diff --git a/docs/threatmanager/3.0/administration/configuration/threatdetection/threatconfiguration.md b/docs/threatmanager/3.0/administration/configuration/threatdetection/threatconfiguration.md index 7a8aaabcef..7cb0201c6f 100644 --- a/docs/threatmanager/3.0/administration/configuration/threatdetection/threatconfiguration.md +++ b/docs/threatmanager/3.0/administration/configuration/threatdetection/threatconfiguration.md @@ -20,7 +20,7 @@ The Processing tab contains the configuration options for processing the threat. ![This screenshot displays the Processing tab.](/img/product_docs/threatmanager/3.0/administration/configuration/processingtab.webp) -General: +**General:** - Status – When set to ON, this threat will be detected by Threat Manager. When set to OFF, this threat will not be detected by Threat Manager. When a threat status is **OFF**and then set to @@ -45,7 +45,7 @@ General: - Informational – Indicates first-time client use or first-time host use, which can be common events but may also indicate a threat -Threat Response: +**Threat Response:** Assigning a threat response designates a playbook to automatically be executed immediately when a threat of this type is detected. @@ -56,7 +56,7 @@ threat of this type is detected. detected. Select Off to turn off forwarding threat information to a SIEM service. - Run Playbook – Select the playbook that will be used to respond to the threat. -Rollup: +**Rollup:** **NOTE:** Rollup is not available for all threat types. diff --git a/docs/threatmanager/3.0/administration/investigations/auditcompliance.md b/docs/threatmanager/3.0/administration/investigations/auditcompliance.md index d3d81c432e..1a6464b94d 100644 --- a/docs/threatmanager/3.0/administration/investigations/auditcompliance.md +++ b/docs/threatmanager/3.0/administration/investigations/auditcompliance.md 
@@ -27,19 +27,19 @@ Every report generated by an investigation query displays the same type of infor By default, this folder contains the following saved investigations: -| Investigation | Description | Filters | -| -------------------------------------- | ------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| AD Changes | All Active Directory changes | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Change | -| AD Changes by Domain Admins | All Active Directory changes by Domain Admins | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Change AND - Attribute 2 = Tag (Effective) - Operator 2 = Equals - Filter 2 = Domain Admin | -| AD Logins | Active Directory logins including Kerberos and NTLM authentication | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Authentication | -| All Events | New Investigation | No filters set | -| Confirmed Compromised Account Activity | Occurs when a Confirmed Compromised Account is being active within an Entra ID tenant | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter 1 = Confirmed Compromised | -| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Authentication AND - Attribute 2 = Success - Operator 2 = Equals - Filter 2 = false | -| Failed Entra ID Logins | Occurs when an Entra ID login attempt has failed | Two filter statements set: - Attribute = Event Operation - Operator = Equals - Filter 1 = EntraID Sign-In And - Attribute = 
Success - Operator = Equals - Filter 2 = False | -| LDAP Search | All LDAP search events | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = LDAP Search | -| Privileged Account Activity | All activity by privileged accounts | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Privileged | -| Risky User Activity | Occurs when a Risky User is being active within an Entra ID tenant | One filter statement set: Attribute = Tag (Direct) Operator = Equals Filter 1 = At Risk | -| Service Account Activity | All activity by service accounts | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Service Account | -| Watchlist User Activity | All activity by watchlist users | One filter statement set: - Attribute = Tag (Effective) - Operator = Equals - Filter = Watchlist | - -You can save additional investigations to this folder. +| Investigation | Description | Filters | +| --- | --- | --- | +| AD Changes | All Active Directory changes | One filter statement set:
| +| AD Changes by Domain Admins | All Active Directory changes by Domain Admin>s | Two filter statements set:

AND

| +| AD Logins | Active Directory logins including Kerberos and NTLM authentication | One filter statement set:
| +| All Events | New Investigation | No filters set | +| Confirmed Compromised Account Activity | Occurs when a Confirmed Compromised Account is being active within an Entra ID tenant | One filter statement set:
| +| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set:

AND

| +| Failed Entra ID Logins | Occurs when an Entra ID login attempt has failed | Two filter statements set:

AND

| +| LDAP Search | All LDAP search events | One filter statement set:
| +| Privileged Account Activity | All activity by privileged accounts | One filter statement set:
| +| Risky User Activity | Occurs when a Risky User is being active within an Entra ID tenant | One filter statement set:
| +| Service Account Activity | All activity by service accounts | One filter statement set:
| +| Watchlist User Activity | All activity by watchlist users | One filter statement set:
| + +You can save additional investigations to this folder. \ No newline at end of file diff --git a/docs/threatmanager/3.0/administration/investigations/favorites.md b/docs/threatmanager/3.0/administration/investigations/favorites.md index 3e5a014b58..237d29efc2 100644 --- a/docs/threatmanager/3.0/administration/investigations/favorites.md +++ b/docs/threatmanager/3.0/administration/investigations/favorites.md @@ -30,7 +30,7 @@ pane. Click the investigation there to open it. There is an empty star icon beside the name of an investigation not identified as a favorite. -![Empty star showing that investigation is not a favorite](/img/product_docs/threatprevention/7.5/reportingmodule/investigations/favoriteselectedtm.webp) +![Empty star showing that investigation is not a favorite](/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteUnselectedTM.webp) Click the star to add the investigation to your Favorites list. @@ -38,6 +38,6 @@ Click the star to add the investigation to your Favorites list. There is a yellow star icon beside the name of an investigation identified as a favorite. -![Favorite investigation star icon selected](/img/product_docs/threatprevention/7.5/reportingmodule/investigations/favoriteselectedtm.webp) +![Favorite investigation star icon selected](/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteSelected.webp) Click the yellow star to remove the investigation from your Favorites list. diff --git a/docs/threatmanager/3.0/administration/investigations/predefinedinvestigations.md b/docs/threatmanager/3.0/administration/investigations/predefinedinvestigations.md index 7966101d4d..baf59298bf 100644 --- a/docs/threatmanager/3.0/administration/investigations/predefinedinvestigations.md +++ b/docs/threatmanager/3.0/administration/investigations/predefinedinvestigations.md 
@@ -33,23 +33,23 @@ as the Predefined Investigations page, scoped to the investigations within that By default, this folder contains the following saved investigations: -| Investigation | Description | Filters | -| -------------------- | ---------------------------------------------- | ------------------------------------------------------------------------------------------------------------- | -| Application Added | Occurs when an a Entra ID Application is added | One filter statement set: - Attribute = Event Sub-Operation - Operator = Equals - Filter = Add application | -| Applications Deleted | Occurs when an a Entra ID Application is added | One filter statement set: - Attribute = Event Sub-Operation - Operator = Equals - Filter = Delete application | -| Applications Deleted | Occurs when an a Entra ID Application is added | One filter statement set: - Attribute = Event Sub-Operation - Operator = Equals - Filter = Update application | +| Investigation | Description | Filters | +| --- | --- | --- | +| Application Added | Occurs when an a Entra ID Application is added | One filter statement set:
| +| Applications Deleted | Occurs when an a Entra ID Application is added | One filter statement set:
| +| Applications Deleted | Occurs when an a Entra ID Application is added | One filter statement set:
| ## Computers Folder By default, this folder contains the following saved investigations: -| Investigation | Description | Filters | -| ------------------------- | ------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Computer Added | Created when a computer is added | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Create AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer | -| Computer Deleted | Created when a computer is deleted | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Delete AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer | -| Computer Disabled | Created when a computer is disabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Disabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer | -| Computer Enabled | Created when a computer is enabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Enabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer | -| Computer Password Changed | Created when a computer password is changed | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Password Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = computer | +| Investigation | Description | Filters | +| --- | --- | --- | +| Computer Added | Created when a computer is added | Two filter statements set:

AND

| +| Computer Deleted | Created when a computer is deleted | Two filter statements set:

AND

| +| Computer Disabled | Created when a computer is disabled | Two filter statements set:

AND

| +| Computer Enabled | Created when a computer is enabled | Two filter statements set:

AND

| +| Computer Password Changed | Created when a computer password is changed | Two filter statements set:

AND

| You can save additional investigations to this folder. @@ -57,13 +57,13 @@ You can save additional investigations to this folder. By default, this folder contains the following saved investigations: -| Investigation | Description | Filters | -| -------------------- | ---------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Group Added | Occurs when a group of any type is created | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Create AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group | -| Group Deleted | Created when a group is removed / deleted | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Delete AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group | -| Group Member Added | Created when a member is added to a group | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Group Members Added AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group | -| Group Member Removed | Created when one or more members of a group are removed | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Group Members Removed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group | -| Group Moved | Occurs when a group is moved from one container to another | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Object Move AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = group | +| Investigation | Description | Filters | +| --- | --- | --- | +| Group Added | Occurs when a group of any type is created | Two filter statements set:

AND

| +| Group Deleted | Created when a group is removed / deleted | Two filter statements set:

AND

| +| Group Member Added | Created when a member is added to a group | Two filter statements set:

AND

| +| Group Member Removed | Created when one or more members of a group are removed | Two filter statements set:

AND

| +| Group Moved | Occurs when a group is moved from one container to another | Two filter statements set:

AND

| You can save additional investigations to this folder. 
@@ -71,13 +71,13 @@ You can save additional investigations to this folder. By default, this folder contains the following saved investigations: -| Investigation | Description | Filters | -| ----------------------------- | ----------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| iNetOrgPeson Account Disabled | Created when an iNetOrgPerson account is disabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Disabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson | -| iNetOrgPeson Account Enabled | Created when an iNetOrgPerson account is enabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Enabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson | -| iNetOrgPeson Added | Created when an iNetOrgPerson User account is added | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Create AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson | -| iNetOrgPeson Deleted | Created when an iNetOrgPerson is deleted | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Delete AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson | -| iNetOrgPeson Password Changed | Created when the password is reset or changed by an administrator | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Password Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = inetOrgPerson | +| Investigation | Description | Filters | +| --- | --- | --- | +| iNetOrgPeson 
Account Disabled | Created when an iNetOrgPerson account is disabled | Two filter statements set:

AND

| +| iNetOrgPeson Account Enabled | Created when an iNetOrgPerson account is enabled | Two filter statements set:

AND

| +| iNetOrgPeson Added | Created when an iNetOrgPerson User account is added | Two filter statements set:

AND

| +| iNetOrgPeson Deleted | Created when an iNetOrgPerson is deleted | Two filter statements set:

AND

| +| iNetOrgPeson Password Changed | Created when the password is reset or changed by an administrator | Two filter statements set:

AND

| You can save additional investigations to this folder. @@ -85,25 +85,25 @@ You can save additional investigations to this folder. By default, this folder contains the following saved investigations: -| Investigation | Description | Filters | -| -------------------------------- | --------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------- | -| Add Eligible Member to Role | Occurs when an Entra ID Member is made eligible to a Role | One filter statement set: - Attribute = Event Sub-Operation - Operator = Equals - Filter = Add eligible member to role | -| Add Member to Role | Occurs when an Entra ID Member is added to a Role | One filter statement set: - Attribute = Event Sub-Operation - Operator = Equals - Filter = Add member to role | -| Remove Eligible Member From Role | Occurs when an Entra ID Member is made not eligible to a Role anymore | One filter statement set: - Attribute = Event Sub-Operation - Operator = Equals - Filter = Remove eligible member from role | -| Remove Memeber from Role | Occurs when an Entra ID Member is removed from a Role | One filter statement set: - Attribute = Event Sub-Operation - Operator = Equals - Filter = Remove member from role | +| Investigation | Description | Filters | +| --- | --- | --- | +| Add Eligible Member to Role | Occurs when an Entra ID Member is made eligible to a Role | One filter statement set:
| +| Add Member to Role | Occurs when an Entra ID Member is added to a Role | One filter statement set:
| +| Remove Eligible Member From Role | Occurs when an Entra ID Member is made not eligible to a Role anymore | One filter statement set:
| +| Remove Memeber from Role | Occurs when an Entra ID Member is removed from a Role | One filter statement set:
| ## Users Folder By default, this folder contains the following saved investigations: -| Investigation | Description | Filters | -| ------------------------------ | ----------------------------------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| User Account Disabled | Created when a user account is disabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Disabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user | -| User Account Enabled | Created when a user account is enabled | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Enabled AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user | -| User Account Locked | Created when a user account is locked | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Locked AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user | -| User Account Unlocked | Created when a user account is unlocked | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Account Unlocked AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user | -| User Password Change | Created when a user performs a password reset | Three filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Active Directory Password Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user AND - Attribute 3 = Perpetrator - Operator 3 = Equals - Filter 3 = nt authority\anonymous logon | -| User Password Reset and 
Change | Created when a user resets their password or when an administrator changes their password | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Password Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user | -| User Primary Group Changed | Created when a user's group is changed typically from Domain Users to another group | Two filter statements set: - Attribute 1 = Event Sub-Operation - Operator 1 = Equals - Filter 1 = Primary Group Changed AND - Attribute 2 = Object Class - Operator 2 = Equals - Filter 2 = user | +| Investigation | Description | Filters | +| --- | --- | --- | +| User Account Disabled | Created when a user account is disabled | Two filter statements set:

AND

| +| User Account Enabled | Created when a user account is enabled | Two filter statements set:

AND

| +| User Account Locked | Created when a user account is locked | Two filter statements set:

AND

| +| User Account Unlocked | Created when a user account is unlocked | Two filter statements set:

AND

| +| User Password Change | Created when a user performs a password reset | Three filter statements set:

AND

AND

| +| User Password Reset and Change | Created when a user resets their password or when an administrator changes their password | Two filter statements set:

AND

| +| User Primary Group Changed | Created when a user's group is changed typically from Domain Users to another group | Two filter statements set:

AND

| You can save additional investigations to this folder. diff --git a/docs/threatmanager/3.0/administration/investigations/reports.md b/docs/threatmanager/3.0/administration/investigations/reports.md index 844f0bcd6e..14dea6f9a1 100644 --- a/docs/threatmanager/3.0/administration/investigations/reports.md +++ b/docs/threatmanager/3.0/administration/investigations/reports.md @@ -95,7 +95,7 @@ The tab contains two tables: - Top Perpetrators - Top Targets -Top Perpetrators Table +**Top Perpetrators Table** The Top Perpetrators table displays information about the perpetrators associated with the events. @@ -107,7 +107,7 @@ It contains the following columns: Click the link to view perpetrator details. -Top Targets Table +**Top Targets Table** The Top Targets table displays information about targets associated with the events. diff --git a/docs/threatmanager/3.0/install/integration/threatprevention/threatmanagerconfiguration.md b/docs/threatmanager/3.0/install/integration/threatprevention/threatmanagerconfiguration.md index 405506232b..f5a604f61a 100644 --- a/docs/threatmanager/3.0/install/integration/threatprevention/threatmanagerconfiguration.md +++ b/docs/threatmanager/3.0/install/integration/threatprevention/threatmanagerconfiguration.md @@ -10,7 +10,7 @@ The Netwrix Threat Manager Configuration window is a global setting to enable in Threat Prevention and Threat Manager. This window is only available to Threat Prevention administrators. -Threat Manager App Token +**Threat Manager App Token** The Threat Manager App Token authenticates connection between Threat Prevention and Threat Manager. This token is generated in Threat Manager: diff --git a/docs/threatmanager/3.0/install/overview.md b/docs/threatmanager/3.0/install/overview.md index 195fbeed60..c31eee9323 100644 --- a/docs/threatmanager/3.0/install/overview.md +++ b/docs/threatmanager/3.0/install/overview.md 
@@ -15,18 +15,18 @@ The Threat Manager installer is packaged with four executable files. **CAUTION:** The PostgreSQL database must be installed before installing Threat Manager. -Netwrix_Setup.exe +**Netwrix_Setup.exe** This executable starts a setup launcher containing buttons to install the PostgreSQL database and the application. The launcher installs these components on the same server. See the installation details for each components below. -NetwrixPostgreSQL14.exe +**NetwrixPostgreSQL14.exe** This executable is for installing the PostgreSQL database on a different server from the application. -NetwrixThreatManager.exe +**NetwrixThreatManager.exe** This executable is for installing the application and its services: @@ -48,7 +48,7 @@ The following prerequisites will be installed if they are not present: - VC++ redist v14.28.29914 - Python v3.10.8x64 -NetwrixThreatManager.ActionService.exe +**NetwrixThreatManager.ActionService.exe** This executable is for installing the Netwrix Threat Manager Action Service on additional servers. diff --git a/docs/threatmanager/3.0/install/upgrade/upgrade.md b/docs/threatmanager/3.0/install/upgrade/upgrade.md index 7cc6fa9c8c..8f068e1873 100644 --- a/docs/threatmanager/3.0/install/upgrade/upgrade.md +++ b/docs/threatmanager/3.0/install/upgrade/upgrade.md 
@@ -27,11 +27,11 @@ must be compatible. Threat Manager, but it is recommended to upgrade it in order to take full advantage of the new features. -| Netwrix Activity Monitor Version | Compatibility with Threat Manager v3.0 | -| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| 7.1 | Fully compatible for monitoring of: - File System Data - Active Directory Data - Microsoft Entra ID Data Threat Manager also supports file copy event type and file size information. **NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported | -| 7.0 | Fully compatible for monitoring of: - File System Data - Active Directory Data - Microsoft Entra ID Data Threat Manager also supports file copy event type and file size information. **NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported. | -| 6.0 | Fully compatible for monitoring of: - File system Data - Active Directory Data Threat Manager also supports file copy event type and file size information. **NOTE:** SharePoint, SharePoint Online, Exchange Online, Microsoft Entra ID, Linux, and SQL monitoring are not supported | +| Netwrix Activity Monitor Version | Compatibility with Threat Manager v3.0 | +| --- | --- | +| 7.1 | Fully compatible for monitoring of:
Threat Manager also supports file copy event type and file size information.
**NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported | +| 7.0 | Fully compatible for monitoring of:
Threat Manager also supports file copy event type and file size information.
**NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported. | +| 6.0 | Fully compatible for monitoring of:
Threat Manager also supports file copy event type and file size information.
**NOTE:** SharePoint, SharePoint Online, Exchange Online, Microsoft Entra ID, Linux, and SQL monitoring are not supported | ## Threat Manager Services diff --git a/docs/threatmanager/3.0/requirements/actionservice.md b/docs/threatmanager/3.0/requirements/actionservice.md index afe0942a63..9d1b56142e 100644 --- a/docs/threatmanager/3.0/requirements/actionservice.md +++ b/docs/threatmanager/3.0/requirements/actionservice.md @@ -21,7 +21,7 @@ Additionally the server must meet these requirements: - US English language installation -RAM, CPU, and Disk Space +**RAM, CPU, and Disk Space** Minimum hardware requirements: @@ -29,7 +29,7 @@ Minimum hardware requirements: - 1 CPU Core - 500 MB Total Disk Space -Additional Server Requirements +**Additional Server Requirements** The following are additional requirements for the application server: diff --git a/docs/threatmanager/3.0/requirements/database.md b/docs/threatmanager/3.0/requirements/database.md index 95c443c7b2..d8eef6c74c 100644 --- a/docs/threatmanager/3.0/requirements/database.md +++ b/docs/threatmanager/3.0/requirements/database.md @@ -19,7 +19,7 @@ Additionally the server must meet these requirements: - US English language installation -Additional Server Requirements +**Additional Server Requirements** The following are additional requirements for the database server: @@ -28,7 +28,7 @@ The following are additional requirements for the database server: - ASP.NET Core 8.0.11 - VC++ redist v14.28.29914 -Additional Considerations +**Additional Considerations** The following considerations must be accommodated for: diff --git a/docs/threatmanager/3.0/requirements/overview.md b/docs/threatmanager/3.0/requirements/overview.md index 926aedd1a8..643ffded72 100644 --- a/docs/threatmanager/3.0/requirements/overview.md +++ b/docs/threatmanager/3.0/requirements/overview.md 
@@ -15,7 +15,7 @@ exceptions are covered. The following servers are required for installation of the application: -Core Component +**Core Component** - Threat Manager Database Server – This is where the Threat Manager PostgreSQL database is installed. @@ -34,7 +34,7 @@ See the following topics for server requirements: - [Client Requirements](/docs/threatmanager/3.0/requirements/client.md) - [Ports Requirements](/docs/threatmanager/3.0/requirements/ports.md) -Target Environment Considerations +**Target Environment Considerations** The target environment encompasses all servers, devices, or infrastructure being monitored by Netwrix Threat Prevention or Netwrix Activity Monitor in addition to data collected by Netwrix diff --git a/docs/threatmanager/3.0/requirements/server.md b/docs/threatmanager/3.0/requirements/server.md index a582646aba..cdf13e3163 100644 --- a/docs/threatmanager/3.0/requirements/server.md +++ b/docs/threatmanager/3.0/requirements/server.md @@ -20,7 +20,7 @@ Additionally the server must meet these requirements: - US English language installation -RAM, CPU, and Disk Space +**RAM, CPU, and Disk Space** These are dependent upon the total number of daily events sent to Threat Manager. It is suggested to use the total events for a peak day of the week, by activity. @@ -60,7 +60,7 @@ Minimum hardware requirements: - 150 GB Disk Space -Additional Server Requirements +**Additional Server Requirements** The following are additional requirements for the application server: @@ -70,7 +70,7 @@ The following are additional requirements for the application server: - VC++ redist v14.28.29914 - Python v3.10.8x64 -Additional Considerations when Database is on the Application Server +**Additional Considerations when Database is on the Application Server** The following considerations must be accommodated for: 
@@ -81,7 +81,7 @@ The following considerations must be accommodated for: - Disk Defragmentation jobs should never be performed on the drive containing Threat Manager PostgreSQL database. This can cause operational issues with the PostgreSQL database. -Permissions for Installation and Application Use +**Permissions for Installation and Application Use** The following permissions are required to install and use the application: diff --git a/docs/threatmanager/3.0/threats/activedirectory.md b/docs/threatmanager/3.0/threats/activedirectory.md index 61f2c19a62..182a4846aa 100644 --- a/docs/threatmanager/3.0/threats/activedirectory.md +++ b/docs/threatmanager/3.0/threats/activedirectory.md 
@@ -6,31 +6,23 @@ sidebar_position: 10 # Active Directory Threats -The following threats are monitored for Active Directory: +The following threats are monitored for Active Directory. definition of each threat is given below. ## AdminSDHolder ACL Tampering -| AdminSDHolder ACL Tampering | | -| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker's permission on a protected object the AdminSDHolder controls. | + Modifying the Access Control List (ACL) of the AdminSDHolder container in Active Directory enables an attacker to achieve and maintain persistence in an already compromised domain, even if an administrator finds and removes the attacker's permission on a protected object the AdminSDHolder controls. ## AS-REP Roasted Users -| AS-REP Roasted Users | | -| -------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Definition** | AS-REP roasting is a technique that allows retrieving password hashes for users that have 'Do not require Kerberos pre-authentication' property selected. Those hashes can then be cracked offline. | + AS-REP roasting is a technique that allows retrieving password hashes for users that have 'Do not require Kerberos pre-authentication' property selected. Those hashes can then be cracked offline. 
## DCShadow -| DCShadow | | -| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | DCShadow is a feature of Mimikatz and a technique for elevating a regular workstation account to a domain controller and executing malicious replication against the domain. DCShadow can set arbitrary attributes within Active Directory. | + DCShadow is a feature of Mimikatz and a technique for elevating a regular workstation account to a domain controller and executing malicious replication against the domain. DCShadow can set arbitrary attributes within Active Directory. ## DC Sync -| DC Sync | | -| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Definition | Replication from a non-domain controller account can be evidence of a Mimikatz DCSync attack. Performing a DCSync remotely extracts the NTLM password hash for the account that is the target of the attack. | + Replication from a non-domain controller account can be evidence of a Mimikatz DCSync attack. Performing a DCSync remotely extracts the NTLM password hash for the account that is the target of the attack. **NOTE:** The domain monitoring policy must be configured to exclude domain controllers. See the [Integration with Other Netwrix Products](/docs/threatmanager/3.0/install/integration/overview.md) topic for additional 
@@ -38,121 +30,86 @@ information. ## Domain Backup Key Compromise -| Domain Backup Key Compromise | | -| ---------------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | The Data Protection API (DPAPI) is used by Windows to encrypt user secrets such as saved credentials, browser cookies, website passwords, and other sensitive information. For computers joined to an Active Directory domain, secrets protected by the DPAPI are also encrypted with a domain backup key. This key is stored in Active Directory and enables recovery of DPAPI-protected secrets should the user lose their own backup key. Because the domain backup key cannot be rotated, its exposure is a significant event. | +The Data Protection API (DPAPI) is used by Windows to encrypt user secrets such as saved credentials, browser cookies, website passwords, and other sensitive information. For computers joined to an Active Directory domain, secrets protected by the DPAPI are also encrypted with a domain backup key. This key is stored in Active Directory and enables recovery of DPAPI-protected secrets should the user lose their own backup key. Because the domain backup key cannot be rotated, its exposure is a significant event. 
## Exposed Administrative Credentials -| Exposed Administrative Credentials | | -| ---------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Highly privileged accounts, groups, and systems have direct or indirect administrative control over the Active Directory forest/domain. Given the sensitive nature of these accounts, they should only be used on domain controllers. Pass-the-Hash attacks are successful because highly privileged credentials are used to access lower security systems. Having access to a privileged user's hash allows attackers to move laterally. This threat aligns to best practices for securing Active Directory. If an organization does not enforce limiting privileged account access to only Domain Controllers, this threat should remain disabled to eliminate noise. | +Highly privileged accounts, groups, and systems have direct or indirect administrative control over the Active Directory forest/domain. Given the sensitive nature of these accounts, they should only be used on domain controllers. Pass-the-Hash attacks are successful because highly privileged credentials are used to access lower security systems. Having access to a privileged user's hash allows attackers to move laterally. + +This threat aligns to best practices for securing Active Directory. 
If an organization does not enforce limiting privileged account access to only Domain Controllers, this threat should remain disabled to eliminate noise. ## Golden Ticket -| Golden Ticket | | -| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | By obtaining the password hash for the most powerful service account in Active Directory, the KRBTGT account, an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to Active Directory. | +By obtaining the password hash for the most powerful service account in Active Directory, the KRBTGT account, an attacker is able to compromise every account within Active Directory, giving them unlimited and virtually undetectable access to any system connected to Active Directory. ## Forged Ticket -| Forged Ticket | | -| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Forged Tickets provide a way for an attacker to elevate privileges by injecting additional group membership into their Kerberos tickets, giving them more privileges than they actually have in Active Directory. Threat Manager will compare PAC data in authentication to the user's actual group member and generate a threat when it finds a discrepancy. 
| -| Trigger | Perform Authentication using fabricated/invalid tickets with groups present in the authentication Ticket PAC data that does not match the users Active Directory group membership. | +Definition: Forged Tickets provide a way for an attacker to elevate privileges by injecting additional group membership into their Kerberos tickets, giving them more privileges than they actually have in Active Directory. Threat Manager will compare PAC data in authentication to the user's actual group member and generate a threat when it finds a discrepancy. + +Trigger: Perform Authentication using fabricated/invalid tickets with groups present in the authentication Ticket PAC data that does not match the users Active Directory group membership. ## GMSA Password Access -| GMSA Password Access | | -| -------------------- | ---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | The passwords for Group Managed Service Accounts (GMSA) are stored in BLOB format in the msDS-ManagedPassword attribute of the GMSA account object in Active Directory. It is trivial to convert the BLOB to a useable clear text password. It is suspicious for a user to attempt to read this attribute, as only authorized computer accounts should retrieve a GMSA’s password. | +The passwords for Group Managed Service Accounts (GMSA) are stored in BLOB format in the msDS-ManagedPassword attribute of the GMSA account object in Active Directory. It is trivial to convert the BLOB to a useable clear text password. It is suspicious for a user to attempt to read this attribute, as only authorized computer accounts should retrieve a GMSA’s password. 
## GMSA Permissions Assignment -| GMSA Permissions Assignment | | -| --------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Permissions to retrieve passwords for Group Managed Service Accounts (GMSA) are typically granted only to the computer account of each computer running the service. The assignment of privileges to non-computer accounts (e.g. human accounts) can be indicative of an adversary's attempt to compromise the GMSA password. | +Permissions to retrieve passwords for Group Managed Service Accounts (GMSA) are typically granted only to the computer account of each computer running the service. The assignment of privileges to non-computer accounts (e.g. human accounts) can be indicative of an adversary's attempt to compromise the GMSA password. ## Hidden Object -| Hidden Object | | -| ------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Changing object Deny Read or Deny List Contents permissions can effectively hide an Active Directory object as it will not be returned in LDAP queries. This causes the object to avoid monitoring and detection, as service accounts used by these solutions will be unable to query the object. | +Changing object Deny Read or Deny List Contents permissions can effectively hide an Active Directory object as it will not be returned in LDAP queries. 
This causes the object to avoid monitoring and detection, as service accounts used by these solutions will be unable to query the object. ## Honeytoken -| Honeytoken | | -| ---------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Definition | Honeytokens are fake credentials stored in memory. When an attack scans memory they may try to authenticate or query the domain for information about the account. A Honeytoken threat can be generated by two methods: LDAP or Authentication. An authentication Honeytoken threat is generated when a perpetrator attempts to authenticate with a Honeytoken user account. An LDAP Honeytoken threat is generated when a perpetrator performs an LDAP query against a Honeytoken user account. | +Honeytokens are fake credentials stored in memory. When an attack scans memory they may try to authenticate or query the domain for information about the account. A Honeytoken threat can be generated by two methods: LDAP or Authentication. An authentication Honeytoken threat is generated when a perpetrator attempts to authenticate with a Honeytoken user account. An LDAP Honeytoken threat is generated when a perpetrator performs an LDAP query against a Honeytoken user account. 
## Insecure UAC Change -| Insecure UAC Change | | -| ------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Some changes to User Account Control Flags on Active Directory Objects can potentially expose security risks."PASSWD_CANT_CHANGE", "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", and "DONT_REQ_PREAUTH" are particularly risky. | +Some changes to User Account Control Flags on Active Directory Objects can potentially expose security risks."PASSWD_CANT_CHANGE", "TRUSTED_FOR_DELEGATION", "USE_DES_KEY_ONLY", and "DONT_REQ_PREAUTH" are particularly risky. ## Kerberoasting -| Kerberoasting | | -| ------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection. | +Kerberoasting is an attack method that allows an attacker to crack the passwords of service accounts in Active Directory offline and without fear of detection. ## LDAP Reconnaissance -| LDAP Reconnaissance | | -| ------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | When an attacker initially compromises a system on a network, they will have few to no privileges within the domain. 
However, due to the architecture of Active Directory, once an attacker has infiltrated any domain-joined computer, they are able to query the directory and its objects using LDAP, allowing them to locate sensitive accounts and assets to target in their attack. | +When an attacker initially compromises a system on a network, they will have few to no privileges within the domain. However, due to the architecture of Active Directory, once an attacker has infiltrated any domain-joined computer, they are able to query the directory and its objects using LDAP, allowing them to locate sensitive accounts and assets to target in their attack. ## LSASS Process Injection -| LSASS Process Injection | | -| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | LSASS process injection is a deliberate and common method used by a variety of attacks including: Skeleton Key, MemSSP, and SID History Tampering. By injecting code into the lsass.exe process an attacker can scrape the password hashes directly out of process memory. | +LSASS process injection is a deliberate and common method used by a variety of attacks including: Skeleton Key, MemSSP, and SID History Tampering. By injecting code into the lsass.exe process an attacker can scrape the password hashes directly out of process memory. 
## Pass-The-Ticket -| Pass-The-Ticket | | -| --------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Definition | A Pass-the-Ticket event occurs when a user extracts a valid Kerberos ticket from one system and uses it to authenticate from another system. This allows the attacker to compromise a user's account and use it from any domain-joined computer. | +A Pass-the-Ticket event occurs when a user extracts a valid Kerberos ticket from one system and uses it to authenticate from another system. This allows the attacker to compromise a user's account and use it from any domain-joined computer. ## Password Spraying -| Password Spraying | | -| ----------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | -| Definition | Password Spraying indicates an attempt to gain access to credentials by using common passwords against large numbers of accounts while also staying below an organization’s defined lockout threshold. | +Password Spraying indicates an attempt to gain access to credentials by using common passwords against large numbers of accounts while also staying below an organization’s defined lockout threshold. ## Replication Permissions -| Replication Permissions | | -| ----------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Providing a user with replication permissions allows the user to execute domain replication commands against domain controllers. This type of behavior is common with DCSync and DCShadow threats. 
| +Providing a user with replication permissions allows the user to execute domain replication commands against domain controllers. This type of behavior is common with DCSync and DCShadow threats. ## Sensitive Group Changes -| Sensitive Group Changes | | -| ----------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Sensitive Group Changes indicate that the membership of a group containing extremely sensitive permissions has been modified. This includes any Active Directory group with the Sensitive tag in Threat Manager, which includes many standard Active Directory Groups such as: Domain Admins, Enterprise Admins, and Schema Admins. | +Sensitive Group Changes indicate that the membership of a group containing extremely sensitive permissions has been modified. This includes any Active Directory group with the Sensitive tag in Threat Manager, which includes many standard Active Directory Groups such as: Domain Admins, Enterprise Admins, and Schema Admins. ## Service Account Misuse -| Service Account Misuse | | -| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Indicates that a service account was used to log into a machine that is not listed in their service principal names attribute. This threat aligns to best practices for securing Active Directory. 
If an organization does not enforce service accounts to only authenticate to hosts within their servicePrincipalName values, this threat should remain disabled to eliminate noise. | +Indicates that a service account was used to log into a machine that is not listed in their service principal names attribute. + +This threat aligns to best practices for securing Active Directory. If an organization does not enforce service accounts to only authenticate to hosts within their servicePrincipalName values, this threat should remain disabled to eliminate noise. ## SID History Tampering -| SID History Tampering | | -| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | Mimikatz or other tools can be used to inject SID History into user accounts. This allows an account to effectively be given permissions, such as Domain Admin, even though it is not actually a member of Domain Admins. | +Mimikatz or other tools can be used to inject SID History into user accounts. This allows an account to effectively be given permissions, such as Domain Admin, even though it is not actually a member of Domain Admins. ## SPN Assigned to Privileged User -| SPN Assigned to Privileged User | | -| ------------------------------- | ----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| **Definition** | An account is only vulnerable to Kerberoasting attacks if it has a service principal name. Service accounts should not have more privileges than required to perform their function. 
Visit [Netwrix Attack Catalog](https://www.netwrix.com/attack.html) to learn more about this threat. | +An account is only vulnerable to Kerberoasting attacks if it has a service principal name. Service accounts should not have more privileges than required to perform their function. Visit [Netwrix Attack Catalog](https://www.netwrix.com/attack.html) to learn more about this threat. ## Zerologon Exploitation -| Zerologon Exploitation | | -| ---------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Definition | CVE-2020-1472 (a.k.a. "Zerologon") is an elevation of privilege vulnerability that allows an unauthenticated attacker to escalate their privileges to domain administrator by exploiting a flaw in the Netlogon Remote Protocol (MS-NRPC). To exploit this vulnerability, an attacker requires only the ability to communicate over the MS-NRPC protocol to a domain controller. | +CVE-2020-1472 (a.k.a. "Zerologon") is an elevation of privilege vulnerability that allows an unauthenticated attacker to escalate their privileges to domain administrator by exploiting a flaw in the Netlogon Remote Protocol (MS-NRPC). To exploit this vulnerability, an attacker requires only the ability to communicate over the MS-NRPC protocol to a domain controller. diff --git a/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteSelected.webp b/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteSelected.webp new file mode 100644 index 0000000000..54c332a0f2 Binary files /dev/null and b/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteSelected.webp differ 
diff --git a/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteUnselectedTM.webp b/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteUnselectedTM.webp new file mode 100644 index 0000000000..97d51f939c Binary files /dev/null and b/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteUnselectedTM.webp differ
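Review bot: in the @@ -81,7 +81,7 @@ hunk of the install-requirements page, "**Permissions for Installation and Application Use**" is a bolded pseudo-heading that introduces a new section (the next line reads "The following permissions are required to install and use the application:"), so it should be a real markdown heading such as `## Permissions for Installation and Application Use`; a heading is picked up by the sidebar and table of contents and can be deep-linked, whereas bold text cannot.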
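Review bot: the new intro line in the @@ -6,31 +6,23 @@ hunk of activedirectory.md, "The following threats are monitored for Active Directory. definition of each threat is given below.", starts its second sentence with a lowercase word and is missing an article; suggest "The following threats are monitored for Active Directory. A definition of each threat is given below." In the same hunk the replacement paragraphs for AdminSDHolder ACL Tampering, AS-REP Roasted Users, DCShadow and DC Sync are written with a leading space (`+ Modifying the Access Control List (ACL) ...`), while the paragraphs in the following hunk are flush-left; drop the leading space so the whole page is formatted the same way.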
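Review bot: in the @@ -38,121 +30,86 @@ hunk, the Forged Ticket section keeps `Definition:` and `Trigger:` as inline prefixes after the table was removed, while every other section drops the Definition label entirely; either keep the labels consistently across sections or rewrite the trigger as a plain sentence ("Threat Manager generates this threat when ..."). Since these lines are being rewritten anyway, the text carried over from the tables has several defects that should be corrected at the same time: "Perform Authentication" has a stray capital, "the users Active Directory group membership" is missing an apostrophe ("user's"), "the user's actual group member" should read "group membership", "useable" in GMSA Password Access should be "usable", and in Insecure UAC Change `security risks."PASSWD_CANT_CHANGE"` lacks a space after the period. Minor: Golden Ticket now precedes Forged Ticket although the rest of the page is alphabetical.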