netwrix
diff --git a/‎docs/threatmanager/3.0/administration/configuration/threatdetection/threatconfiguration.md‎
Lines changed: 3 additions & 3 deletions b/‎docs/threatmanager/3.0/administration/configuration/threatdetection/threatconfiguration.md‎
Lines changed: 3 additions & 3 deletions
diff --git a/‎docs/threatmanager/3.0/administration/investigations/auditcompliance.md‎
Lines changed: 16 additions & 16 deletions b/‎docs/threatmanager/3.0/administration/investigations/auditcompliance.md‎
Lines changed: 16 additions & 16 deletions
diff --git a/‎docs/threatmanager/3.0/administration/investigations/favorites.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/threatmanager/3.0/administration/investigations/favorites.md‎
Lines changed: 2 additions & 2 deletions
@@ -20,7 +20,7 @@ The Processing tab contains the configuration options for processing the threat.
 
 ![This screenshot displays the Processing tab.](/img/product_docs/threatmanager/3.0/administration/configuration/processingtab.webp)
 
-General:
+**General:**
 
 - Status – When set to ON, this threat will be detected by Threat Manager. When set to OFF, this
   threat will not be detected by Threat Manager. When a threat status is **OFF**and then set to
@@ -45,7 +45,7 @@ General:
     - Informational – Indicates first-time client use or first-time host use, which can be common
       events but may also indicate a threat
 
-Threat Response:
+**Threat Response:**
 
 Assigning a threat response designates a playbook to automatically be executed immediately when a
 threat of this type is detected.
@@ -56,7 +56,7 @@ threat of this type is detected.
   detected. Select Off to turn off forwarding threat information to a SIEM service.
 - Run Playbook – Select the playbook that will be used to respond to the threat.
 
-Rollup:
+**Rollup:**
 
 **NOTE:** Rollup is not available for all threat types.
 
 
@@ -27,19 +27,19 @@ Every report generated by an investigation query displays the same type of infor
 
 By default, this folder contains the following saved investigations:
 
-| Investigation                          | Description                                                                           | Filters                                                                                                                                                                                                   |
-| -------------------------------------- | ------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
-| AD Changes                             | All Active Directory changes                                                          | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Change                                                                                            |
-| AD Changes by Domain Admins            | All Active Directory changes by Domain Admins                                         | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Change AND - Attribute 2 = Tag (Effective) - Operator 2 = Equals - Filter 2 = Domain Admin |
-| AD Logins                              | Active Directory logins including Kerberos and NTLM authentication                    | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = Active Directory Authentication                                                                                    |
-| All Events                             | New Investigation                                                                     | No filters set                                                                                                                                                                                            |
-| Confirmed Compromised Account Activity | Occurs when a Confirmed Compromised Account is being active within an Entra ID tenant | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter 1 = Confirmed Compromised                                                                                               |
-| Failed AD Logins                       | All failed Active Directory logins including Kerberos and NTLM authentication         | Two filter statements set: - Attribute 1 = Event Operation - Operator 1 = Equals - Filter 1 = Active Directory Authentication AND - Attribute 2 = Success - Operator 2 = Equals - Filter 2 = false        |
-| Failed Entra ID Logins                 | Occurs when an Entra ID login attempt has failed                                      | Two filter statements set: - Attribute = Event Operation - Operator = Equals - Filter 1 = EntraID Sign-In And - Attribute = Success - Operator = Equals - Filter 2 = False                                |
-| LDAP Search                            | All LDAP search events                                                                | One filter statement set: - Attribute = Event Operation - Operator = Equals - Filter = LDAP Search                                                                                                        |
-| Privileged Account Activity            | All activity by privileged accounts                                                   | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Privileged                                                                                                            |
-| Risky User Activity                    | Occurs when a Risky User is being active within an Entra ID tenant                    | One filter statement set: Attribute = Tag (Direct) Operator = Equals Filter 1 = At Risk                                                                                                                   |
-| Service Account Activity               | All activity by service accounts                                                      | One filter statement set: - Attribute = Tag (Direct) - Operator = Equals - Filter = Service Account                                                                                                       |
-| Watchlist User Activity                | All activity by watchlist users                                                       | One filter statement set: - Attribute = Tag (Effective) - Operator = Equals - Filter = Watchlist                                                                                                          |
-
-You can save additional investigations to this folder.
+| Investigation | Description | Filters |
+| --- | --- | --- |
+| AD Changes | All Active Directory changes | One filter statement set: <br /><ul><li>Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter = Active Directory Change</li></ul> |
+| AD Changes by Domain Admins | All Active Directory changes by Domain Admin>s | Two filter statements set: <br /><ul><li> Attribute 1 = Event Operation</li><li>Operator 1 = Equals</li><li>Filter 1 = Active Directory Change</li></ul><p>AND</p><ul><li>Attribute 2 = Tag (Effective)</li><li>Operator 2 = Equals</li><li>Filter 2 = Domain Admin</li></ul> |
+| AD Logins | Active Directory logins including Kerberos and NTLM authentication | One filter statement set: <br /><ul><li> Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter = Active Directory Authentication</li></ul> |
+| All Events | New Investigation | No filters set |
+| Confirmed Compromised Account Activity | Occurs when a Confirmed Compromised Account is being active within an Entra ID tenant | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter 1 = Confirmed Compromised</li></ul> |
+| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set: <br /><ul><li>Attribute 1 = Event Operation</li><li>Operator 1 = Equals</li><li>Filter 1 = Active Directory Authentication</li></ul><p>AND</p><ul><li>Attribute 2 = Success</li><li>Operator 2 = Equals</li><li>Filter 2 = false</li></ul> |
+| Failed Entra ID Logins | Occurs when an Entra ID login attempt has failed | Two filter statements set: <br /><ul><li>Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter 1 = EntraID Sign-In</li></ul><p>AND</p><ul><li> Attribute = Success</li><li>Operator = Equals</li><li>Filter 2 = False</li></ul> |
+| LDAP Search | All LDAP search events | One filter statement set: <br /><ul><li>Attribute = Event Operation</li><li> Operator = Equals</li><li>Filter = LDAP Search</li></ul> |
+| Privileged Account Activity | All activity by privileged accounts | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter = Privileged</li></ul> |
+| Risky User Activity  | Occurs when a Risky User is being active within an Entra ID tenant | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter 1 = At Risk</li></ul> |
+| Service Account Activity | All activity by service accounts | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter = Service Account</li></ul> |
+| Watchlist User Activity | All activity by watchlist users | One filter statement set: <br /><ul><li>Attribute = Tag (Effective)</li><li>Operator = Equals</li><li>Filter = Watchlist</li></ul> |
+
+You can save additional investigations to this folder.
@@ -30,14 +30,14 @@ pane. Click the investigation there to open it.
 
 There is an empty star icon beside the name of an investigation not identified as a favorite.
 
-![Empty star showing that investigation is not a favorite](/img/product_docs/threatprevention/7.5/reportingmodule/investigations/favoriteselectedtm.webp)
+![Empty star showing that investigation is not a favorite](/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteUnselectedTM.webp)
 
 Click the star to add the investigation to your Favorites list.
 
 ## Remove an Investigation from Your Favorites
 
 There is a yellow star icon beside the name of an investigation identified as a favorite.
 
-![Favorite investigation star icon selected](/img/product_docs/threatprevention/7.5/reportingmodule/investigations/favoriteselectedtm.webp)
+![Favorite investigation star icon selected](/img/product_docs/threatmanager/3.0/administration/investigations/FavoriteSelected.webp)
 
 Click the yellow star to remove the investigation from your Favorites list.