storage account access
+- Audit log collection
+
+## Next Steps
+
+After creating the monitoring plan:
+1. **Verify data collection** is working
+2. **Configure reports** as needed
+3. **Set up alerts** for important events
+
+For configuration requirements, see [Azure Files Configuration](/docs/auditor/10.8/configuration/azurefiles/overview.md).
\ No newline at end of file
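Review bot: the Prerequisites bullet "Azure Application registered with required permissions" neither names nor links those permissions, while Step 2 asks the reader to enter an Application Secret. Link the bullet to the page that lists the exact permissions so the application is granted only what collection needs. Step 5 says "Azure Active Directory authentication" where create.md and dataaccounts.md in this patch use "Microsoft Entra ID (formerly Azure AD)". Step 1 tells the reader to click **Create New Monitoring Plan**, but create.md calls the control Add Plan on the Monitoring Plans page. Step 3 states twice that the audit log storage account must be separate without giving the reason. The file also ends without a trailing newline.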
diff --git a/docs/auditor/10.8/admin/monitoringplans/create.md b/docs/auditor/10.8/admin/monitoringplans/create.md
new file mode 100644
index 0000000000..7175441f3b
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/create.md
@@ -0,0 +1,183 @@
+---
+title: "Create a New Monitoring Plan"
+description: "Create a New Monitoring Plan"
+sidebar_position: 10
+---
+
+# Create a New Monitoring Plan
+
+To create monitoring plans, user account must be assigned the _Global administrator_ in Auditor.
+Users with the _Configurator_ role can create plans only within a delegated folder. See the
+[Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information.
+
+To start creating a plan, do any of the following:
+
+- On the main Auditor page, in the Quick Start section, click the tile with a data source of your
+ choice, e.g., Active Directory. If you need a data source that is not listed on the main page,
+ click All data sources.
+- On the main Auditor page, in the Configuration section, click the Monitoring Plans tile. On the
+ Monitoring Plans page, select Add Plan.
+
+Then follow the steps in the Monitoring Plan Wizard.
+
+**Step 1 –** Choose a data source for monitoring.
+
+**Step 2 –** Specify an account for collecting data.
+
+**Step 3 –** Specify default SQL Server instance and configure the Audit Database to store your
+data.
+
+**Step 4 –** Configure notification settings.
+
+**Step 5 –** Specify the recipients who will receive daily activity summaries.
+
+**Step 6 –** Specify a plan name.
+
+## Settings for Data Collection
+
+
+
+At this step of the wizard, specify the account that Auditor will use to access the data source, and
+general settings for data collection.
+
+
+
+| Option | Description |
+| --------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Specify the account for collecting data | If applicable, you can create a data collecting account in the following ways: - Not specified – Select this option if you want to choose the Netwrix Privilege Secure as the data collecting account for the Monitoring Plan. See the [Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information. - User/password – Provide a username and password for the account that Auditor will use to collect data. By default, the user name is prepopulated with your account name. - gMSA – Use the group Managed Service Account (gMSA) as data collecting account. For more details about gMSA usage, see the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.8/requirements/gmsa.md) topic. **NOTE:** If you want to audit network devices or Microsoft Entra ID (formerly Azure AD)/Office 365 infrastructure, you need to use _not specified_ account. Make sure the account has sufficient permissions to collect data. For a full list of the rights and permissions, and instructions on how to configure them, refer to the[Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md). Netwrix recommends creating a special service account with extended permissions. When you configure a monitoring plan for the first time, the account you specify for data collection will be set as default. |
+| Enable network traffic compression | If selected, this option instructs Auditor to deploy a special utility that will run on the audited computers and do the following: - Collect and pre-filter audit data - Compress data and forward it to Auditor Server. This approach helps to optimize load balance and reduce network traffic. So, using this option can be recommended especially for distributed networks with remote locations that have limited bandwidth. See the [Network Traffic Compression](/docs/auditor/10.8/admin/healthstatus/networktrafficcompression.md) topic for additional information. |
+| Adjust audit settings automatically | Auditor can configure audit settings in your environment automatically. Select Adjust audit settings automatically. In this case, Auditor will continually check and enforce the relevant audit policies. For some data sources (currently, Active Directory and Logon Activity) you will be offered to launch a special utility that will detect current audit settings, check them against requirements and then adjust them automatically. See the [Audit Configuration Assistant](/docs/auditor/10.8/tools/auditconfigurationassistant.md) topic for additional information. You may also want to apply audit settings via GPO (for example, for Windows Servers). Auditor has certain limitations when configuring audit settings for NetApp and Dell Data Storage. See the [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) topic for additional information. If any conflicts are detected with your current settings, automatic audit configuration will not be performed. Select this option if you want to audit file shares on NetApp Data ONTAP 7 and 8 in 7-mode. For NetApp Clustered Data ONTAP 8 and ONTAP 9, only audit settings for file shares can be configured automatically, other settings must be applied manually. If you plan to monitor EMC Isilon, clear the checkbox. Currently, Auditor cannot configure audit on Dell Isilon appliances automatically. If you want to audit Dell VNX/VNXe, select Adjust audit settings automatically, but only audit settings for file shares will configured, the rest of settings must be configured manually. For a full list of audit settings and instructions on how to configure them manually, see the [Supported Data Sources](/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md) for additional information. |
+| Launch Audit Configuration Assistant | Click to launch a specially intended utility that will assess your environment readiness for monitoring and adjust audit settings, if necessary. The tool will be launched in a new window. See the [Audit Configuration Assistant](/docs/auditor/10.8/tools/auditconfigurationassistant.md) topic for additional information. |
+| Collect data for state-in-time reports | State-in-time reports are based on the daily configuration snapshots of your audited systems; they help you to analyze particular aspects of the environment. State-in-time configuration snapshots are also used for IT risks assessment metrics and reports. This data collection option is available if you are creating a monitoring plan for any of the following data sources: - Active Directory - File Servers - Windows Server - Group Policy - SharePoint - SharePoint Online - Exchange Online - SQL Server - VMware See the [State–In–Time Reports](/docs/auditor/10.8/admin/reports/types/stateintime/overview.md) and [IT Risk Assessment Overview ](/docs/auditor/10.8/admin/riskassessment/overview.md) topics for additional information. |
+
+## Default SQL Server Instance
+
+To provide searching, alerting and reporting capabilities, Auditor needs an SQL Server where audit
+data will be stored in the databases. To store data from the data sources included in the monitoring
+plan, the wizard creates an Audit Database for each plan. At this step, you should specify the
+default SQL Server instance that will host Auditor databases. See the
+[Requirements for SQL Server to Store Audit Data](/docs/auditor/10.8/requirements/sqlserver.md) topic for
+additional information.
+
+Alternatively, you can instruct Auditor not to store data to the databases but only to the
+repository (Long-Term Archive) – in this scenario, you will only be able to receive activity
+summaries. Reporting and alerting capabilities will not be provided.
+
+Auditor skips this step if you have already configured Audit Database settings for other monitoring
+plans.
+
+Select one of the following options:
+
+- Disable security intelligence and make data available only in activity summaries — select this
+ option if you do not want audit data to be written to the Audit Database. In this case, data will
+ be available only in Activity Summary emails. Alerts, reports and search capabilities will not be
+ supported.
+
+ If you later clear this option to start saving data to the database, consider that already
+ collected audit data will not be imported in that database.
+
+- Install a new instance of Microsoft SQL Server Express automatically — this option is available at
+ the first run of the wizard. It allows you to deploy SQL Server 2016 SP2 Express with Advanced
+ Services on the local machine. This SQL Server will be used as default host for Auditor databases.
+
+ It is strongly recommended that you plan for your databases first, as described in
+ [Requirements for SQL Server to Store Audit Data](/docs/auditor/10.8/requirements/sqlserver.md) section.
+ Remember that database size in SQL Server Express edition may be insufficient for your audited
+ infrastructure.
+
+- Use an existing SQL Server instance — select this option to use an existing SQL Server instance.
+
+ Local SQL Server instance is detected automatically, and input fields are pre-populated with its
+ settings.
+
+ Complete the following fields:
+
+ | Option | Description |
+ | ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+ | SQL Server instance | Specify the name of the SQL Server instance to store audit data. If you have more than one Auditor Server running in your network, make sure to configure them to use different SQL Server instances. The same SQL Server instance cannot be used to store audit data collected by several Auditor Servers. |
+ | Authentication | Select the authentication type you want to use to connect to the SQL Server instance: - Windows authentication - SQL Server authentication |
+ | User name | Specify the account to be used to connect to the SQL Server instance. This account must be granted the **database owner (db_owner)** role and the dbcreator server role. |
+ | Password | Enter a password. |
+
+ **NOTE:** If you want to use Group Managed Service Account (gMSA) to access the SQL Server
+ instance hosting the database, consider that in this case Netwrix Auditor will not be able to
+ generate SSRS-based reports (due to the following Microsoft article:
+ [Configure the Unattended Execution Account (Report Server Configuration Manager)](https://docs.microsoft.com/en-us/sql/reporting-services/install-windows/configure-the-unattended-execution-account-ssrs-configuration-manager?view=sql-server-ver15).
+
+## Database Settings
+
+At this step, you need to specify a database where Netwrix Auditor will store data collected from
+the data sources included in this monitoring plan.
+
+It is strongly recommended to target each monitoring plan at a separate database.
+
+You can use default settings for your SQL Server instance or modify them (e.g., use a different
+authentication method or user). You can also change these settings later. See the
+[Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topic for additional information.
+
+
+
+Configure the following:
+
+| Setting | Description |
+| ------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Disable security intelligence ... | Only select this option if you do not want your data to be stored in the database. In this case, you will only be able to receive activity summaries. Reporting and alerting capabilities will not be provided. To store data to the database, leave this check box cleared. |
+| Database | Default database name is _Netwrix_Auditor_``_. It is recommended that you enter a meaningful name for the database here. It may include the data source type (e.g. \_Exchange_Audit_Data_ or _OracleSrv02_Audit_Data_), or so. If you decided to use the existing SQL Server instance instead of dedicated, you may want to use _Netwrix_Auditor_ prefix to distinguish Netwrix Auditor databases from others. |
+| Use default SQL Server settings | Select this option if you want Auditor to connect to the SQL Server instance using the default settings you specified at the Default SQL Server Instance step. |
+| Specify custom connection parameters | Select this option to use custom credentials when connecting to SQL Server. Specify authentication method and the account that Auditor will use. Make sure this account has sufficient rights to connect to SQL Server and work with the databases. |
+
+Auditor will connect to the default SQL Server instance and create a database with the specified
+name on it.
+
+Global settings that apply to all databases with audit data (including retention period and SSRS
+server used for reporting) are available on the Audit Database page of Auditor settings. See the
+[Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topic for additional information.
+
+## SMTP Server Settings
+
+When you create the first monitoring plan, you are prompted to specify the email settings that will
+be used for activity and health summaries, reports and alerts delivery. For the monitoring plans
+that follow, Netwrix Auditor will automatically detect SMTP settings; however, for your first plan
+you should provide them manually. See the [Notifications](/docs/auditor/10.8/admin/settings/notifications.md) topic for
+additional information.
+
+You can skip this step if you do not want to receive email notifications, or configure SMTP settings
+later, as described in the related section.
+
+## Email Notification Recipients
+
+Specify who will receive daily emails: [Activity Summary Email](/docs/auditor/10.8/admin/monitoringplans/activitysummaryemail.md) on changes
+in the monitored infrastructure, and [Health Summary Email](/docs/auditor/10.8/admin/healthstatus/summaryemail.md) on
+Auditor operations and health.
+
+Click Add Recipient and provide email address.
+
+**_RECOMMENDED:_** click **Send Test Email**. The system will send a test message to the specified
+email address and inform you if any problems are detected.
+
+## Monitoring Plan Summary
+
+At this step of the wizard, to provide a meaningful name and optional description for your
+monitoring plan.
+
+To start collecting data, you should specify the objects (items) that belong to the target data
+source and should be processed according to the settings of this monitoring plan. For example, for
+Exchange data source the item will be your Exchange server, for Windows Server data source -
+computer, IP range or AD container, and so on. To add items right after finishing the monitoring
+plan wizard, select the Add item now checkbox. See the
+[Add Items for Monitoring](datasources.md#add-items-for-monitoring) topic for additional
+information.
+
+A monitoring plan cannot collect data until at least one item is specified.
+
+Some data sources require additional system components and updates to be installed on your computer.
+In this case, Auditor will inform you and prompt you to check data source prerequisites instead of
+adding an item.
+
+Once you complete the wizard, you can:
+
+- Add items to your plan
+- Add more data sources
+- Customize data source's scope and settings (e.g., enable read access auditing)
+- Fine-tune or modify plan settings
+- Delegate control of the plan configuration or collected data to other users.
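Review bot: in the Database Settings table, the Database row reads "Default database name is _Netwrix_Auditor_``_" with an empty code span, so the variable part of the default name is lost, and the example "\_Exchange_Audit_Data_" carries a stray backslash; restore the placeholder and fix the emphasis markers. Other points in this hunk: the opening sentence "must be assigned the _Global administrator_ in Auditor" is missing the word "role"; "refer to the[Data Collecting Account]" is missing a space; "will configured" should be "will be configured"; the same cell uses both "EMC Isilon" and "Dell Isilon"; the gMSA NOTE opens a parenthesis at "(due to the following Microsoft article:" that is never closed; and "At this step of the wizard, to provide a meaningful name" is not a complete sentence. The "Not specified" option is described as selecting Netwrix Privilege Secure, yet the NOTE in the same cell tells readers to use it for network devices and Microsoft Entra ID/Office 365 and to "make sure the account has sufficient permissions"; state which account is meant in that case. The blank line pairs under "Settings for Data Collection" and before "Configure the following:" look like dropped screenshots.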
diff --git a/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md b/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md
new file mode 100644
index 0000000000..dbcf2b6152
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md
@@ -0,0 +1,83 @@
+---
+title: "Data Collecting Account"
+description: "Data Collecting Account"
+sidebar_position: 30
+---
+
+# Data Collecting Account
+
+This is a service account that Auditor uses to collect audit data from the monitored items, such as
+domains, OUs and servers. Netwrix recommends the creation of a dedicated service account for that
+purpose. Depending on the data source your monitoring plan will process, the account must meet the
+corresponding requirements in the table below.
+
+Select the account that will be used to collect data for this item. If you want to use a specific
+account (other than the one you specified during monitoring plan creation), select account type you
+want to use and enter credentials. The following choices are available:
+
+- User/password. The account must be granted the same permissions and access rights as the default
+ account used for data collection. See the Data Collecting Account topic for additional
+ information.
+- Group Managed Service Account (gMSA). You should specify only the account name in the
+ domain\account$ format. See the
+ [Use Group Managed Service Account (gMSA)](/docs/auditor/10.8/requirements/gmsa.md) topic for additional
+ information.
+- Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between
+ Netwrix Auditor and Netwrix Privilege Secure. See the
+ [Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information.
+
+- Application and secret for Microsoft 365 with modern authentication.
+
+Each data collecting accounts should meet the requirements from the table below, depending on the
+data source.
+
+| Data source | Required rights and permissions: |
+| ------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Active Directory | [Permissions for Active Directory Auditing](/docs/auditor/10.8/configuration/activedirectory/permissions.md) |
+| Active Directory Federation Services | [Permissions for AD FS Auditing](/docs/auditor/10.8/configuration/activedirectoryfederatedservices/permissions.md) |
+| Microsoft Entra ID (formerly Azure AD), Exchange Online, SharePoint Online, MS Teams | [Permissions for Microsoft Entra ID Auditing](/docs/auditor/10.8/configuration/microsoft365/microsoftentraid/permissions/permissions.md) [Permissions for Exchange Online Auditing](/docs/auditor/10.8/configuration/microsoft365/exchangeonline/permissions.md) [Permissions for SharePoint Online Auditing ](/docs/auditor/10.8/configuration/microsoft365/sharepointonline/permissions/permissions.md) [Permissions for Teams Auditing](/docs/auditor/10.8/configuration/microsoft365/teams/permissions/permissions.md) |
+| Exchange | [Permissions for Exchange Auditing](/docs/auditor/10.8/configuration/exchange/permissions.md) |
+| Windows File Servers | [Permissions for Windows File Server Auditing](/docs/auditor/10.8/configuration/fileservers/windows/permissions.md) |
+| Dell Isilon | [Permissions for Dell Isilon/PowerScale Auditing](/docs/auditor/10.8/configuration/fileservers/dellisilon/permissions.md) |
+| Dell VNX/VNXe/Unity | [Permissions for Dell Data Storage Auditing](/docs/auditor/10.8/configuration/fileservers/delldatastorage/permissions.md) |
+| NetApp | [Permissions for NetApp Auditing](/docs/auditor/10.8/configuration/fileservers/netappcmode/permissions.md) |
+| Nutanix Files | [Permissions for Nutanix Files Auditing](/docs/auditor/10.8/configuration/fileservers/nutanix/permissions.md) |
+| Qumulo | [Permissions for Qumulo Auditing](/docs/auditor/10.8/configuration/fileservers/qumulo/permissions.md) |
+| Synology | [Permissions for Synology Auditing](/docs/auditor/10.8/configuration/fileservers/synology/permissions.md) |
+| Network Devices | [Permissions for Network Devices Auditing](/docs/auditor/10.8/configuration/networkdevices/permissions.md) |
+| Oracle Database | [Permissions for Oracle Database Auditing](/docs/auditor/10.8/configuration/oracle/permissions.md) |
+| SharePoint | [Permissions for SharePoint Auditing](/docs/auditor/10.8/configuration/sharepoint/permissions.md) |
+| SQL Server | [Permissions for SQL Server Auditing ](/docs/auditor/10.8/configuration/sqlserver/permissions.md) |
+| VMware | [Permissions for VMware Server Auditing ](/docs/auditor/10.8/configuration/vmware/permissions.md) |
+| Windows Server (including DNS and DHCP) | [Permissions for Windows Server Auditing ](/docs/auditor/10.8/configuration/windowsserver/permissions.md) |
+| Event Log (including IIS)—collected with Event Log Manager | [Permissions for Windows Server Auditing ](/docs/auditor/10.8/configuration/windowsserver/permissions.md) |
+| Group Policy | [Permissions for Group Policy Auditing ](/docs/auditor/10.8/configuration/grouppolicy/permissions.md) |
+| Logon Activity | [Permissions for Logon Activity Auditing ](/docs/auditor/10.8/configuration/logonactivity/permissions.md) |
+| Inactive Users in Active Directory—collected with Inactive User Tracker | In the target domain - A member of the Domain Admins group |
+| Password Expiration in Active Directory—collected with Password Expiration Notifier | In the target domain - A member of the Domain Users group |
+| User Activity | On the target server - A member of the local Administrators group |
+| Sensitive Data Discovery | [Sensitive Data Discovery ](/docs/auditor/10.8/admin/settings/sensitivedatadiscovery.md) |
+
+## Update Credentials for Account
+
+Once a Data Collecting Account has been configured, you can always update the password for this
+account in Netwrix Auditor.
+
+Follow the steps to update credentials for the accounts used by Auditor:
+
+**Step 1 –** On the Auditor home page, navigate to **Settings**.
+
+**Step 2 –** Locate the General tab.
+
+**Step 3 –** Click the **Manage** button under **Accounts and Passwords**.
+
+**Step 4 –** Select an account you want to update the password for.
+
+**Step 5 –** Review the account configuration scope and click **Update password** next to this
+account.
+
+
+
+**Step 6 –** Save your edits.
+
+See the [General](/docs/auditor/10.8/admin/settings/general.md) topic for additional information.
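Review bot: The "Inactive Users in Active Directory" row requires the collecting account to be "A member of the Domain Admins group" in the target domain, but unlike the SharePoint through Logon Activity rows above it links to no permissions topic and gives no reason for that level of privilege. Link a topic that explains the requirement, or state in the cell why Domain Admins is needed, so the privilege is documented rather than implied. Two smaller points: several link labels in this table carry a trailing space inside the brackets (for example `[Permissions for SQL Server Auditing ]`), and "General" in Step 2 is not bold while the UI names in Steps 1 and 3 are.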
diff --git a/docs/auditor/10.8/admin/monitoringplans/datasources.md b/docs/auditor/10.8/admin/monitoringplans/datasources.md
new file mode 100644
index 0000000000..6c00323468
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/datasources.md
@@ -0,0 +1,149 @@
+---
+title: "Manage Data Sources"
+description: "Manage Data Sources"
+sidebar_position: 20
+---
+
+# Manage Data Sources
+
+You can fine-tune data collection for each data source. Settings that you configure for the data
+source will be applied to all items belonging to that data source. Using data source settings, you
+can, for example:
+
+- Enable state-in-time data collection (currently supported for several data sources)
+- Depending on the data source, customize the monitoring scope (e.g., enable read access auditing,
+ monitoring of failed attempts)
+
+To add, modify and remove data sources, enable or disable monitoring, you must be assigned the
+Global administrator role in the product or the Configurator role on the plan. See the
+[Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional information.
+
+## Modify Data Source Settings
+
+Follow the steps to modify data source settings.
+
+**Step 1 –** Select the monitoring plan you need and click **Edit**.
+
+**Step 2 –** Within the monitoring plan window, highlight the data source (the first one is the row
+right under the blue table header) and click Edit data source on the right:
+
+
+
+**Step 3 –** Modify data source settings as you need.
+
+**Step 4 –** When finished, click **Save**.
+
+Review the following for additional information:
+
+- [Active Directory](/docs/auditor/10.8/admin/monitoringplans/activedirectory/overview.md)
+- [Active Directory Federation Services ](/docs/auditor/10.8/admin/monitoringplans/adfs.md)
+- [Microsoft Entra ID](/docs/auditor/10.8/admin/monitoringplans/microsoftentraid/overview.md)
+- [Exchange](/docs/auditor/10.8/admin/monitoringplans/exchange/overview.md)
+- [Exchange Online](/docs/auditor/10.8/admin/monitoringplans/exchangeonline/overview.md)
+- [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md)
+- [Group Policy](/docs/auditor/10.8/admin/monitoringplans/grouppolicy/overview.md)
+- [Logon Activity](/docs/auditor/10.8/admin/monitoringplans/logonactivity/overview.md)
+- [MS Teams](/docs/auditor/10.8/admin/monitoringplans/msteams.md)
+- [Network Devices](/docs/auditor/10.8/admin/monitoringplans/networkdevices.md)
+- [Oracle Database](/docs/auditor/10.8/admin/monitoringplans/oracle/overview.md)
+- [SharePoint](/docs/auditor/10.8/admin/monitoringplans/sharepoint/overview.md)
+- [SharePoint Online](/docs/auditor/10.8/admin/monitoringplans/sharepointonline/overview.md)
+- [SQL Server](/docs/auditor/10.8/admin/monitoringplans/sqlserver/overview.md)
+- [User Activity](/docs/auditor/10.8/admin/monitoringplans/overview_1.md)
+- [VMware](/docs/auditor/10.8/admin/monitoringplans/vmware/overview.md)
+- [Windows File Share](fileservers/scope.md#windows-file-share)
+
+Also, you can add a data source to the monitoring plan, or remove a data source that is no longer
+needed.
+
+## Add a Data Source to an Existing Plan
+
+Follow the steps to add a data source to existing plan.
+
+**Step 1 –** Select the monitoring plan you need and click Edit.
+
+**Step 2 –** In the right pane, select Add data source.
+
+**Step 3 –** Specify a data source.
+
+**Step 4 –** Configure settings specific to your data source.
+
+**Step 5 –** When finished, click the **Add** button to save the settings.
+
+## Add Items for Monitoring
+
+Once you completed monitoring plan wizard and specified data sources, add items for monitoring. You
+can add as many items for a data source as you want. In this case, all items will share settings you
+specified for this data source.
+
+Each data source has a dedicated item type. Netwrix Auditor automatically suggests item types
+associated with your data source.
+
+| Data Source | Item |
+| ----------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Active Directory Group Policy Exchange Logon Activity | [Domain](activedirectory/overview.md#domain) |
+| Active Directory Federation Services | [Federation Server](adfs.md#federation-server) |
+| Microsoft Entra ID Exchange Online SharePoint Online Microsoft Teams | [Microsoft Entra ID](/docs/auditor/10.8/admin/monitoringplans/microsoftentraid/overview.md) |
+| File Servers (including Windows file server, Dell, NetApp, Nutanix File server, Synology, and Qumulo) | [AD Container](activedirectory/overview.md#ad-container) [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) [Qumulo](fileservers/overview.md#qumulo) [Synology](fileservers/overview.md#synology) By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings. Remember that administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See the topics on the monitored items for details. |
+| Network Devices | [Syslog Device](networkdevices.md#syslog-device) [Cisco Meraki Dashboard](networkdevices.md#cisco-meraki-dashboard) |
+| Oracle Database | [Oracle Database Instance](oracle/overview.md#oracle-database-instance) |
+| SharePoint | [SharePoint Farm](sharepoint/overview.md#sharepoint-farm) |
+| SQL Server | [SQL Server Instance](sqlserver/items.md#sql-server-instance) [SQL Server Availability Group](sqlserver/items.md#sql-server-availability-group) |
+| VMware | [VMware ESX/ESXi/vCenter](vmware/overview.md#vmware-esxesxivcenter) |
+| Windows Server User Activity | [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) [AD Container](activedirectory/overview.md#ad-container) [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) |
+| Netwrix API | [Integration API](/docs/auditor/10.8/api/overview.md) |
+
+To add, modify and remove items, you must be assigned the Global administrator role in the product
+or the **Configurator** role on the plan. See the
+[Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md)topic for additional information.
+
+Follow the steps to add a new item to a data source:
+
+**Step 6 –** Navigate to your plan settings.
+
+**Step 7 –** Click Add item under the data source.
+
+**Step 8 –** Provide the object name and configure item settings.
+
+You can fine-tune data collection for each item individually. To do it, select an item within your
+monitoring plan and click Edit item. For each item, you can:
+
+- Specify a custom account for data collection
+- Customize settings specific your item (e.g., specify SharePoint site collections)
+
+## Configure Monitoring Scope
+
+In some environments, it may not be necessary to monitor the entire IT infrastructure. Netwrix
+monitoring scope can be configured on the Data Source and/or Item levels. the section below contains
+examples on how to use omit functionality in Auditor.
+
+In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more
+granular audit data. Note that the new monitoring scope restrictions apply together with previous
+exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.8/admin/monitoringplans/overview.md)topic for
+additional information.
+
+| Use case | Related documentation |
+| ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **Active Directory** | |
+| I want to omit all activity by a specific service account or service accounts with specific naming pattern. | [Active Directory](/docs/auditor/10.8/admin/monitoringplans/activedirectory/overview.md) |
+| If Netwrix user is responsible just for a limited scope within corporate AD, s/he needs to omit everything else. | [Active Directory](/docs/auditor/10.8/admin/monitoringplans/activedirectory/overview.md) - Always both activity and state in time data are omitted. - In group/Not in group filters don't not process groups from omitted OUs. |
+| **Logon Activity** | |
+| I want to omit domain logons by a specific service account or service accounts with specific naming pattern. | [Logon Activity](/docs/auditor/10.8/admin/monitoringplans/logonactivity/overview.md) |
+| **File Servers** (including Windows file server, Dell, NetApp, Nutanix File server) | |
+| I have a server named _StationWin16_ where I can't install .Net 4.5 in OU where I keep all member servers. I want to suppress errors from this server by excluding it from the Netwrix auditing scope. | [AD Container](activedirectory/overview.md#ad-container) |
+| A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Then, s/he does not want the product to monitor this folder at all. | [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) |
+| A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Then, s/he does not want the product to monitor this folder at all. | [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) |
+| A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Netwrix Auditor to collect State-in-Time data for this folder. | [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) [Dell Isilon](fileservers/overview.md#dell-isilon) [Dell VNX VNXe](fileservers/overview.md#dell-vnx-vnxe) [NetApp](fileservers/overview.md#netapp) [Windows File Share](fileservers/scope.md#windows-file-share) [Nutanix SMB Shares](fileservers/overview.md#nutanix-smb-shares) |
+| I want to exclude specific computers within an IP range from the Netwrix auditing scope. | [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) |
+| **SQL Server** | |
+| I want to know if _corp\administrator_ user is messing with SQL data. | [SQL Server Instance](sqlserver/items.md#sql-server-instance) |
+| As a Auditor administrator I want to exclude the _domain\nwxserviceaccount_ service account activity from SQL server audit so that I get reports without changes made by automatic systems. | [SQL Server Instance](sqlserver/items.md#sql-server-instance) |
+| As a Auditor administrator I want to exclude all changes performed by _MyCustomTool_. | [SQL Server Instance](sqlserver/items.md#sql-server-instance) |
+| **SharePoint** | |
+| I want to exclude the _domain\nwxserviceaccount_ account from data collection as it produces standard activity that doesn't require monitoring. | [SharePoint Farm](sharepoint/overview.md#sharepoint-farm) |
+| As a Auditor Administrator I want to exclude shared _PublicList_ from read audit. | [SharePoint Farm](sharepoint/overview.md#sharepoint-farm) |
+| Windows Server | |
+| I have a server named StationWin16 where I can't install .Net 4.5 in OU where I keep all member servers. I want to suppress errors from this server by excluding it from the Netwrix auditing scope. | [AD Container](activedirectory/overview.md#ad-container) |
+| I want to exclude specific computers within an IP range from the Netwrix auditing scope. | [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md) |
+| VMware | |
+| I have a virtual machine named "testvm" I use for testing purposes, so I want to exclude it from being monitored. | [VMware ESX/ESXi/vCenter](vmware/overview.md#vmware-esxesxivcenter) |
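Review bot: Under "Add Items for Monitoring" the procedure starts at "Step 6" and runs to "Step 8", although it is a separate procedure with its own "Follow the steps" line; number it Step 1 to Step 3. In the "Configure Monitoring Scope" table, the File Servers row about a Security Officer who has no access to a folder appears twice with identical text and links, so one copy should be removed. The Active Directory row reads "don't not process groups from omitted OUs"; because this sentence describes what drops out of audit coverage, it should say unambiguously whether groups from omitted OUs are processed. Also add the missing space before "topic" after two links (`delegation.md)topic`, `overview.md)topic`), capitalize "the section below", and change "specific your item" to "specific to your item".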
diff --git a/docs/auditor/10.8/admin/monitoringplans/delegation.md b/docs/auditor/10.8/admin/monitoringplans/delegation.md
new file mode 100644
index 0000000000..0ded923aa9
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/delegation.md
@@ -0,0 +1,183 @@
+---
+title: "Role-Based Access and Delegation"
+description: "Role-Based Access and Delegation"
+sidebar_position: 230
+---
+
+# Role-Based Access and Delegation
+
+Security and awareness of _who_ has access to _what_ is crucial for every organization. Besides
+notifying you on _who_ changed _what_, _when_ and _where_, and _who_ has access to _what_ in your IT
+infrastructure, Netwrix pays attention to safety of its own configuration and collected data.
+
+To keep the monitoring process secure, Netwrix suggests configuring role-based access. Delegating
+control ensures that only appropriate users can modify the product configuration or view audit data,
+based on your company policies and the user's job responsibilities.
+
+
+
+Roles are described briefly in the table below and explained in detail in the next topic.
+
+| Role | Access level | Recommended use |
+| -------------------- | ----------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Global administrator | Full control. Access to global settings, monitoring plan configuration, collected data, access delegation, etc. | The role should be assigned to a very limited number of employees—typically, only the owner of the Auditor Server host in your environment. By default, the user who installed Auditor is assigned the Global administrator role. All members of the local Administrators group are Global administrators too. |
+| Configurator | Access to monitoring plan configuration within the delegated scope: a monitoring plan or a folder with monitoring plans | The role is appropriate for system administrators, infrastructure engineers, and members of operations team who manage network and services in your organization but should not have access to sensitive data. |
+| Global reviewer | Access to all data collected by Auditor and intelligence and visibility features. | The role is appropriate for key employees who need to review audit data collected across various data sources—typically, IT managers, chief information security officer, and so on. |
+| Reviewer | Access to data collected by Auditor and intelligence and visibility features within the delegated scope. | The role is appropriate for members of security team and helpdesk personnel who are responsible for mitigating risks in a certain sector of your environment (e.g., domain, file share). This role is granted to specialists who use the Integration API to retrieve data from the Audit Database. |
+| Contributor | Write access to Auditor Server and Audit Database. | This service role is granted to specialists who use the Integration API to write data to the Audit Database. This role is also granted to service accounts or any accounts used for interaction with Auditor Server (e.g., add-on scripts). |
+
+## Compare Roles
+
+| Feature | Global administrator | Global reviewer | Reviewer | Configurator | Contributor |
+| --------------------------------------------------------------------------------------------- | -------------------- | ----------------------------------------------- | -------------------------------------------------------------------------- | --------------------------------------------------------------------------------------- | ------------------- |
+| Launch Auditor client | + | + | + | + | + |
+| Delegate control, grant and revoke permissions | + | – | – | – | – |
+| View global settings | + | Some | Some | Some | Some |
+| Modify global settings (including default Audit Database, licenses, retention settings, etc.) | + | – | – | – | – |
+| Monitoring plan configuration | | | | | |
+| List folders | + | + | + | + | + |
+| Add, remove, rename folders | + | – | – | Some Only under assigned folders provided that directly assigned roles do not conflict. | – |
+| List monitoring plans, review status | + | + | + | + | + |
+| Add, remove, rename monitoring plans | + | – | – | Some Only under assigned folders provided that directly assigned roles do not conflict. | – |
+| Modify monitoring plan settings | + | Some Add and remove Activity Summary recipients | Some Add and remove Activity Summary recipients within the delegated scope | Some Restricted to the delegated scope (folder or monitoring plan) | – |
+| List data sources and items in monitoring plan | + | + | + | + | + |
+| Add, modify, remove data sources, enable or disable auditing | + | – | – | Some Restricted to the delegated scope (folder or monitoring plan) | – |
+| Add, modify, remove items in monitoring plan | + | – | – | Some Restricted to the delegated scope (folder or monitoring plan) | – |
+| Manage state-in-time data, upload snapshots to the Audit Database | + | + | – | – | – |
+| Intelligence | | | | | |
+| List reports | + | + | + | + | + |
+| Generate reports | + | + | Some Restricted to the delegated scope (folder or monitoring plan) | – | – |
+| List report subscriptions | + | + | + | + | + |
+| Create, modify, remove subscriptions | + | + | – | – | – |
+| See search results | + | + | Some Restricted to the delegated scope (folder or monitoring plan) | – | – |
+| List, create, modify, delete custom reports | + | + | + | + | - (only can _list_) |
+| List alerts | + | + | + | + | + |
+| Create, modify, delete alerts | + | + | – | – | – |
+| Import investigation data from the Long-Term Archive | + | – | – | – | – |
+| View investigation data | + | + | – | – | – |
+| View Behavior Anomalies list | + | + | – | – | – |
+| Review user profile | + | + | – | – | – |
+| Update anomaly status | + | + | – | – | – |
+| **Risk Assessment Overview dashboard and drill-down reports** | | | | | |
+| View Risk Assessment Overview results (dashboard, drill-down reports) | + | + | Some Restricted to delegated scope (folder or monitoring plan) | - | - |
+| Modify risk level thresholds | + | + | - | - | - |
+| Customize risk indicators | + | + | - | - | - |
+| Auditor Integration API | | | | | |
+| Write Activity Records | + | – | – | – | + |
+| Retrieve Activity Records | + | + | + Restricted to the delegated scope (folder or monitoring plan) | – | – |
+
+## Assign Roles
+
+Netwrix Auditor allows assigning roles on the product as a whole, or within a specific _scope_. A
+scope can be limited to a single monitoring plan or to the contents of a folder. This helps to
+ensure that only authorized personnel has access to the relevant data. For example, database
+administrators (DBAs) should not access Active Directory management data, and domain administrators
+do not need permissions to view database schema changes or update data collection settings, and so
+on.
+
+### Understanding Scopes
+
+Scopes for different Auditor roles are as follows:
+
+| Scope | Roles |
+| ----------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Global (All monitoring plans) | Global administrator Global reviewer Contributor **NOTE:** To assign Global role, you need to click **Delegate** button from All Monitoring Plans list. |
+| Folder level | Configurator Reviewer |
+| Plan level | Configurator Reviewer |
+
+Follow the steps to delegate control to some scope, review, or revoke assigned roles.
+
+**Step 1 –** On the main Auditor page, navigate to the **Monitoring Plans** section.
+
+**Step 2 –** Browse your monitoring plans tree and select the scope you want to delegate to a user
+(e.g., All monitoring plans root folder, a folder, or a monitoring plan).
+
+**Step 3 –** Click **Delegate**.
+
+Review roles that are already defined for this scope.
+
+Do one of the following:
+
+| To... | Do... |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------- |
+| Assign a role | 1. Select Add User. 2. In the dialog that opens, specify a user (or a group) and a role. |
+| Revoke a role assignment | - Click  next to the user. |
+
+**Step 4 –** Click **Save** or **Save&Close**.
+
+### Browser Role on Report Server
+
+Along with adding a new Global administrator, Global reviewer or Reviewer role, Auditor will
+automatically assign this user the Browser role on the Report Server (SSRS).
+
+The Browser role is required to generate reports. It is granted on all reports — or within a
+delegated scope.
+
+If for some reason Auditor is unable to grant the Browser role, configure it manually. See the
+[SQL Server Reporting Services](/docs/auditor/10.8/requirements/sqlserverreportingservice.md) topic for
+additional information.
+
+### Default Role Assignments
+
+By default, several accounts and local groups are assigned the following roles:
+
+| Account or group name | Role | Details |
+| ---------------------- | -------------------- | ----------------------------------------------------------------------------------------------------------------- |
+| Local Administrators | Global administrator | |
+| Local service accounts | Global administrator | Global administrator Auditor uses system accounts for data processing and interaction between product components. |
+| Auditor Administrators | Global administrator | |
+| Auditor Client Users | Global reviewer | |
+
+#### Delegating Control via Windows Group Membership
+
+During the Auditor Server installation, Netwrix Auditor Administrators and Netwrix Auditor Client
+Users groups are created automatically. To delegate control via group membership, you need to add
+users to these groups on the computer where Auditor Server resides.
+
+Users will be granted roles with extended permissions. You may need to limit their scope to a
+specific monitoring plan.
+
+Follow the steps to add an account to a group.
+
+**Step 1 –** On the computer where Auditor Server is installed, start the Local Users and Computers
+snap-in.
+
+**Step 2 –** Navigate to the **Groups** node and locate the Netwrix Auditor Administrators or
+Netwrix Auditor Client Users group.
+
+**Step 3 –** In the group properties, click **Add**.
+
+Specify users you want to be included in this group.
+
+
+
+**NOTE:** For additional information about User Activity video access management, see the
+[Configure Video Recordings Playback Settings](/docs/auditor/10.8/configuration/useractivity/videorecordings.md)
+topic.
+
+## Provide Access to a Limited Set of Data
+
+By default, only users designated in Auditor are allowed to view its configuration and collected
+data. This policy ensures that only authorized and trustworthy users access sensitive data and make
+changes.
+
+However, in some cases, organizations need to provide certain employees with access to a limited set
+of audit data. For example, an auditor might need to review particular access reports once or twice
+a year. You can provide these users (recipients) with means to review the data they need without
+actually running Auditor. This ensures that dedicated specialists have access to the data while
+preventing data breaches and ensuring that sensitive data is not being distributed across the whole
+company.
+
+Netwrix recommends granting limited access permissions to employees who need to:
+
+- Review audit data periodically in accordance with company policy
+- Review audit data accumulated over time
+- Be notified only in case of a rare incident
+
+To grant limited access to audit data, you can:
+
+| Do.. | Recommended use |
+| ----------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Schedule email report subscriptions | This is helpful when you want to share information with a group of employees, external consultants, auditors, and so on. Reports are sent according to a specified schedule and recipients can review them, but they do not have any other means to access audit data. Basically, this option is enough for employees who are interested in a high-level summary—for example, an auditor who performs monthly access rights attestation on critical folders or a senior manager. |
+| Publish reports to file shares | This scenario works great for a helpdesk with several departments. Assume, each department has its own field of responsibility and must not disclose information to other departments. You can configure Auditor to publish reports to folders that can be accessed by employees from a specific department only. You might set up the following folders and permissions: - The user support team has access to a folder with reports on account lockouts and password resets. - File server helpdesk personnel have access to a different folder with daily reports listing all file removals. - The helpdesk supervisor has access to both folders. |
+| Configure alerts | This is helpful for rare occasions when you have to notify some senior specialists about critical system state that has to be addressed immediately, e.g., CISO must mitigate risks in the event of massive deletions in the sensitive data storage. |
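Review bot: The "Compare Roles" matrix mixes its markers: the Risk Assessment rows use a hyphen "-" where every other row uses "–", and the Reviewer cell for "Retrieve Activity Records" reads "+ Restricted to the delegated scope" where every other scoped cell reads "Some Restricted to ...". In a permissions matrix this leaves readers guessing whether the difference is intended, so use one marker for "no" and one wording for scoped access. Under "Delegating Control via Windows Group Membership", Step 1 names the "Local Users and Computers snap-in"; the Windows snap-in is Local Users and Groups. The same section says "You may need to limit their scope to a specific monitoring plan", but the two groups map to Global administrator and Global reviewer, which the "Understanding Scopes" table lists as Global scope only, so the text should say how that limit is applied. In "Default Role Assignments" the Details cell for Local service accounts starts with a stray "Global administrator", and "Save&Close" needs spaces around the ampersand.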
diff --git a/docs/auditor/10.8/admin/monitoringplans/exchange/_category_.json b/docs/auditor/10.8/admin/monitoringplans/exchange/_category_.json
new file mode 100644
index 0000000000..d00e7f2246
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/exchange/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Exchange",
+ "position": 70,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
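Review bot: The new file ends without a trailing newline (`\ No newline at end of file`); add one after the closing brace so that later edits to this file do not show the last line as changed.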
diff --git a/docs/auditor/10.8/admin/monitoringplans/exchange/overview.md b/docs/auditor/10.8/admin/monitoringplans/exchange/overview.md
new file mode 100644
index 0000000000..b876183ef5
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/exchange/overview.md
@@ -0,0 +1,47 @@
+---
+title: "Exchange"
+description: "Exchange"
+sidebar_position: 70
+---
+
+# Exchange
+
+**NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in
+the following topics:
+
+- [Protocols and Ports Required](/docs/auditor/10.8/requirements/ports.md) – To ensure successful data
+ collection and activity monitoring configure necessary protocols and ports for inbound and
+ outbound connections
+- [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to
+ audit your IT systems
+
+- [Exchange](/docs/auditor/10.8/configuration/exchange/overview.md) – Configure data source as required to be
+ monitored
+
+Complete the following fields:
+
+| Option | Description |
+| -------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. |
+| Detect additional details | Specify additional information to include in reports and activity summaries. Select Group membershipif you want to include Group membership of the account under which the change was made. |
+| Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. |
+| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Exchange](/docs/auditor/10.8/configuration/exchange/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. |
+| Collect data on non-owner access to mailboxes | Enable monitoring of unauthorized access to mailboxes within your Exchange Online organization. Configure the following: - Notify users if someone gained access to their mailboxes — Select this checkbox if you want to notify users on non-owner access events to their mailboxes. - Notify only specific users — Select this checkbox and click Add Recipient to specify the list of users who will receive notifications on non-owner access to their mailboxes. Users not included in this list will not be notified. - Enable automatic audit configuration— If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. See the [Exchange](/docs/auditor/10.8/configuration/exchange/overview.md) and [Exchange Online](/docs/auditor/10.8/configuration/microsoft365/exchangeonline/overview.md) topics for additional information about the audit settings required for Auditor to collect comprehensive audit data and instructions on how to configure them. If you select to automatically configure audit in the target environment, your current audit settings will be checked on each data collection and adjusted if necessary. |
+
+Review your data source settings and click **Add** to go back to your plan. The newly created data
+source will appear in the **Data source** list. As a next step, click **Add item** to specify an
+object for monitoring. See the
+[Add Items for Monitoring](/docs/auditor/10.8/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional
+information.
+
+## Domain
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Specify Active Directory domain | Specify the audited domain name in the FQDN format. For example, "_company.local_". |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.8/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information. |
+
+See the [Permissions for Exchange Auditing](/docs/auditor/10.8/configuration/exchange/permissions.md) topic
+for additional information.
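Review bot: In the "Collect data on non-owner access to mailboxes" row, the description says "within your Exchange Online organization", while the neighbouring rows and the closing "Permissions for Exchange Auditing" link refer to Exchange; confirm which environment this option covers and reword accordingly. In the same cell the three sub-options are flattened into one line with " - " separators, and the sentence "If any conflicts are detected..." comes before the sentence that explains what automatic configuration does, so the order should be swapped and the options broken out (for example with `<br/>` inside the cell). "Group membershipif" in the "Detect additional details" row is missing a space.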
diff --git a/docs/auditor/10.8/admin/monitoringplans/exchange/scope.md b/docs/auditor/10.8/admin/monitoringplans/exchange/scope.md
new file mode 100644
index 0000000000..0b9be8407c
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/exchange/scope.md
@@ -0,0 +1,63 @@
+---
+title: "Exchange Monitoring Scope"
+description: "Exchange Monitoring Scope"
+sidebar_position: 10
+---
+
+# Exchange Monitoring Scope
+
+You can fine-tune Auditor by specifying data that you want to exclude from the Exchange monitoring
+scope. In addition, you can exclude data from non-owner access auditing.
+
+- Exchange Monitoring Scope
+- To exclude users or mailboxes from the Mailbox Access monitoring scope
+
+Follow the steps to exclude data from the Exchange monitoring scope:
+
+**Step 1 –** Navigate to the _%Netwrix Auditor installation folder%\Active Directory Auditing_
+folder.
+
+**Step 2 –** Edit the \*.txt files, based on the following guidelines:
+
+- Each entry must be a separate line.
+- A wildcard (\*) is supported. You can use \* for cmdlets and their parameters.
+- Lines that start with the # sign are treated as comments and are ignored.
+
+| File | Description | Syntax |
+| ------------------------ | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| aal_omitlist.txt | For Exchange 2010 and above, the file contains a list of changes performed by cmdlets. To exclude a change from reports, specify name of a cmdlet and the attribute that is changed by the selected cmdlet. | `cmdlet.attrname` For example: `Set-User` `Set-ContactSet-Group` `#Update-AddressList` `Add-ADPermissionRemove-ADPermission` `#RBAC:` `*-MailboxAuditLogSearch` `*-AdminAuditLogSearch` |
+| aal_propnames.txt | For Exchange 2010 and above, the file contains a list of human-readable names of changed attributes to be displayed in change reports. To exclude a change from the reports, specify name of a cmdlet and the attribute that is changed by the selected cmdlet. | `classname.attrname= intelligiblename` For example: `*-OutlookAnywhere.SSLOffloading = Allow secure channel (SSL) offloading` |
+| omitobjlist_ecr.txt | Contains a list of human-readable names of object classes to be excluded from change reports. | `Classname` For example: `exchangeAdminService` `msExchMessageDeliveryConfig` `Exchange_DSAccessDC` |
+| omitpathlist_ecr.txt | Contains a list of AD paths to be excluded from change reports. | `Path` For example: `*\Microsoft Exchange System Objects\SystemMailbox*` |
+| omitproplist_ecr.txt | Contains a list of object types and properties to be excluded from change reports. | `object_type.property_name` If there is no separator (.) between an object type and a property, the whole entry is treated as an object type. For example: `msExchSystemMailbox.*` `*.msExchEdgeSyncCredential` `*.msExchMailboxMoveTargetMDBLink` `*.adminDescription` |
+| omitreporterrors_ecr.txt | Contains a list of errors to be excluded from Activity Summaries. | `Error message text` For example, to omit the error “The HTTP service used by Public Folders is not available, possible causes are that Public stores are not mounted and the Information Store service is not running. ID no: c1030af3”, add `*c1030af3*` to the file. |
+| omitstorelist_ecr.txt | Contains a list of classes and attributes names to be excluded from Exchange snapshots. | `object_type.property_name` If there is no separator (.) between an object type and a property, the whole entry is treated as an object type. For example: `Exchange_Server.AdministrativeGroup` `Exchange_Server.AdministrativeNote` `Exchange_Server.CreationTime` |
+| propnames_ecr2007.txt | Contains a list of human-readable names for object classes and attributes of Exchange 2007 to be displayed in change reports. | `classname.attrname= intelligiblename` For example: `msExchMDBAvailabilityGroup= Database Availability Group` |
+
+To exclude users or mailboxes from the Mailbox Access monitoring scope
+
+Auditor allows specifying users and mailboxes that you do not want to monitor for non-owner mailbox
+access events. To do this, edit the mailboxestoexclude.txt, userstoexclude.txt, and
+agentomitusers.txt files.
+
+Follow the steps to exclude data from Exchange Online monitoring scope
+
+**Step 1 –** Navigate to the _%Netwrix Auditor installation folder%\Non-owner Mailbox Access
+Reporter for Exchange_ folder.
+
+**Step 2 –** Edit mailboxestoexclude.txt, userstoexclude.txt, or agentomitusers.txt files, based on
+the following guidelines:
+
+- Each entry must be a separate line.
+- A wildcard (\*) is supported. You can use \* for cmdlets and their parameters.
+- Lines that start with the # sign are treated as comments and are ignored.
+
+You can also limit your reports by specific mailboxes. Edit the mailboxestoinclude.txt file to
+specify mailboxes.
+
+| File | Description | Syntax |
+| ---------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| mailboxestoexclude.txt | This file contains a list of mailboxes and folders that must be excluded from data collection. | Each entry must be a separate line. Wildcards (\*) can be used to replace any number of characters. - To exclude the certain user's mailbox, enter `username@domainname` , e.g.`john.smith@acme.com` - To exclude the certian folder, enter `username@domainname/foldername` , e.g. `john.smith@acme.com/Drafts ` - Use \*to exclude multiple mailboxes or folders, e.g. `*/foldername` will exclude the specified folder when processing all mailboxes. Examples: `*admin*@corp.com` `*/Drafts` - exclude _Drafts_ folder (for all mailboxes) `*/Testfolder/*` - exclude subfolders of _Testfolder_ (for all mailboxes) |
+| mailboxestoinclude.txt | This file contains a list of mailboxes that must be included when collecting data. For the mailboxes added to this list, the reports will contain only non-owner access events. | Specify email address to be included in the list as `username@domainname.` Example: `analyst@enterprise.com` |
+| userstoexclude.txt | This file contains a list of users who must be excluded from reports if they perform non-owner access attempt for mailboxes (audit data on these users will still be stored in the state-in-time snapshots). If a user is removed from this list, the information on this user’s actions can be viewed with the Report Viewer. | `DOMAIN\username` |
+| agentomitusers.txt | This file contains a list of users who must be excluded from reports and snapshots. If a user is removed from this list, audit data on this user will only be available after the next data collection. Writing new users to this file affects reports and snapshots only if Network traffic compression is enabled. | `DOMAIN\username` |
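Review bot: The aal_omitlist.txt examples have lost their separators: `Set-ContactSet-Group` and `Add-ADPermissionRemove-ADPermission` each read as a single entry, which contradicts the "Each entry must be a separate line" guideline above the table and would not work if copied as shown; split them into `Set-Contact`, `Set-Group`, `Add-ADPermission`, `Remove-ADPermission`. The second procedure is introduced with "Follow the steps to exclude data from Exchange Online monitoring scope" although this file is the Exchange scope topic, and its guideline "You can use \* for cmdlets and their parameters" is carried over to files that hold mailboxes and users, not cmdlets. The two bullets right after the intro ("Exchange Monitoring Scope", "To exclude users or mailboxes...") look like leftover in-page contents entries with no links. Because mailboxestoexclude.txt removes entries from data collection, it is worth stating beside the `*admin*@corp.com` example that the wildcard drops every matching mailbox from non-owner access auditing. Typo: "certian" in the mailboxestoexclude.txt row.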
diff --git a/docs/auditor/10.8/admin/monitoringplans/exchangeonline/_category_.json b/docs/auditor/10.8/admin/monitoringplans/exchangeonline/_category_.json
new file mode 100644
index 0000000000..17592919a5
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/exchangeonline/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Exchange Online",
+ "position": 80,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/admin/monitoringplans/exchangeonline/overview.md b/docs/auditor/10.8/admin/monitoringplans/exchangeonline/overview.md
new file mode 100644
index 0000000000..b5555845ca
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/exchangeonline/overview.md
@@ -0,0 +1,122 @@
+---
+title: "Exchange Online"
+description: "Exchange Online"
+sidebar_position: 80
+---
+
+# Exchange Online
+
+**NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in
+the following topics:
+
+- [Protocols and Ports Required](/docs/auditor/10.8/requirements/ports.md) – To ensure successful data
+ collection and activity monitoring configure necessary protocols and ports for inbound and
+ outbound connections
+- [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to
+ audit your IT systems
+
+- [Exchange Online](/docs/auditor/10.8/configuration/microsoft365/exchangeonline/overview.md) – Configure data
+ source as required to be monitored
+
+## How to add Exchange Online Monitoring Plan
+
+This instruction shows how to collect audit data from the Microsoft 365 tenant.
+
+If you plan to use modern authentication, see the
+[Configuring Microsoft Entra ID App for Auditing Microsoft Entra ID](/docs/auditor/10.8/configuration/microsoft365/microsoftentraid/permissions/modernauth/modernauth.md#configuring-microsoft-entra-id-app-for-auditing-microsoft-entra-id)
+topic for additional information on how to prepare Microsoft Entra ID app with required permissions.
+Make sure you have the following at hand:
+
+- Tenant name
+- For modern authentication: Application (client) ID
+- Application secret
+- For basic authentication: User name and password
+
+Types of data that can be collected by Netwrix Auditor from the Microsoft 365 tenant depend on the
+authentication option you choose.
+
+Follow the steps to configure Office 365 tenant as a monitored item.
+
+**Step 1 –** On the **General** page of the item properties, specify **Tenant name**:
+
+- If you are going to use **Basic authentication**, you can proceed to the next step – **Tenant
+ name** will be filled in automatically after it.
+
+- **NOTE:** Basic authentication is no longer possible for Exchange Online. For the already existing
+ tenants it is still possible to use basic authentication for SharePoint Online and Microsoft Entra
+ ID monitoring.
+
+- If you are going to use **Modern authentication**, paste the obtained name. See the
+ [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.8/configuration/microsoft365/microsoftentraid/permissions/modernauth/modernauth.md)
+ topic for additional information.
+
+
+
+If you are using a government tenant, please click the **Tenant Environment** tab and select the
+desired tenant environment.
+
+**Step 2 –** Select authentication method that will be used when accessing Office 365 services:
+
+- Basic authentication:
+
+ - Selected, Office 365 organization will be accessed on behalf of the user you specify.
+ - Enter **User name** and **password**; use any of the following formats: _user@domain.com_ or
+ _user@domain.onmicrosoft.com_.
+ - The **Tenant name** field then will be filled in automatically.
+ - Make sure this user account has sufficient access rights. See
+ [Using Basic Authentication with Microsoft Entra ID](/docs/auditor/10.8/configuration/microsoft365/microsoftentraid/permissions/basicauth.md)
+ topic for additional information.
+
+- Modern authentication:
+
+ - Selected, Office 365 organization will be accessed using the Microsoft Entra ID (formerly
+ Azure AD) app you prepared. Enter:
+
+ - **Application ID**;
+
+ - **Application secret**.
+
+ - See the
+ [Using Modern Authentication with Microsoft Entra ID](/docs/auditor/10.8/configuration/microsoft365/microsoftentraid/permissions/modernauth/modernauth.md)
+ for additional information.
+
+**Step 3 –** Click the **Add** button.
+
+
+
+You can use a single account to collect audit data for different Office 365 services (Microsoft
+Entra ID, Exchange Online, SharePoint Online); however, Netwrix recommends that you specify
+individual credentials for each of them.
+
+If you plan to collect and report on the audit data for Exchange Online non-owner mailbox access,
+consider that the value shown in the "_Who_" field in reports and search results will be displayed
+in UPN format (unlike the earlier Netwrix Auditor versions). This refers to the following scenarios:
+
+- All new installations
+- Upgrade from the previous versions if:
+
+ - Modern authentication is selected in the item settings after the upgrade.
+
+ OR
+
+ - Modern authentication has ever been selected in the item settings and reverted back to Basic
+ later
+
+**Step 4 –** Complete the following fields:
+
+| Option | Description |
+| -------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Monitor this data source and collect activity data | |
+| Configure audit settings | See the [Exchange Online](/docs/auditor/10.8/configuration/microsoft365/exchangeonline/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. |
+| Collect data for state-in-time reports | Configure Netwrix Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.8/admin/reports/types/stateintime/overview.md) topic for additional information. |
+| Collect data on non-owner access to mailboxes | Monitor access to mailboxes by users other than the mailbox owner, including delegate access and shared mailbox activities. |
+| Collect data on owner access to mailboxes | **NEW IN 10.8:** Monitor mailbox owner activities including mass email deletions, folder permission changes, and inbox rule modifications. This provides enhanced visibility into potentially suspicious owner activities that could indicate compromised accounts or insider threats. |
+
+Review your data source settings and click **Add** to go back to your plan. The newly created data
+source will appear in the **Data source** list. As a next step, click **Add item** to specify an
+object for monitoring. See the
+[Add Items for Monitoring](/docs/auditor/10.8/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional
+information.
+
+See the [Microsoft 365](/docs/auditor/10.8/configuration/microsoft365/overview.md) topic for additional
+information.
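Review bot: Step 1 carries the note "Basic authentication is no longer possible for Exchange Online", yet the first bullet of Step 1 and the whole "Basic authentication" branch of Step 2 still present it as a selectable path for this data source; either remove that branch from the Exchange Online topic or state explicitly which existing tenants and services it still applies to. In the prerequisites list, "Application secret" is a standalone bullet without the "For modern authentication:" qualifier that "Application (client) ID" has, so it reads as required for both methods. The "Monitor this data source and collect activity data" row in the Step 4 table has an empty description. Step 3 ends with clicking **Add**, after which Step 4 asks the reader to complete further fields, so the step order needs checking. "Office 365" and "Microsoft 365" are used interchangeably for the tenant throughout the file.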
diff --git a/docs/auditor/10.8/admin/monitoringplans/exchangeonline/scope.md b/docs/auditor/10.8/admin/monitoringplans/exchangeonline/scope.md
new file mode 100644
index 0000000000..0bc6cb9e14
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/exchangeonline/scope.md
@@ -0,0 +1,28 @@
+---
+title: "Exchange Online Monitoring Scope"
+description: "Exchange Online Monitoring Scope"
+sidebar_position: 10
+---
+
+# Exchange Online Monitoring Scope
+
+You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Exchange
+Online monitoring scope.
+
+Follow the steps to exclude data from Exchange Online monitoring scope:
+
+**Step 1 –** Navigate to the _%Netwrix Auditor installation folder%\Exchange Online Auditing_
+folder.
+
+**Step 2 –** Edit the \*.txt files, based on the following guidelines:
+
+- Each entry must be a separate line.
+- A wildcard (\*) is supported. You can use \* for cmdlets and their parameters.
+- Lines that start with the # sign are treated as comments and are ignored.
+
+| File | Description | Syntax |
+| ---------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| omitlist.txt | The file contains a list of changes performed by cmdlets. To exclude a change from reports, search results and Activity Summaries, specify name of a cmdlet and the attribute that is changed by the selected cmdlet. | `cmdlet` For example: `Enable-OrganizationCustomization` `New-AdminAuditLogSearch` `New-MailboxAuditLogSearch` `cmdlet.param` For example: `*.Identity` `*.DomainController` `*.Organization` `*.IgnoreDefaultScope` `*.Force` `*.Confirm` `*.Password` `*-ManagementRoleEntry.Parameters` `Remove-PublicFolder.Recurse` |
+| omitpathlist.txt | Contains a list of paths to be excluded from reports, search results and Activity Summaries. | `path` For example: `SystemMailbox{*}` `DiscoverySearchMailbox{*}` `FederatedEmail.*` You can use a wildcard (\*) to replace any number of characters in the path. |
+| omituserlist.txt | Contains a list of user names to be excluded from reports, search results and Activity Summaries. | `domain\user` For example: `Enterprise\analyst` `email address` For example: `analyst@Enterprise.onmicrosoft.com` |
+| propnames.txt | Contains a list of human-readable names for object classes and their and their properties to be displayed in search results, reports and Activity Summaries. | `cmdletobject=friendlyname` `cmdlet.param=friendlyname` For example: `RoleGroupMember = Role Group` `UMHuntGroup = Unified Messaging Hunt Group` |
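Review bot: The omituserlist.txt row says listed users are "excluded from reports, search results and Activity Summaries" but does not say whether their activity is still collected and stored; the Exchange scope topic spells this out for userstoexclude.txt ("audit data on these users will still be stored in the state-in-time snapshots"), and the same statement is needed here so an administrator knows whether an entry hides data or drops it. In the omitlist.txt row the description speaks of "the attribute that is changed by the selected cmdlet" while the syntax column uses `cmdlet.param`; pick one term. The propnames.txt description repeats "and their and their".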
diff --git a/docs/auditor/10.8/admin/monitoringplans/fileservers/_category_.json b/docs/auditor/10.8/admin/monitoringplans/fileservers/_category_.json
new file mode 100644
index 0000000000..e15046caf4
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/fileservers/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "File Servers",
+ "position": 90,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
diff --git a/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md b/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md
new file mode 100644
index 0000000000..0296ad5fae
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md
@@ -0,0 +1,476 @@
+---
+title: "File Servers"
+description: "File Servers"
+sidebar_position: 90
+---
+
+# File Servers
+
+**NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in
+the following topics:
+
+- [Protocols and Ports Required](/docs/auditor/10.8/requirements/ports.md) – To ensure successful data
+ collection and activity monitoring configure necessary protocols and ports for inbound and
+ outbound connections
+- [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to
+ audit your IT systems
+
+- [File Servers](/docs/auditor/10.8/configuration/fileservers/overview.md) – Configure data source as required
+ to be monitored
+
+
+
+Complete the following fields:
+
+- General
+- Monitor this data source and collect activity data – Enable monitoring of the selected data source and configure Auditor to collect and store audit data.
+- Specify actions for monitoring – Specify actions you want to track and auditing mode.
+
+| | |
+|---------------|------------------------------------------------------------------------------------------------------------------------------------------|
+| **Changes** | |
+| Successful | Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion. |
+| Failed | Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it. |
+| **Read access** | |
+| Successful | Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. |
+| Failed | Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. |
+
+Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing.
+
+- Specify data collection method – You can enable network traffic compression. If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance.
+To collect data from 32-bit operating systems, network traffic compression must be disabled.
+To collect data from Windows Failover Cluster, network traffic compression must be enabled.
+
+- Configure audit settings – You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed.
+Do not select the checkbox if you want to configure audit settings manually. Some settings cannot be configured automatically. The product has the following limitations depending on your file server type
+
+| File Server | SACL Check | SACL Adjust | Policy Check | Policy Adjust | Log Check | Log Adjust |
+|-----------------------------------------|------------|-------------|--------------|---------------|-----------|------------|
+| Windows | + | + | + | + | + | + |
+| Dell Celerra\VNX\Unity | + | + | + | — | + | — |
+| Dell Isilon | n/a | n/a | + | — | + | — |
+| NetApp Data ONTAP 7 and 8 in 7-mode | + | + | + | + | + | + |
+| NetApp Clustered Data ONTAP 8 and ONTAP 9 | + | + | + | + | + | — |
+| Nutanix Files | n/a | n/a | + | — | n/a | n/a |
+
+- Collect data for state-in-time reports – Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation.
+When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions.
+In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected.
+In the Manage historical snapshots section, you can click Manage and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past.
+You must be assigned the Global administrator or the Global reviewer role to import snapshots.
+Move the selected snapshots to the Snapshots available for reporting list using the arrow button.
+The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database.
+
+- Users
+
+- Specify monitoring restrictions – Select the users to be excluded from search results, reports and Activity Summaries. To add users to the list, click Add and provide user name in the domain\user format: *mydomain\user1*.
+ - Use NetBIOS domain name format.
+ - To exclude events containing “System” instead of initiator's account name in the “Who” column, enter "System" value to the list.
+
+In addition to the restrictions for a monitoring plan, you can use the *.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the *.txt files.
+
+Review your data source settings and click **Add** to go back to your plan. The newly created data
+source will appear in the Data source list. As a next step, click Add item to specify an object for
+monitoring.
+
+| |
+| ------------------- |
+| Windows File Server |
+| Dell Data storage |
+| NetApp storage |
+| Nutanix File Server |
+
+By default, Auditor will monitor all shares stored in the specified location, except for hidden
+shares (both default and user-defined). If you want to monitor user-defined hidden shares, select
+the related option in the monitored item settings.
+
+Administrative hidden shares like default system root or Windows directory (_ADMIN$_), default drive
+shares (_D$, E$_), etc. will not be monitored. See the
+[Add Items for Monitoring](/docs/auditor/10.8/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional
+information.
+
+_Remember,_ before adding your monitored items, examine the considerations, limitations and
+recommendations provided in the following sections:
+
+- [DFS-Related Constraints](/docs/auditor/10.8/configuration/fileservers/windows/overview.md#dfs-related-constraints)
+- [Supported File Servers and Devices](/docs/auditor/10.8/configuration/fileservers/overview.md#supported-file-servers-and-devices)
+- [State-in-Time Data](/docs/auditor/10.8/configuration/fileservers/overview.md#state-in-time-data)
+- [Sensitive Data](/docs/auditor/10.8/configuration/fileservers/overview.md#sensitive-data)
+
+## Dell VNX VNXe
+
+Dell VNX, VNXe, Celerra, and Unity NAS devices are collectively referred to as Dell Data Storage.
+
+Complete the following fields:
+
+| Option | Description |
+| ----------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | |
+| Specify Dell VNX/VNXe, Celerra or Unity storage array | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. |
+| Scope | |
+| Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. See the Fine-tune Monitoring Scope for additional information on how to narrow your monitoring scope. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.8/admin/monitoringplans/overview.md)topic for additional information. |
+
+### Fine-tune Monitoring Scope
+
+To audit all file shares, under Specify monitoring restrictions, select Monitor all file shares in
+the array.
+
+
+
+You can also create lists of specific file shares to include and/or exclude from being audited.
+
+#### Include a File Share
+
+Follow the steps to include a file share.
+
+**Step 1 –** Under Specify monitoring restrictions, select Specific file shares.
+
+**Step 2 –** Click Add Inclusion.
+
+**Step 3 –** Provide UNC path to a shared resource. For example: _NewStation\Shared._
+
+**Step 4 –** Do not specify a default file share mapped to a local drive (e.g., \\Server\e$).
+
+#### Exclude Specific Data
+
+Follow the steps to exclude specific data.
+
+Click Add Exclusion. Then, in the Specify Filters dialog, do the following:
+
+**Step 5 –** Provide the path to the file share where you are going to exclude some audit data. Use
+the path format as it appears in the "_What_" column of reports and Activity Summaries — for
+example, _\\corpsrv\shared_.
+
+**Step 6 –** You can use a wildcard (\*) only if you need to exclude user activity on this file
+share. For other data types (_state-in-time_ or _all data_) wildcards are not supported. This refers
+to the specified shared folder, its subfolders and files.
+
+**Step 7 –** Select what type of data you want to exclude:
+
+| Option | Description | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **All Data** | Select if you want to completely exclude the specified file share from being audited. The product will not collect any user activity or state-in-time data. **NOTE:** In this case,Auditor does not adjust audit settings automatically for the selected folders. | A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Thus, s/he configures the product not to monitor this folder at all. |
+| State-in-Time | Select to configure Auditor to exclude data for the state-in-time reports from the monitoring scope. | A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Auditor to collect state-in-time data for this folder. |
+| **User Activity** | Select to exclude actions performed by specific users on the selected file share. See the procedure below for details. **NOTE:** In this case, the product still collects stat-in-time data for this share. | A Security Officer wants to monitor a file share that contains a public folder for which s/he does not want to collect _Read_ operations. |
+
+**Follow the steps to exclude specific user activity.**
+
+**Step 1 –** Specify what user accounts should be excluded:
+
+- All Users — Select to exclude the activity of any user on the file share you specified.
+- These users— Select to exclude specific users' activity. Provide user names as shown in the
+ "_Who_" column in reports and Activity Summaries, e.g., _MyDomain\user1_. To enter multiple
+ accounts, use comma as a separator.
+
+**Step 2 –** Specify what actions should be excluded:
+
+- All actions — Exclude all actions of the selected users
+- These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_.
+
+
+
+**Step 3 –** After configuring all filters, click **Add** to save them and return to the item
+settings.
+
+## Dell Isilon
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | |
+| Specify Dell Isilon storage array | Provide the IP address or the host name of the name server used to connect to your access zone. For example, _account.corp.lab_ |
+| Access Zone | Enter the name of access zone partition within your EMC Isilon cluster. For example, _zone_account_ |
+| OneFS web administration interface URL | Enter Dell Isilon web administration URL (e.g., _https://isiloncluster.corp.lab:8080_). This URL is used to get configuration details about your Isilon cluster via OneFS API. |
+| File Share UNC path to audit logs | Path to the file share located on a Dell Isilon with event log files (e.g., _\\srv\netwrix_audit$\logs_). |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. |
+| Scope | |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. See the Fine-tune Monitoring ScopeFine-tune Monitoring Scopetopic for additional information about how to narrow your monitoring scope. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.8/admin/monitoringplans/overview.md)topic for additional information. |
+
+### Configure the Scope
+
+You can configure Netwrix Auditor to audit all file shares except for ones added as exclusions. For
+that, under Specify monitoring restrictions, select All file shares in the array. You can also
+create lists of specific file shares to include and/or exclude from being audited. Review the
+following for additional information:
+
+- Add Inclusion
+- Add Exclusion
+
+### Add Inclusion
+
+Follow the steps to add inclusion.
+
+**Step 1 –** Under Specify monitoring restrictions, select Specific file shares.
+
+**Step 2 –** Click Add Inclusion.
+
+**Step 3 –** Provide UNC path to a shared resource. For example: _NewStation\Shared._
+
+Do not specify a default file share mapped to a local drive (e.g., \\Server\e$).
+
+### Add Exclusion
+
+Follow the steps to add exclusion.
+
+Click Add Exclusion. Then, in the Specify Filters dialog, do the following:
+
+**Step 4 –** Provide the path to the file share where you are going to exclude some audit data. Use
+the path format as it appears in the "_What_" column of reports and Activity Summaries — for
+example, _\\corpsrv\shared_.
+
+**Step 5 –** You can use a wildcard (\*) only if you need to exclude user activity on this file
+share. For other data types (_state-in-time_ or _all data_) wildcards are not supported. This refers
+to the specified shared folder, its subfolders and files.
+
+**Step 6 –** Select what type of data you want to exclude:
+
+| Option | Description | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **All Data** | Select if you want to completely exclude the specified file share from being audited. The product will not collect any user activity or state-in-time data. **NOTE:** In this case,Auditor does not adjust audit settings automatically for the selected folders. | A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Thus, s/he configures the product not to monitor this folder at all. |
+| State-in-Time | Select to configure Auditor to exclude data for the state-in-time reports from the monitoring scope. | A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Auditor to collect state-in-time data for this folder. |
+| **User Activity** | Select to exclude actions performed by specific users on the selected file share. See the procedure below for details. **NOTE:** In this case, the product still collects stat-in-time data for this share. | A Security Officer wants to monitor a file share that contains a public folder for which s/he does not want to collect _Read_ operations. |
+
+**Follow the steps to exclude specific user activity.**
+
+**Step 1 –** Specify what user accounts should be excluded:
+
+- All Users — Select to exclude the activity of any user on the file share you specified.
+- These users— Select to exclude specific users' activity. Provide user names as shown in the
+ "_Who_" column in reports and Activity Summaries, e.g., _MyDomain\user1_. To enter multiple
+ accounts, use comma as a separator.
+
+**Step 2 –** Specify what actions should be excluded:
+
+- All actions — Exclude all actions of the selected users
+- These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_.
+
+
+
+**Step 3 –** After configuring all filters, click **Add** to save them and return to the item
+settings.
+
+## NetApp
+
+Complete the following fields:
+
+| Option | Description |
+| ------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | |
+| Specify NetApp file server | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. |
+| File share UNC path to audit logs | Select one of the following: - Detect automatically—If selected, a shared resource will be detected automatically. - Use this path—UNC path to the file share located on a NetApp Filer with event log files (e.g., _\\CORP\ETC$\log_). |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. |
+| ONTAPI/ONTAP REST API | |
+| Specify protocol for accessing ONTAPI/ONTAP REST API | Select one of the following: - Detect automatically—If selected, a connection protocol will be detected automatically. - HTTP - HTTPS Refer to [Netwrix Auditor Installation and Configuration Guide](https://www.netwrix.com/download/documents/Netwrix_Auditor_Installation_Configuration_Guide.pdf) for detailed instructions on how to enable HTTP or HTTPS admin access. NOTE: ONTAP REST API works only over HTTPS protocol |
+| Specify management interface | Select management interface to connect to ONTAPI/ONTAP REST API. If you want to use custom management interface for ONTAPI/ONTAP REST API, select Custom and provide a server name by entering its FQDN, NETBIOS or IP address. |
+| Specify account for connecting to ONTAPI/ONTAP REST API | Select an account to connect to NetApp and collect data through ONTAPI/ONTAP REST API. If you want to use a specific account (other than the one you specified on the General tab), select **Custom** and enter credentials. The credentials are case sensitive. Take into consideration that even if a custom account is specified, the account selected on the General tab must be a member of the Builtin\Administrators group and have sufficient permissions to access audit logs shared folder and audited shares. [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) |
+| Scope | |
+| Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. **CAUTION:** Monitoring of non-default hidden shares is not supported for NetApp servers in 7-mode. |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. Configure Scope how to narrow your monitoring scope. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.8/admin/monitoringplans/overview.md)topic for additional information. |
+
+### Configure Scope
+
+You can configure Netwrix Auditor to audit all file shares except for ones added as exclusions. For
+that, under Specify monitoring restrictions, select All file shares in the array. You can also
+create lists of specific file shares to include and/or exclude from being audited. Review the
+following for additional information:
+
+### Add Inclusion
+
+Follow the steps to add inclusion.
+
+**Step 1 –** Under Specify monitoring restrictions, select Specific file shares.
+
+**Step 2 –** Click Add Inclusion.
+
+**Step 3 –** Provide UNC path to a shared resource. For example: _NewStation\Shared._
+
+NOTE: Do not specify a default file share mapped to a local drive (e.g., \\Server\e$).
+
+### Add Exclusion
+
+Follow the steps to add exclusion.
+
+Click Add Exclusion. Then, in the Specify Filters dialog, do the following:
+
+**Step 4 –** Provide the path to the file share where you are going to exclude some audit data. Use
+the path format as it appears in the "_What_" column of reports and Activity Summaries — for
+example, _\\corpsrv\shared_.
+
+**Step 5 –** You can use a wildcard (\*) only if you need to exclude user activity on this file
+share. For other data types (_state-in-time_ or _all data_) wildcards are not supported. This refers
+to the specified shared folder, its subfolders and files.
+
+**Step 6 –** Select what type of data you want to exclude:
+
+| Option | Description | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **All Data** | Select if you want to completely exclude the specified file share from being audited. The product will not collect any user activity or state-in-time data. **NOTE:** In this case,Auditor does not adjust audit settings automatically for the selected folders. | A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Thus, s/he configures the product not to monitor this folder at all. |
+| State-in-Time | Select to configure Auditor to exclude data for the state-in-time reports from the monitoring scope. | A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Auditor to collect state-in-time data for this folder. |
+| **User Activity** | Select to exclude actions performed by specific users on the selected file share. See the procedure below for details. **NOTE:** In this case, the product still collects stat-in-time data for this share. | A Security Officer wants to monitor a file share that contains a public folder for which s/he does not want to collect _Read_ operations. |
+
+**Follow the steps to exclude specific user activity.**
+
+**Step 1 –** Specify what user accounts should be excluded:
+
+- All Users — Select to exclude the activity of any user on the file share you specified.
+- These users— Select to exclude specific users' activity. Provide user names as shown in the
+ "_Who_" column in reports and Activity Summaries, e.g., _MyDomain\user1_. To enter multiple
+ accounts, use comma as a separator.
+
+**Step 2 –** Specify what actions should be excluded:
+
+- All actions — Exclude all actions of the selected users
+- These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_.
+
+
+
+**Step 3 –** After configuring all filters, click **Add** to save them and return to the item
+settings.
+
+## Nutanix Files
+
+**NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in
+the following topics:
+
+- [Protocols and Ports Required](/docs/auditor/10.8/requirements/ports.md) – To ensure successful data
+ collection and activity monitoring configure necessary protocols and ports for inbound and
+ outbound connections
+- [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to
+ audit your IT systems
+
+Complete the following fields:
+
+- Monitor this data source and collect activity data – Enable monitoring of the selected data source and configure Auditor to collect and store audit data.
+- Specify actions for monitoring – Specify actions you want to track and auditing mode.
+
+| | |
+|---------------|------------------------------------------------------------------------------------------------------------------------------------------|
+| **Changes** | |
+| Successful | Use this option to track changes to your data. Helps find out who made changes to your files, including their creation and deletion. |
+| Failed | Use this option to detect suspicious activity on your file server. Helps identify potential intruders who tried to modify or delete files, etc., but failed to do it. |
+| **Read access** | |
+| Successful | Use this option to supervise access to files containing confidential data intended for privileged users. Helps identify who accessed important files besides your trusted users. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. |
+| Failed | Use this option to track suspicious activity. Helps find out who was trying to access your private data without proper justification. Enabling this option on public shares will result in high number of events generated on your file server and the amount of data written to the Long-Term Archive. |
+
+Actions reported by Auditor vary depending on the file server type and the audited object (file, folder, or share). The changes include creation, modification, deletion, moving, etc. To track the copy action, enable successful read access and change auditing.
+
+- Specify data collection method – You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance.
+
+- Configure audit settings – You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Supported Data Sources](/docs/auditor/10.8/requirements/supporteddatasources/supporteddatasources.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. Netwrix Auditor can configure the following settings:
+ - Policy Check
+ - Policy Adjust
+
+- Collect data for state-in-time reports – Configure Auditor to store daily snapshots of your system configuration required for further state-in-time reports generation. See the [State–In–Time Reports](/docs/auditor/10.8/admin/reports/types/stateintime/overview.md) topic for additional information. When auditing file servers, changes to effective access permissions can be tracked in addition to audit permissions. By default, Combination of file and share permissions is tracked. File permissions define who has access to local files and folders. Share permissions provide or deny access to the same resources over the network. The combination of both determines the final access permissions for a shared folder—the more restrictive permissions are applied. Upon selecting Combination of file and share permissions only the resultant set will be written to the Audit Database. Select File permissions option too if you want to see difference between permissions applied locally and the effective file and share permissions set. To disable auditing of effective access, unselect all checkboxes under Include details on effective permissions. In the Schedule state-in-time data collection section, you can select a custom weekly interval for snapshots collection. Click Modify and select day(s) of week you want your snapshot to be collected. In the Manage historical snapshots section, you can click **Manage** and select the snapshots that you want to import to the Audit Database to generate a report on the data source's state at the specific moment in the past. You must be assigned the Global administrator or the Global reviewer role to import snapshots. Move the selected snapshots to the Snapshots available for reporting list using the arrow button. The product updates the latest snapshot on the regular basis to keep users up to date on actual system state. Users can also configure Only the latest snapshot is available for reporting in Auditor. 
If you want to generate reports based on different snapshots, you must import snapshots to the Audit Database.
+
+Review your data source settings and click **Add** to go back to your plan. The newly created data
+source will appear in the **Data source** list. As a next step, click **Add item** to specify an
+object for monitoring. See the [Add Items for Monitoring](/docs/auditor/10.8/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional information.
+
+## Nutanix SMB Shares
+
+Complete the following fields:
+
+| Option | Description |
+| -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| **General** | |
+| Specify Nutanix File Server | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. If you need to audit a 3-node cluster, it is recommended to use FQDN or NETBIOS name. |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for more information. |
+| Specify listening port for incoming connections | Provide the name of the TCP port to listen to notifications on the operations with Nutanix file shares. Default is **9898**. For details on how to open the port, refer to the [Nutanix Ports](/docs/auditor/10.8/configuration/fileservers/nutanix/ports.md) topic. |
+| **Nutanix File Server REST API** | |
+| Specify account for connecting to Nutanix File Server REST API | Specify the account that will be used to connect to Nutanix REST API. This account should have sufficient privileges on the Nutanix File Server. For details, refer to [Create User Account to Access Nutanix REST API](/docs/auditor/10.8/configuration/fileservers/nutanix/useraccount.md). |
+| **Scope** | |
+| Monitor hidden shares | By default, Netwrix Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. Refer to Configure Scope for detailed instructions on how to configure your monitoring scope. Currently, auditing is available for SMB shares only. Auditing of NFS shares is not supported due to known limitations. |
+
+### Configure Scope
+
+You can configure Netwrix Auditor to audit all file shares except for ones added as exclusions. For
+that, under Specify monitoring restrictions, select All file shares in the array. You can also
+create lists of specific file shares to include and/or exclude from being audited. Review the
+following for additional information:
+
+### Add Inclusion
+
+Follow the steps to add inclusion.
+
+**Step 1 –** Under Specify monitoring restrictions, select Specific file shares.
+
+**Step 2 –** Click Add Inclusion.
+
+**Step 3 –** Provide UNC path to a shared resource. For example: _NewStation\Shared._
+
+Do not specify a default file share mapped to a local drive (e.g., \\Server\e$).
+
+### Add Exclusion
+
+Follow the steps to add exclusion.
+
+Click Add Exclusion. Then, in the Specify Filters dialog, do the following:
+
+**Step 4 –** Provide the path to the file share where you are going to exclude some audit data. Use
+the path format as it appears in the "_What_" column of reports and Activity Summaries — for
+example, _\\corpsrv\shared_.
+
+**Step 5 –** You can use a wildcard (\*) only if you need to exclude user activity on this file
+share. For other data types (_state-in-time_ or _all data_) wildcards are not supported. This refers
+to the specified shared folder, its subfolders and files.
+
+**Step 6 –** Select what type of data you want to exclude:
+
+| Option | Description | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **All Data** | Select if you want to completely exclude the specified file share from being audited. The product will not collect any user activity or state-in-time data. **NOTE:** In this case,Auditor does not adjust audit settings automatically for the selected folders. | A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Thus, s/he configures the product not to monitor this folder at all. |
+| State-in-Time | Select to configure Auditor to exclude data for the state-in-time reports from the monitoring scope. | A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Auditor to collect state-in-time data for this folder. |
+| **User Activity** | Select to exclude actions performed by specific users on the selected file share. See the procedure below for details. **NOTE:** In this case, the product still collects stat-in-time data for this share. | A Security Officer wants to monitor a file share that contains a public folder for which s/he does not want to collect _Read_ operations. |
+
+**Follow the steps to exclude specific user activity.**
+
+**Step 1 –** Specify what user accounts should be excluded:
+
+- All Users — Select to exclude the activity of any user on the file share you specified.
+- These users— Select to exclude specific users' activity. Provide user names as shown in the
+ "_Who_" column in reports and Activity Summaries, e.g., _MyDomain\user1_. To enter multiple
+ accounts, use comma as a separator.
+
+**Step 2 –** Specify what actions should be excluded:
+
+- All actions — Exclude all actions of the selected users
+- These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_.
+
+
+
+**Step 3 –** After configuring all filters, click **Add** to save them and return to the item
+settings.
+
+## Qumulo
+
+Complete the following fields:
+
+| Option | Description |
+| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| General | |
+| Specify a file server | Provide UNC path to a file server. See the section below for special considerations. Do not specify a default file share mapped to a local drive (e.g., \\Server\e$). |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. |
+| Event Collection | |
+| Specify a host or network resource | Provide UNC path to a file server or an IP range of servers you want to get activity events from. You can select to collect event data from the same server or provide a custom server or IP range. |
+| Specify port and protocol for incoming connections | Use **Port** and **Protocol** to provide the port required for incoming connections (default is **UDP port 514**). |
+| Scope | |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. By default, Netwrix Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings. Remember that administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See the topics on the monitored items for details. |
+
+## Synology
+
+Complete the following fields:
+
+| Option | Description |
+| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| General | |
+| Specify a file server | Provide UNC path to a file server. See the section below for special considerations. Do not specify a default file share mapped to a local drive (e.g., \\Server\e$). |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. |
+| Event Collection | |
+| Specify a host or network resource | Provide UNC path to a file server or an IP range of servers you want to get activity events from. You can select to collect event data from the same server or provide a custom server or IP range. |
+| Specify port and protocol for incoming connections | Use **Port** and **Protocol** to provide the port required for incoming connections (default is **UDP port 514**). |
+| Scope | |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. By default, Netwrix Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings. Remember that administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See the topics on the monitored items for details. |
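Review bot: under "### Add Exclusion" the numbered steps begin at "Step 4" and the opening action ("Click Add Exclusion. Then, in the Specify Filters dialog, do the following:") carries no number, so a reader who lands on this heading cannot tell what steps 1 to 3 were. Renumber from Step 1, give the opening click its own step, and keep the nested "exclude specific user activity" procedure visibly separate, since it restarts at Step 1 and ends with a second "Step 3". In the same table the User Activity row says "stat-in-time" where "state-in-time" is meant, and the All Data row has "In this case,Auditor" with no space after the comma. In the Qumulo and Synology tables, "See the section below for special considerations" points at nothing, because neither section has any content after its table; link the intended topic or drop the sentence. The Event Collection rows give only the default "UDP port 514", so a link to the "Protocols and Ports Required" topic (/docs/auditor/10.8/requirements/ports.md, already referenced from windowsfileserver.md) would help whoever has to open that listener decide which sources to allow.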
diff --git a/docs/auditor/10.8/admin/monitoringplans/fileservers/scope.md b/docs/auditor/10.8/admin/monitoringplans/fileservers/scope.md
new file mode 100644
index 0000000000..70e85999b7
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/fileservers/scope.md
@@ -0,0 +1,117 @@
+---
+title: "File Servers Monitoring Scope"
+description: "File Servers Monitoring Scope"
+sidebar_position: 20
+---
+
+# File Servers Monitoring Scope
+
+You can specify data that you want to include into / exclude from the Windows File Server, NetApp
+Filer, and Dell Data Storage (formerly EMC) monitoring scope. For that, you can configure monitoring
+scope in Auditor client UI, as explained in the related section:
+
+- [File Servers](/docs/auditor/10.8/admin/monitoringplans/fileservers/overview.md)
+- Windows File Share
+
+Besides, you can configure exclusions for file servers audit using the special txt files (omit
+lists), as explained below.
+
+Monitoring scope restrictions set up in the UI will apply together with the exclusion settings
+configured in the \*.txt files.
+
+**Follow the steps to exclude data from file server monitoring scope:**
+
+**Step 1 –** Navigate to the _%Netwrix Auditor installation folder%\File Server Auditing_ folder.
+
+**Step 2 –** Edit the \*.txt files, based on the following guidelines:
+
+- Each entry must be a separate line.
+- A wildcard (\*) is supported. You can use \* for cmdlets and their parameters.
+- Lines that start with the # sign are treated as comments and are ignored.
+
+| File | Description | Syntax |
+| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| omitcollectlist.txt | Contains a list of objects to be excluded from being monitored. | `Monitoring plan name,server name, resource path` Wildcards are not supported for the Server Name field. To disable filtering for this field, specify an empty string. For example: `*,,\\\\*\\System Volume Information*` |
+| omiterrors.txt | Contains a list of errors and warnings to be omitted from logging to the Netwrix Auditor System Health event log. | `Monitoring plan name,``````server name,error text` For example: `*,productionserver1.corp.local, *Access is denied*` |
+| omitreportlist.txt | Contains a list of objects to be excluded from reports and Activity Summary emails. In this case audit data is still being collected. | `Monitoring plan name,action,who,object type,resource path,property name` Wildcards are not supported for the action and property name fields. To disable filtering for these fields, specify an empty string. For example: `*,,CORP\\jsmith,*,*,` |
+| omitstorelist.txt | Contains a list of objects to be excluded from being stored to the Audit Archive and showing up in reports. In this case audit data is still being collected. | `Monitoring plan name,action,who ,object type,resource path,property name` Wildcards are not supported for the Change Type and Property Name fields. To disable filtering for these fields, specify an empty string. For example: `*,,*,*,\\\\productionserver1.corp.local\\builds\\*, Attributes` |
+| omitstoreprocesslist.txt | Contains a list of processes to be excluded from being stored to the Audit Archive and showing up in reports. | `Monitoring plan name,resource path, executable path` Only local applications can be excluded. For example: `*,*,*notepad.exe` |
+
+## Windows File Share
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| General | |
+| Specify Windows file share | Provide UNC path to a shared resource. See the section below for special considerations. Do not specify a default file share mapped to a local drive (e.g., \\Server\e$). |
+| Specify the account for collecting data | |
+| Scope | |
+| Specify monitoring restrictions | Refer to Configure Scope for detailed instructions on how to narrow your monitoring scope. By default, Netwrix Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings. Remember that administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See the topics on the monitored items for details. |
+
+### Configure Scope
+
+You can narrow your monitoring scope by adding exclusions.
+
+Click Add Exclusion. Then, in the Specify Filters dialog, do the following:
+
+**Step 3 –** Provide the path to the file share where you are going to exclude some audit data. Use
+the path format as it appears in the "_What_" column of reports and Activity Summaries — for
+example, _\\corpsrv\shared_.
+
+**Step 4 –** You can use a wildcard (\*) only if you need to exclude user activity on this file
+share. For other data types (_state-in-time_ or _all data_) wildcards are not supported. This refers
+to the specified shared folder, its subfolders and files.
+
+**Step 5 –** Select what type of data you want to exclude:
+
+| Option | Description | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **All Data** | Select if you want to completely exclude the specified file share from being audited. The product will not collect any user activity or state-in-time data. **NOTE:** In this case,Auditor does not adjust audit settings automatically for the selected folders. | A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Thus, s/he configures the product not to monitor this folder at all. |
+| State-in-Time | Select to configure Auditor to exclude data for the state-in-time reports from the monitoring scope. | A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Auditor to collect state-in-time data for this folder. |
+| **User Activity** | Select to exclude actions performed by specific users on the selected file share. See the procedure below for details. **NOTE:** In this case, the product still collects stat-in-time data for this share. | A Security Officer wants to monitor a file share that contains a public folder for which s/he does not want to collect _Read_ operations. |
+
+**Follow the steps to exclude specific user activity.**
+
+**Step 1 –** Specify what user accounts should be excluded:
+
+- All Users — Select to exclude the activity of any user on the file share you specified.
+- These users— Select to exclude specific users' activity. Provide user names as shown in the
+ "_Who_" column in reports and Activity Summaries, e.g., _MyDomain\user1_. To enter multiple
+ accounts, use comma as a separator.
+
+**Step 2 –** Specify what actions should be excluded:
+
+- All actions — Exclude all actions of the selected users
+- These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_.
+
+
+
+**Step 3 –** After configuring all filters, click **Add** to save them and return to the item
+settings.
+
+### Working with DFS File Shares
+
+Netwrix Auditor supports auditing of DFS and clustered file servers if Object Access Auditing is
+enabled on DFS file shares or on every cluster node.
+
+- When adding a cluster file server for auditing, it is recommended to specify a server name of the
+ **Role** server or a UNC path of the shared folder located on the **Role** server.
+- When adding a DFS file share for auditing, specify a Windows file share item and provide the UNC
+ path of the whole namespace or UNC path of the DFS link (folder). For example:
+ - _"\\domain\dfsnamespace\"_ (domain-based namespace) or _"\\server\dfsnamespace\"_ (in case of
+ stand-alone namespace);
+ - _"\\domain\dfsnamespace\link"_ (domain-based namespace) or _"\\server\dfsnamespace\link"_ (in
+ case of stand-alone namespace).
+- For recommendations on configuring DFS replication, refer to
+ [this Knowledge Base article](https://www.netwrix.com/kb/2103).
+
+### Working with Mount Points
+
+You can specify a mount point as a monitored item. However, consider the following:
+
+- If a mount point represents a shared folder, then the objects in its root will be initially
+ collected by Netwrix Auditor and appear as processed by _System_ account. Wait for the next data
+ collections - then all actions for these objects will be monitored in a normal way.
+- To monitor the mount points targeted at the subfolder of a file share, provide network path to the
+ target subfolder.
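Review bot: in the Syntax column of the omit-list table the examples sit inside code spans but still carry backslash escapes ("*,,\\\\*\\System Volume Information*", "*,,CORP\\jsmith,*,*,", "\\\\productionserver1.corp.local\\builds\\*"), and escapes are not processed inside a code span, so these render with four and two literal backslashes. Anyone copying them into the .txt files gets a pattern that differs from the UNC and "Who" formats this same file tells them to use (\\corpsrv\shared, MyDomain\user1); write the examples unescaped inside the backticks. The omiterrors.txt row also has a stray run of six backticks between "Monitoring plan name," and "server name", which breaks the code span. The guideline "You can use \* for cmdlets and their parameters" does not fit these files, none of whose fields is a cmdlet, and the omitstorelist.txt row refers to "Change Type" and "Property Name" fields while its syntax string names the first one "action". The "## Windows File Share" section duplicates the one in windowsfileserver.md, leaves the description cell for "Specify the account for collecting data" empty, and starts "Configure Scope" at Step 3. Because entries in omitreportlist.txt and omitstorelist.txt keep a named user's activity out of reports and the Audit Archive, a sentence on who should have write access to the File Server Auditing folder would be a useful addition.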
diff --git a/docs/auditor/10.8/admin/monitoringplans/fileservers/windowsfileserver.md b/docs/auditor/10.8/admin/monitoringplans/fileservers/windowsfileserver.md
new file mode 100644
index 0000000000..ee05a6068a
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/fileservers/windowsfileserver.md
@@ -0,0 +1,223 @@
+---
+title: "Windows File Server"
+description: "Windows File Server"
+sidebar_position: 10
+---
+
+# Windows File Server
+
+**NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in
+the following topics:
+
+- [Protocols and Ports Required](/docs/auditor/10.8/requirements/ports.md) – To ensure successful data
+ collection and activity monitoring configure necessary protocols and ports for inbound and
+ outbound connections
+- [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to
+ audit your IT systems
+
+## Windows File Share
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | |
+| Specify Windows file share | Provide UNC path to a shared resource. See the section below for special considerations. Do not specify a default file share mapped to a local drive (e.g., \\Server\e$). |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information. |
+| Scope | |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. See the Configure Scope topic for additional information on how to narrow your monitoring scope. By default, Netwrix Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). If you want to monitor user-defined hidden shares, select the related option in the monitored item settings. Remember that administrative hidden shares like default system root or Windows directory (ADMIN$), default drive shares (D$, E$), etc. will not be monitored. See the topics on the monitored items for details. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.8/admin/monitoringplans/overview.md)topic for additional information. |
+
+### Configure Scope
+
+You can narrow your monitoring scope by adding exclusions.
+
+Click Add Exclusion. Then, in the Specify Filters dialog, do the following:
+
+**Step 1 –** Provide the path to the file share where you are going to exclude some audit data. Use
+the path format as it appears in the "_What_" column of reports and Activity Summaries — for
+example, _\\corpsrv\shared_.
+
+**Step 2 –** You can use a wildcard (\*) only if you need to exclude user activity on this file
+share. For other data types (_state-in-time_ or _all data_) wildcards are not supported. This refers
+to the specified shared folder, its subfolders and files.
+
+**Step 3 –** Select what type of data you want to exclude:
+
+| Option | Description | Example |
+| ----------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **All Data** | Select if you want to completely exclude the specified file share from being audited. The product will not collect any user activity or state-in-time data. **NOTE:** In this case,Auditor does not adjust audit settings automatically for the selected folders. | A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Thus, s/he configures the product not to monitor this folder at all. |
+| State-in-Time | Select to configure Auditor to exclude data for the state-in-time reports from the monitoring scope. | A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Auditor to collect state-in-time data for this folder. |
+| **User Activity** | Select to exclude actions performed by specific users on the selected file share. See the procedure below for details. **NOTE:** In this case, the product still collects stat-in-time data for this share. | A Security Officer wants to monitor a file share that contains a public folder for which s/he does not want to collect _Read_ operations. |
+
+**Follow the steps to exclude specific user activity.**
+
+**Step 1 –** Specify what user accounts should be excluded:
+
+- All Users — Select to exclude the activity of any user on the file share you specified.
+- These users— Select to exclude specific users' activity. Provide user names as shown in the
+ "_Who_" column in reports and Activity Summaries, e.g., _MyDomain\user1_. To enter multiple
+ accounts, use comma as a separator.
+
+**Step 2 –** Specify what actions should be excluded:
+
+- All actions — Exclude all actions of the selected users
+- These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_.
+
+
+
+**Step 3 –** After configuring all filters, click **Add** to save them and return to the item
+settings.
+
+### Working with DFS File Shares
+
+Netwrix Auditor supports auditing of DFS and clustered file servers if Object Access Auditing is
+enabled on DFS file shares or on every cluster node.
+
+- When adding a cluster file server for auditing, it is recommended to specify a server name of the
+ **Role** server or a UNC path of the shared folder located on the **Role** server.
+- When adding a DFS file share for auditing, specify a Windows file share item and provide the UNC
+ path of the whole namespace or UNC path of the DFS link (folder). For example:
+ - _"\\domain\dfsnamespace\"_ (domain-based namespace) or _"\\server\dfsnamespace\"_ (in case of
+ stand-alone namespace);
+ - _"\\domain\dfsnamespace\link"_ (domain-based namespace) or _"\\server\dfsnamespace\link"_ (in
+ case of stand-alone namespace).
+- For recommendations on configuring DFS replication, refer to
+ [this Knowledge Base article](https://www.netwrix.com/kb/2103).
+
+### Working with Mount Points
+
+You can specify a mount point as a monitored item. However, consider the following:
+
+- If a mount point represents a shared folder, then the objects in its root will be initially
+ collected by Netwrix Auditor and appear as processed by _System_ account. Wait for the next data
+ collections - then all actions for these objects will be monitored in a normal way.
+- To monitor the mount points targeted at the subfolder of a file share, provide network path to the
+ target subfolder.
+
+## AD Container
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | |
+| Specify AD container | Specify a whole AD domain, OU or container. Click **Browse** to select from the list of containers in your network. You can also: - Select a particular computer type to be audited within the chosen AD container: **Domain controllers, Servers (excluding domain controllers)**, or **Workstations**. - Click **Exclude** to specify AD domains, OUs, and containers you do not want to audit. In the Exclude Containers dialog, click Add and specify an object. The list of containers does not include child domains of trusted domains. Use other options **(Computer, IP range** to specify the target computers. |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. If using a group Managed Service Account (gMSA), you can specify only the account name in the _domain\account$_ format. Password field can be empty. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information. Refer to the [Permissions for Active Directory Auditing](/docs/auditor/10.8/configuration/activedirectory/permissions.md) topic for more information on using Netwrix Privilege Secure as an account for data collection. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the[Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. |
+| Containers and Computers | |
+| Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. Depending on the type of the object you want to exclude, select one of the following: - Add AD Container – Browse for a container to be excluded from being audited. You can select a whole AD domain, OU or container. - Add Computer – Provide the name of the computer you want to exclude as shown in the "_Where_" column of reports and Activity Summaries. For example, _backupsrv01.mydomain.local_. Wildcards (\*) are not supported. In addition to the restrictions for a monitoring plan, you can use the \*.txt files to collect more granular audit data. Note that the new monitoring scope restrictions apply together with previous exclusion settings configured in the \*.txt files. See the [Monitoring Plans](/docs/auditor/10.8/admin/monitoringplans/overview.md)topic for additional information. |
+
+## IP Range
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | |
+| Specify IP range | Specify an IP range for the audited computers. To exclude computers from within the specified range, click **Exclude**. Enter the IP subrange you want to exclude, and click **Add**. |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select **Custom account** and enter credentials. The credentials are case sensitive. A custom account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. |
+| Scope | |
+| Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. |
+
+## Computer
+
+For evaluation purposes, Netwrix recommends selecting Computer as an item for a monitoring plan.
+Once the product is configured to collect data from the specified items, audit settings (including
+Core and Compression services installation) will be applied to all computers within AD Container or
+IP Range.
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| General | |
+| Specify a computer | Provide a server name by entering its FQDN, NETBIOS or IPv4 address. You can click Browse to select a computer from the list of computers in your network. |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.8/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information. |
+| Scope | |
+| Monitor hidden shares | By default, Auditor will monitor all shares stored in the specified location, except for hidden shares (both default and user-defined). Select **Monitor user-defined hidden shares** if necessary. Even when this option is selected, the product will not collect data from administrative hidden shares such as: default system root or Windows directory (ADMIN$), default drive shares (D$, E$, etc.), shares used by printers to enable remote administration (PRINT$), etc. |
+| Specify monitoring restrictions | Specify restriction filters to narrow your monitoring scope (search results, reports and Activity Summaries). All filters are applied using AND logic. |
+
+### Configure Scope
+
+By default, both user activity and state-in-time data will be collected for the monitored item.
+However, you can narrow your monitoring scope by specifying certain locations, user accounts or
+actions to exclude .
+
+
+
+Click Add Exclusion, then follow the steps in the Specify Filters dialog:
+
+**Step 1 –** Provide the path to the file share where you are going to exclude some audit data. Use
+the path format as it appears in the "_What_" column of reports and Activity Summaries — for
+example, _\\corpsrv\shared_.
+
+You can use a wildcard (\*) only if you need to exclude user activity on this file share. For other
+data types (_state-in-time_ or _all data_) wildcards are not supported. This refers to the specified
+shared folder, its subfolders and files.
+
+**Step 2 –** Select what type of data you want to exclude:
+
+| Option | Description | Example |
+| ----------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| **All Data** | Select if you want to completely exclude the specified file share from being audited. The product will not collect any user activity or state-in-time data. In this case,Netwrix Auditor does not adjust audit settings automatically for the selected folders. | A Security Officer wants to monitor a file share but s/he does not have access to a certain folder on this share. Thus, s/he configures the product not to monitor this folder at all. |
+| State-in-Time | Select to configure Netwrix Auditor to exclude data for the state-in-time reports from the monitoring scope. | A Security Officer wants to monitor a file share, but it contains a folder with a huge amount of objects, so s/he does not want Netwrix Auditor to collect state-in-time data for this folder. |
+| **User Activity** | Select to exclude actions performed by specific users on the selected file share. See the procedure below for details. In this case, the product still collects stat-in-time data for this share. | A Security Officer wants to monitor a file share that contains a public folder for which s/he does not want to collect _Read_ operations. |
+
+Follow the steps to exclude specific user activity.
+
+**Step 1 –** Specify what user accounts should be excluded:
+
+- All Users — Select to exclude the activity of any user on the file share you specified.
+- These users — Select to exclude specific users' activity. Provide user names as shown in the
+ "_Who_" column in reports and Activity Summaries, e.g., _MyDomain\user1_. To enter multiple
+ accounts, use comma as a separator.
+
+**Step 2 –** Specify what actions should be excluded:
+
+- All actions — Exclude all actions of the selected users
+- These actions — Use the drop-down list to select the actions to exclude, e.g. _Added_ and _Moved_
+
+
+
+After configuring all filters, click **Add** to save them and return to the item settings.
+
+## Use Netwrix Privilege Secure as a Data Collecting Account
+
+Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for
+collecting data, after configuring the integration. See the
+[Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information about
+integration and supported data sources. In this case, the credentials will not be stored by Netwrix
+Auditor. Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring
+password rotation or using temporary accounts for data collection.
+
+Follow the steps to use Netwrix Privilege Secure as an account for data collection.
+
+**Step 1 –** Select the desired item.
+
+**Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data
+collection.
+
+
+
+**Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure.
+Credential-based is the default option. Refer to the
+[Netwrix Privilege Secure](https://helpcenter.netwrix.com/category/privilegesecure_accessmanagement)
+documentation to learn more about Access Policies.
+
+In this case, you need to provide the username of the account managed by Netwrix Privilege Secure,
+and to which Netwrix Auditor has the access through a Credential-based access policy.
+
+**NOTE:** Netwrix recommends using different credentials for different monitoring plans and data
+sources.
+
+
+
+The second option is Resource-based. To use this option, you need to provide the Activity and
+Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure
+that you specified the same names as in Netwrix Privilege Secure.
+
+The Resource name in this case is where the activity will be performed. For example, if you grant
+the data collecting account the access to a local Administrators group - the resource is the server
+where the permission will be granted.
+
+Netwrix Privilege Secure is ready to use as an account for data collection.
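Review bot: The Configure Scope table has visible typos. The User Activity row says "stat-in-time data" (should be "state-in-time"), and the All Data row has "In this case,Netwrix Auditor" with no space after the comma. The intro paragraph also ends with "actions to exclude ." with a stray space before the period, and State-in-Time is the only one of the three options not in bold. Under "## Computer", the second sentence says audit settings "will be applied to all computers within AD Container or IP Range" without saying what that means for a single Computer item; spell out the contrast it is meant to draw. In Step 1 of the exclusion procedure, "This refers to the specified shared folder, its subfolders and files" has no clear subject. Tie it to the exclusion path explicitly, because readers need to know that an exclusion also covers everything beneath the folder and is therefore left unaudited.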
diff --git a/docs/auditor/10.8/admin/monitoringplans/finetune.md b/docs/auditor/10.8/admin/monitoringplans/finetune.md
new file mode 100644
index 0000000000..3fda03684b
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/finetune.md
@@ -0,0 +1,38 @@
+---
+title: "Fine-Tune Your Plan and Edit Settings"
+description: "Fine-Tune Your Plan and Edit Settings"
+sidebar_position: 210
+---
+
+# Fine-Tune Your Plan and Edit Settings
+
+At any time, you can review your plan settings and fine-tune Audit Database, notification and data
+collection settings.
+
+To modify most plan settings, you must be assigned the Global administrator role in the product or
+the Configurator role on the plan. The Global reviewer or this plan's Reviewer can modify Activity
+Summary recipients. See the [Role-Based Access and Delegation](/docs/auditor/10.8/admin/monitoringplans/delegation.md) topic for additional
+information.
+
+Follow the steps to edit your plan settings:
+
+**Step 1 –** Select a plan in the All Monitoring Plans list and click Edit.
+
+**Step 2 –** In the right pane, select Edit settings.
+
+**Step 3 –** In the Plan Settings page, review the tabs and modify the settings.
+
+| Option | Description |
+| -------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| General | |
+| Name Description | Update a plan name or its description. |
+| Data Collection | |
+| Specify the account for collecting data - Not specified - User/Password - gMSA | Specify a new user name and a password for the account that Auditor will use to collect data. Make sure the account has sufficient permissions to collect data. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information about the rights and permissions, and instructions on how to configure them. |
+| Audit Database | |
+| Disable security intelligence and make data available only in activity summaries | Keep this checkbox cleared if you want Auditor to write data to the Audit Database. |
+| Use default SQL Server settings | Select this checkbox to write data to a SQL Server instance with connection parameters as shown in **Settings** > **Audit Database**. See the [Audit Database](/docs/auditor/10.8/admin/settings/auditdatabase.md) topic for additional information. |
+| Specify custom connection parameters | Specify this option to use non-default settings (e.g., use a different authentication method or user). Make sure to store data on the same SQL Server instance. Otherwise some data may become unavailable for search and reporting. |
+| Notifications | |
+| Specify Activity Summary delivery schedule | Configure how often you want to receive an Activity Summary. By default, it is delivered once a day, at 3 AM. You can specify custom delivery time and frequency (e.g., every 6 hours starting 12 AM — at 12 AM, 6 AM, 12 PM, 6 PM). |
+| Customize notifications | By default, Activity Summary lists changes and activity in email body. For most data sources, if an Activity Summaries contains more than 1,000 activity records, these records are sent as a CSV attachment, bigger attachments are compressed in ZIP files. - Attach Activity Summary as a CSV file — You can configure Auditor to always send emails with attachments instead of listing activity and changes in email body. - Compress attachment before sending — You can configure Auditor to always compress attachments in a ZIP file, irrespective of its size and number of activity records. |
+| Specify the recipients who will receive daily activity summaries | Modify a list of users who will receive daily activity summaries. Click Add Recipient and provide email address. |
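Review bot: The Data Collection row packs the choices into the option cell ("Specify the account for collecting data - Not specified - User/Password - gMSA"), but the description only covers entering a user name and a password. Say what "Not specified" does and what to enter for gMSA, and move the choices into the description as a list. The "Name Description" cell likewise runs two field names together. The "Disable security intelligence and make data available only in activity summaries" row only says to keep the checkbox cleared; state what happens when it is selected, so nobody turns off writing to the Audit Database without realising it. In the Customize notifications row, "if an Activity Summaries contains" should read "if an Activity Summary contains", and the comma before "bigger attachments are compressed" should be a period or semicolon.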
diff --git a/docs/auditor/10.8/admin/monitoringplans/grouppolicy/_category_.json b/docs/auditor/10.8/admin/monitoringplans/grouppolicy/_category_.json
new file mode 100644
index 0000000000..eaf7189e31
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/grouppolicy/_category_.json
@@ -0,0 +1,10 @@
+{
+ "label": "Group Policy",
+ "position": 100,
+ "collapsed": true,
+ "collapsible": true,
+ "link": {
+ "type": "doc",
+ "id": "overview"
+ }
+}
\ No newline at end of file
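Review bot: The link target is the bare id "overview", while the doc it should open lives at docs/auditor/10.8/admin/monitoringplans/grouppolicy/overview.md and the same patch links to a second overview.md under /docs/auditor/10.8/configuration/grouppolicy/. Please confirm the id resolves to the monitoring plan page and not another overview doc, or use an unambiguous id. The file also ends without a trailing newline; add one.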
diff --git a/docs/auditor/10.8/admin/monitoringplans/grouppolicy/overview.md b/docs/auditor/10.8/admin/monitoringplans/grouppolicy/overview.md
new file mode 100644
index 0000000000..ecf833ea5e
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/grouppolicy/overview.md
@@ -0,0 +1,85 @@
+---
+title: "Group Policy"
+description: "Group Policy"
+sidebar_position: 100
+---
+
+# Group Policy
+
+**NOTE:** Prior to configuring your monitoring plan, please read and complete the instructions in
+the following topics:
+
+- [Protocols and Ports Required](/docs/auditor/10.8/requirements/ports.md) – To ensure successful data
+ collection and activity monitoring configure necessary protocols and ports for inbound and
+ outbound connections
+- [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) – Configure data collecting accounts as required to
+ audit your IT systems
+
+- [Group Policy](/docs/auditor/10.8/configuration/grouppolicy/overview.md) – Configure data source as required
+ to be monitored
+
+Complete the following fields:
+
+| Option | Description |
+| -------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| Monitor this data source and collect activity data | Enable monitoring of the selected data source and configure Auditor to collect and store audit data. |
+| Prerequisites | Netwrix Auditor will automatically look up additional system components and prompt you to install those that are missing. In case all required components have been already installed, this section will be omitted. See the [Other Components](/docs/auditor/10.8/requirements/software.md#other-components) topic for additional information. |
+| Detect additional details | Specify additional information to include in reports and activity summaries. Select Group membershipif you want to include Group membership of the account under which the change was made. |
+| Specify data collection method | You can enable **network traffic compression.** If enabled, a Compression Service will be automatically launched on the audited computer, collecting and prefiltering data. This significantly improves data transfer and minimizes the impact on the target computer performance. |
+| Configure audit settings | You can adjust audit settings automatically. Your current audit settings will be checked on each data collection and adjusted if necessary. This method is recommended for evaluation purposes in test environments. If any conflicts are detected with your current audit settings, automatic audit configuration will not be performed. Do not select the checkbox if you want to configure audit settings manually. See the [Group Policy](/docs/auditor/10.8/configuration/grouppolicy/overview.md) configuration topic for additional information about audit settings required to collect comprehensive audit data and the instructions on how to configure them. |
+
+Review your data source settings and click **Add** to go back to your plan. The newly created data
+source will appear in the **Data source** list. As a next step, click **Add item** to specify an
+object for monitoring. See the
+[Add Items for Monitoring](/docs/auditor/10.8/admin/monitoringplans/datasources.md#add-items-for-monitoring) topic for additional
+information.
+
+## Domain
+
+Complete the following fields:
+
+| Option | Description |
+| --------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| Specify Active Directory domain | Specify the audited domain name in the FQDN format. For example, "_company.local_". |
+| Specify the account for collecting data | Select the account that will be used to collect data for this item. If you want to use a specific account (other than the one you specified during monitoring plan creation), select account type you want to use and enter credentials. The following choices are available: - User/password. The account must be granted the same permissions and access rights as the default account used for data collection. See the [Data Collecting Account](/docs/auditor/10.8/admin/monitoringplans/dataaccounts.md) topic for additional information. - Group Managed Service Account (gMSA). You should specify only the account name in the domain\account$ format. See the [Use Group Managed Service Account (gMSA)](/docs/auditor/10.8/requirements/gmsa.md) topic for additional information. - Netwrix Privilege Secure. Starting with version 10.7, you can implement the integration between Netwrix Auditor and Netwrix Privilege Secure. See the [Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information. |
+
+## Use Netwrix Privilege Secure as a Data Collecting Account
+
+Starting with version 10.7, you can use Netwrix Privilege Secure to manage the account for
+collecting data, after configuring the integration. See the
+[Netwrix Privilege Secure](/docs/auditor/10.8/admin/settings/privilegesecure.md) topic for additional information about
+integration and supported data sources. In this case, the credentials will not be stored by Netwrix
+Auditor. Instead, they will be managed by Netwrix Privilege Secure and provided on demand, ensuring
+password rotation or using temporary accounts for data collection.
+
+Follow the steps to use Netwrix Privilege Secure as an account for data collection.
+
+**Step 1 –** Select the desired item.
+
+**Step 2 –** In the item configuration menu, select Netwrix Privilege Secure as an option for data
+collection.
+
+
+
+**Step 3 –** Select the type of the Access Policy you want to use in Netwrix Privilege Secure.
+Credential-based is the default option. Refer to the
+[Netwrix Privilege Secure](https://helpcenter.netwrix.com/category/privilegesecure_accessmanagement)
+documentation to learn more about Access Policies.
+
+In this case, you need to provide the username of the account managed by Netwrix Privilege Secure,
+and to which Netwrix Auditor has the access through a Credential-based access policy.
+
+**NOTE:** Netwrix recommends using different credentials for different monitoring plans and data
+sources.
+
+
+
+The second option is Resource-based. To use this option, you need to provide the Activity and
+Resource names, assigned to Netwrix Auditor in the corresponding Resource-based policy. Make sure
+that you specified the same names as in Netwrix Privilege Secure.
+
+The Resource name in this case is where the activity will be performed. For example, if you grant
+the data collecting account the access to a local Administrators group - the resource is the server
+where the permission will be granted.
+
+Netwrix Privilege Secure is ready to use as an account for data collection.
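Review bot: In the "Detect additional details" row, "Select Group membershipif you want" is missing a space after "membership", and in the "Specify data collection method" row the period sits inside the bold markers ("**network traffic compression.**"). In the prerequisite list, the blank line before the "Group Policy" bullet splits one list into two, and that link text is identical to this page's title although it points to the configuration topic; rename it so readers can tell the two apart. The "Use Netwrix Privilege Secure as a Data Collecting Account" section repeats the text of the preceding file in this patch word for word; consider a shared partial so the two copies cannot drift. Within that section, "In this case, you need to provide the username" follows a sentence about the documentation link, so say explicitly that it applies to the Credential-based policy. The Resource-based example ("access to a local Administrators group - the resource is the server") would read better as two sentences.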
diff --git a/docs/auditor/10.8/admin/monitoringplans/grouppolicy/scope.md b/docs/auditor/10.8/admin/monitoringplans/grouppolicy/scope.md
new file mode 100644
index 0000000000..599368ba01
--- /dev/null
+++ b/docs/auditor/10.8/admin/monitoringplans/grouppolicy/scope.md
@@ -0,0 +1,28 @@
+---
+title: "Group Policy Monitoring Scope"
+description: "Group Policy Monitoring Scope"
+sidebar_position: 10
+---
+
+# Group Policy Monitoring Scope
+
+You can fine-tune Netwrix Auditor by specifying data that you want to exclude from the Group Policy
+monitoring scope. To do it, edit the omitobjlist_gp.txt, omitproplist_gp.txt and omituserlist_gp.txt
+files.
+
+Follow the steps to exclude data from the Group Policy monitoring scope:
+
+**Step 1 –** Navigate to the _%Netwrix Auditor installation folder%\Active Directory Auditing_
+folder.
+
+**Step 2 –** Edit the \*.txt files, based on the following guidelines:
+
+- Each entry must be a separate line.
+- A wildcard (\*) is supported. You can use \* for cmdlets and their parameters.
+- Lines that start with the # sign are treated as comments and are ignored.
+
+| File | Description | Syntax |
+| ------------------- | --------------------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------- |
+| omitobjlist_gp.txt | The file contains a list of the Group Policy Object (GPO) names to be excluded from change reports. | `