Reviewing tables in NTM 3.0. Left with tables on the Predefined Investigation page

farzanajafar · farzanajafar · commit c0bce0d23a02 · 2025-07-12T02:19:11.000+05:00
diff --git a/docs/threatmanager/3.0/administration/configuration/threatdetection/threatconfiguration.md b/docs/threatmanager/3.0/administration/configuration/threatdetection/threatconfiguration.md
@@ -20,7 +20,7 @@ The Processing tab contains the configuration options for processing the threat.
 
 ![This screenshot displays the Processing tab.](/img/product_docs/threatmanager/3.0/administration/configuration/processingtab.webp)
 
-General:
+**General:**
 
 - Status – When set to ON, this threat will be detected by Threat Manager. When set to OFF, this
   threat will not be detected by Threat Manager. When a threat status is **OFF**and then set to
@@ -45,7 +45,7 @@ General:
     - Informational – Indicates first-time client use or first-time host use, which can be common
       events but may also indicate a threat
 
-Threat Response:
+**Threat Response:**
 
 Assigning a threat response designates a playbook to automatically be executed immediately when a
 threat of this type is detected.
@@ -56,7 +56,7 @@ threat of this type is detected.
   detected. Select Off to turn off forwarding threat information to a SIEM service.
 - Run Playbook – Select the playbook that will be used to respond to the threat.
 
-Rollup:
+**Rollup:**
 
 **NOTE:** Rollup is not available for all threat types.
 
diff --git a/docs/threatmanager/3.0/administration/investigations/auditcompliance.md b/docs/threatmanager/3.0/administration/investigations/auditcompliance.md
@@ -27,19 +27,19 @@ Every report generated by an investigation query displays the same type of infor
 
 By default, this folder contains the following saved investigations:
 
-| Investigation                          | Description                                                                           | Filters                                                                                                                                                                                                   |
-| -------------------------------------- | ------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| AD Changes                             | All Active Directory changes                                                          | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Change                                                                                            |
-| AD Changes by Domain Admins            | All Active Directory changes by Domain Admins                                         | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Change AND - Attribute 2 = Tag (Effective) - Operator 2 = Equals - Filter 2 = Domain Admin |
-| AD Logins                              | Active Directory logins including Kerberos and NTLM authentication                    | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Authentication                                                                                    |
-| All Events                             | New Investigation                                                                     | No filters set                                                                                                                                                                                            |
-| Confirmed Compromised Account Activity | Occurs when a Confirmed Compromised Account is being active within an Entra ID tenant | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter 1 = Confirmed Compromised                                                                                               |
-| Failed AD Logins                       | All failed Active Directory logins including Kerberos and NTLM authentication         | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Authentication AND - Attribute 2 = Success - Operator 2 = Equals - Filter 2 = false        |
-| Failed Entra ID Logins                 | Occurs when an Entra ID login attempt has failed                                      | Two filter statements set: - Attribute = Event Operation - Operator = Equals - Filter 1 = EntraID Sign-In And - Attribute = Success - Operator = Equals - Filter 2 = False                                |
-| LDAP Search                            | All LDAP search events                                                                | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = LDAP Search                                                                                                        |
-| Privileged Account Activity            | All activity by privileged accounts                                                   | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Privileged                                                                                                            |
-| Risky User Activity                    | Occurs when a Risky User is being active within an Entra ID tenant                    | One filter statement set: Attribute = Tag (Direct) Operator = Equals Filter 1 = At Risk                                                                                                                   |
-| Service Account Activity               | All activity by service accounts                                                      | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Service Account                                                                                                       |
-| Watchlist User Activity                | All activity by watchlist users                                                       | One filter statement set: - Attribute = Tag (Effective) - Operator = Equals - Filter = Watchlist                                                                                                          |
+| Investigation | Description | Filters |
+| --- | --- | --- |
+| AD Changes | All Active Directory changes | One filter statement set: <br /><ul><li>Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter = Active Directory Change</li></ul> |
+| AD Changes by Domain Admins | All Active Directory changes by Domain Admin>s | Two filter statements set: <br /><ul><li> Attribute 1 = Event Operation</li><li>Operator 1 = Equals</li><li>Filter 1 = Active Directory Change <br />AND <br /></li><li>Attribute 2 = Tag (Effective)</li><li>Operator 2 = Equals</li><li>Filter 2 = Domain Admin</li></ul> |
+| AD Logins | Active Directory logins including Kerberos and NTLM authentication | One filter statement set: <br /><ul><li> Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter = Active Directory Authentication</li></ul> |
+| All Events | New Investigation | No filters set |
+| Confirmed Compromised Account Activity | Occurs when a Confirmed Compromised Account is being active within an Entra ID tenant | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter 1 = Confirmed Compromised</li></ul> |
+| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set: <br /><ul><li>Attribute 1 = Event Operation</li><li>Operator 1 = Equals</li><li>Filter 1 = Active Directory Authentication <br />AND <br /></li><li>Attribute 2 = Success</li><li>Operator 2 = Equals</li><li>Filter 2 = false</li></ul> |
+| Failed Entra ID Logins | Occurs when an Entra ID login attempt has failed | Two filter statements set: <br /><ul><li>Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter 1 = EntraID Sign-In <br />And <br /></li><li> Attribute = Success</li><li>Operator = Equals</li><li>Filter 2 = False</li></ul> |
+| LDAP Search | All LDAP search events | One filter statement set: <br /><ul><li>Attribute = Event Operation</li><li> Operator = Equals</li><li>Filter = LDAP Search</li></ul> |
+| Privileged Account Activity | All activity by privileged accounts | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter = Privileged</li></ul> |
+| Risky User Activity  | Occurs when a Risky User is being active within an Entra ID tenant | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter 1 = At Risk</li></ul> |
+| Service Account Activity | All activity by service accounts | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter = Service Account</li></ul> |
+| Watchlist User Activity | All activity by watchlist users | One filter statement set: <br /><ul><li>Attribute = Tag (Effective)</li><li>Operator = Equals</li><li>Filter = Watchlist</li></ul> |
 
 You can save additional investigations to this folder.
diff --git a/docs/threatmanager/3.0/administration/investigations/favorites.md b/docs/threatmanager/3.0/administration/investigations/favorites.md
@@ -30,14 +30,14 @@ pane. Click the investigation there to open it.
 
 There is an empty star icon beside the name of an investigation not identified as a favorite.
 
-![Empty star showing that investigation is not a favorite](/img/product_docs/threatprevention/7.5/reportingmodule/investigations/favoriteselectedtm.webp)
+![Empty star showing that investigation is not a favorite](/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteUnselectedTM.webp)
 
 Click the star to add the investigation to your Favorites list.
 
 ## Remove an Investigation from Your Favorites
 
 There is a yellow star icon beside the name of an investigation identified as a favorite.
 
-![Favorite investigation star icon selected](/img/product_docs/threatprevention/7.5/reportingmodule/investigations/favoriteselectedtm.webp)
+![Favorite investigation star icon selected](/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteSelected.webp)
 
 Click the yellow star to remove the investigation from your Favorites list.
diff --git a/docs/threatmanager/3.0/administration/investigations/reports.md b/docs/threatmanager/3.0/administration/investigations/reports.md
@@ -95,7 +95,7 @@ The tab contains two tables:
 - Top Perpetrators
 - Top Targets
 
-Top Perpetrators Table
+**Top Perpetrators Table**
 
 The Top Perpetrators table displays information about the perpetrators associated with the events.
 
@@ -107,7 +107,7 @@ It contains the following columns:
 
 Click the link to view perpetrator details.
 
-Top Targets Table
+**Top Targets Table**
 
 The Top Targets table displays information about targets associated with the events.
 
diff --git a/docs/threatmanager/3.0/install/integration/threatprevention/threatmanagerconfiguration.md b/docs/threatmanager/3.0/install/integration/threatprevention/threatmanagerconfiguration.md
@@ -10,7 +10,7 @@ The Netwrix Threat Manager Configuration window is a global setting to enable in
 Threat Prevention and Threat Manager. This window is only available to Threat Prevention
 administrators.
 
-Threat Manager App Token
+**Threat Manager App Token**
 
 The Threat Manager App Token authenticates connection between Threat Prevention and Threat Manager.
 This token is generated in Threat Manager:
diff --git a/docs/threatmanager/3.0/install/overview.md b/docs/threatmanager/3.0/install/overview.md
@@ -15,18 +15,18 @@ The Threat Manager installer is packaged with four executable files.
 
 **CAUTION:** The PostgreSQL database must be installed before installing Threat Manager.
 
-Netwrix_Setup.exe
+**Netwrix_Setup.exe**
 
 This executable starts a setup launcher containing buttons to install the PostgreSQL database and
 the application. The launcher installs these components on the same server. See the installation
 details for each components below.
 
-NetwrixPostgreSQL14.exe
+**NetwrixPostgreSQL14.exe**
 
 This executable is for installing the PostgreSQL database on a different server from the
 application.
 
-NetwrixThreatManager.exe
+**NetwrixThreatManager.exe**
 
 This executable is for installing the application and its services:
 
@@ -48,7 +48,7 @@ The following prerequisites will be installed if they are not present:
 - VC++ redist v14.28.29914
 - Python v3.10.8x64
 
-NetwrixThreatManager.ActionService.exe
+**NetwrixThreatManager.ActionService.exe**
 
 This executable is for installing the Netwrix Threat Manager Action Service on additional servers.
 
diff --git a/docs/threatmanager/3.0/install/upgrade/upgrade.md b/docs/threatmanager/3.0/install/upgrade/upgrade.md
@@ -27,11 +27,11 @@ must be compatible.
 Threat Manager, but it is recommended to upgrade it in order to take full advantage of the new
 features.
 
-| Netwrix Activity Monitor Version | Compatibility with Threat Manager v3.0                                                                                                                                                                                                                                                       |
-| -------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| 7.1                              | Fully compatible for monitoring of: - File System Data - Active Directory Data - Microsoft Entra ID Data Threat Manager also supports file copy event type and file size information. **NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported  |
-| 7.0                              | Fully compatible for monitoring of: - File System Data - Active Directory Data - Microsoft Entra ID Data Threat Manager also supports file copy event type and file size information. **NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported. |
-| 6.0                              | Fully compatible for monitoring of: - File system Data - Active Directory Data Threat Manager also supports file copy event type and file size information. **NOTE:** SharePoint, SharePoint Online, Exchange Online, Microsoft Entra ID, Linux, and SQL monitoring are not supported        |
+| Netwrix Activity Monitor Version | Compatibility with Threat Manager v3.0  |
+| --- | --- |
+| 7.1 | Fully compatible for monitoring of: <br /><ul><li>File System Data</li><li>Active Directory Data</li><li>Microsoft Entra ID Data</li></ul> Threat Manager also supports file copy event type and file size information. <br />**NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported  |
+| 7.0 | Fully compatible for monitoring of: <br /><ul><li>File System Data</li><li>Active Directory Data</li><li>Microsoft Entra ID Data</li></ul> Threat Manager also supports file copy event type and file size information. <br />**NOTE:** SharePoint, SharePoint Online, Exchange Online, Linux, and SQL monitoring are not supported. |
+| 6.0 | Fully compatible for monitoring of: <br /><ul><li>File system Data</li><li>Active Directory Data</li></ul> Threat Manager also supports file copy event type and file size information. <br />**NOTE:** SharePoint, SharePoint Online, Exchange Online, Microsoft Entra ID, Linux, and SQL monitoring are not supported |
 
 ## Threat Manager Services
 
diff --git a/docs/threatmanager/3.0/requirements/actionservice.md b/docs/threatmanager/3.0/requirements/actionservice.md
@@ -21,15 +21,15 @@ Additionally the server must meet these requirements:
 
 - US English language installation
 
-RAM, CPU, and Disk Space
+**RAM, CPU, and Disk Space**
 
 Minimum hardware requirements:
 
 - 4 GB RAM
 - 1 CPU Core
 - 500 MB Total Disk Space
 
-Additional Server Requirements
+**Additional Server Requirements**
 
 The following are additional requirements for the application server:
 
diff --git a/docs/threatmanager/3.0/requirements/database.md b/docs/threatmanager/3.0/requirements/database.md
@@ -19,7 +19,7 @@ Additionally the server must meet these requirements:
 
 - US English language installation
 
-Additional Server Requirements
+**Additional Server Requirements**
 
 The following are additional requirements for the database server:
 
@@ -28,7 +28,7 @@ The following are additional requirements for the database server:
 - ASP.NET Core 8.0.11
 - VC++ redist v14.28.29914
 
-Additional Considerations
+**Additional Considerations**
 
 The following considerations must be accommodated for:
 
diff --git a/docs/threatmanager/3.0/requirements/overview.md b/docs/threatmanager/3.0/requirements/overview.md
@@ -15,7 +15,7 @@ exceptions are covered.
 
 The following servers are required for installation of the application:
 
-Core Component
+**Core Component**
 
 - Threat Manager Database Server – This is where the Threat Manager PostgreSQL database is
   installed.
@@ -34,7 +34,7 @@ See the following topics for server requirements:
 - [Client Requirements](/docs/threatmanager/3.0/requirements/client.md)
 - [Ports Requirements](/docs/threatmanager/3.0/requirements/ports.md)
 
-Target Environment Considerations
+**Target Environment Considerations**
 
 The target environment encompasses all servers, devices, or infrastructure being monitored by
 Netwrix Threat Prevention or Netwrix Activity Monitor in addition to data collected by Netwrix
diff --git a/docs/threatmanager/3.0/requirements/server.md b/docs/threatmanager/3.0/requirements/server.md
@@ -20,7 +20,7 @@ Additionally the server must meet these requirements:
 
 - US English language installation
 
-RAM, CPU, and Disk Space
+**RAM, CPU, and Disk Space**
 
 These are dependent upon the total number of daily events sent to Threat Manager. It is suggested to
 use the total events for a peak day of the week, by activity.
@@ -60,7 +60,7 @@ Minimum hardware requirements:
 
 - 150 GB Disk Space
 
-Additional Server Requirements
+**Additional Server Requirements**
 
 The following are additional requirements for the application server:
 
@@ -70,7 +70,7 @@ The following are additional requirements for the application server:
 - VC++ redist v14.28.29914
 - Python v3.10.8x64
 
-Additional Considerations when Database is on the Application Server
+**Additional Considerations when Database is on the Application Server**
 
 The following considerations must be accommodated for:
 
@@ -81,7 +81,7 @@ The following considerations must be accommodated for:
 - Disk Defragmentation jobs should never be performed on the drive containing Threat Manager
   PostgreSQL database. This can cause operational issues with the PostgreSQL database.
 
-Permissions for Installation and Application Use
+**Permissions for Installation and Application Use**
 
 The following permissions are required to install and use the application:
 
diff --git a/docs/threatmanager/3.0/threats/activedirectory.md b/docs/threatmanager/3.0/threats/activedirectory.md
diff --git a/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteSelected.webp b/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteSelected.webp
diff --git a/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteUnselectedTM.webp b/static/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteUnselectedTM.webp
