netwrix · jeremymoskowitz-netwrix · Oct 29, 2025 · Oct 29, 2025 · Oct 31, 2025 · Nov 3, 2025
diff --git a/.claude/settings.local.json b/.claude/settings.local.json
@@ -86,4 +86,4 @@
     ],
     "deny": []
   }
-}
+}
diff --git a/.vscode/settings.json b/.vscode/settings.json
@@ -51,4 +51,4 @@
   "files.exclude": {
     "**/.docusaurus": true
   }
-}
+}
diff --git a/README.md b/README.md
@@ -399,3 +399,4 @@ Create a PR to the dev branch, and then main when ready for production.
 ## 📄 License
 
 This documentation site is MIT licensed and open source, and is maintained by Netwrix Corporation.
+
diff --git a/context7.json b/context7.json
@@ -8,3 +8,4 @@
   "rules": [],
   "previousVersions": []
 }
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "overview"
   }
-}
+}
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "overview"
   }
-}
+}
@@ -134,3 +134,4 @@ Follow the steps to delete a custom alert.
 prompting you to confirm the deletion of the alert.
 
 **Step 4 –** Click **Yes**. The alert is deleted from the system.
+
@@ -107,3 +107,4 @@ organization admins by email.
 
 You may also link to a third-party ticketing system. See the
 [Third-party systems](/docs/1secure/integration/overview.md) topic for additional information.
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "overview"
   }
-}
+}
@@ -103,3 +103,4 @@ one or more filters at a time.
     - 7 Days
     - 30 Days
     - 90 Days
+
@@ -100,3 +100,4 @@ by User report.
 ## Organization Configuration
 
 Click the Configure button to navigate to the configuration page of the organization.
+
@@ -126,3 +126,4 @@ Organizations list.
     - 30 Days
     - 90 Days
     - 365 Days
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "overview"
   }
-}
+}
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "activedirectoryauditing"
   }
-}
+}
@@ -44,3 +44,4 @@ initiator (user) name in the "_Who_" field of reports, search results and activi
 For more information on gMSA, refer to [Using Group Managed Service Account (gMSA)](/docs/1secure/admin/datacollection/gmsa.md)
 and to
 [Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
+
@@ -49,3 +49,4 @@ Programs → Exchange Management Shell**.
         `<Path_To_SetAALExcludedCmdlets_File>.\SetAALExcludedCmdlets.ps1`
 
     Make sure your policies allow script execution.
+
@@ -21,3 +21,4 @@ Perform this procedure only if the account selected for data collection is not a
     `New-ManagementRoleAssignment -Name "AuditLogsNetwrixRole" -User Corp\jsmith -Role "Audit Logs"`
 
     In this example, the user CORP\jsmith has been assigned the **Audit Logs** role.
+
@@ -59,3 +59,4 @@ Enter. The group policy will be updated.
 domain controllers.
 
 **Step 9 –** Ensure that new GPO settings applied on any audited domain controller.
+
@@ -34,3 +34,4 @@ press **Enter**. The group policy will be updated.
 domain controllers.
 
 **Step 9 –** Ensure that new GPO settings applied on any audited domain controller.
+
@@ -36,3 +36,4 @@ permissions for the **Deleted Objects** container in the **corp.local** domain.
 let this user view the contents of the **Deleted Objects** container, but do not let this user make
 any changes to objects in this container. These permissions are equivalent to the default
 permissions that are granted to the **Domain Admins** group.
+
@@ -71,3 +71,4 @@ press Enter. The group policy will be updated.
 domain controllers.
 
 **Step 13 –** Ensure that new GPO settings were applied to the domain controllers.
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "overview"
   }
-}
+}
@@ -61,3 +61,4 @@ domain controllers.
 **Step 9 –** Ensure that new GPO settings applied on any audited domain controller.
 
 The policy is now configured.
+
@@ -35,3 +35,4 @@ information on gMSA, see the following:
 
 On the **Netwrix Cloud Agent**'s host, the gMSA account must be a member of the local Administrators
 group.
+
@@ -23,3 +23,4 @@ Support for modern authentication will allow you to audit the organizations wher
 all users, including service accounts. See the
 [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md)
 topic for additional information.
+
@@ -15,3 +15,4 @@ Entra ID application, formerly Azure AD. This app should be created manually by
 administrative role and assigned required permissions. See the
 [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md)
 topic for additional information.
+
@@ -95,3 +95,4 @@ To create a new gMSA in the root domain using PowerShell:
 
 To learn about the data collecting account, which collects data from the monitored items, go
 to [Data Collecting Account](/docs/1secure/admin/datacollection/overview.md) article.
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "overview"
   }
-}
+}
@@ -33,3 +33,4 @@ Do the following:
 
 [Assigning Permission To Read the Registry Key](/docs/1secure/admin/datacollection/activedirectoryauditing/permissionsregistrykeys.md) how
 to do it using Registry Editor.
+
@@ -19,3 +19,4 @@ required:
   the Domain Admins group or non-administrative account. See
   [Configure Non-Administrative Account to Collect Logon Activity ](/docs/1secure/admin/datacollection/logonactivity/nondomainadmin.md)for more
   information;
+
@@ -31,4 +31,4 @@ The Netwrix 1Secure data collection workflow is as follows:
 
 **Step 2 –** Install the agent. See the [Install Agent](docs\1secure\install\installagent.md) topic for additional information.
 
-Once you have added the organization and selected the domain for collecting the data, Netwrix 1Secure starts collecting audit data from the managed Active Directory, Azure AD domain, a computer, an Exchange Online, or a SharePoint Online collection.
+Once you have added the organization and selected the domain for collecting the data, Netwrix 1Secure starts collecting audit data from the managed Active Directory, Azure AD domain, a computer, an Exchange Online, or a SharePoint Online collection.
@@ -38,3 +38,4 @@ assigned required permissions. This app will allow you to collect activity. See
 topic for additional information.
 
 ##
+
@@ -28,3 +28,4 @@ Netwrix 1Secure Website is the presentation layer of the product that retrieves
 SQL database and presents it to users. Users can access this web portal with their corporate
 credentials using Azure AD Authentication (OAuth 2.0). Data is retrieved via API calls made on the
 user's behalf.
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "login"
   }
-}
+}
@@ -110,3 +110,4 @@ click **Continue**. The Enter Your Password page is displayed.
 **Step 7 –** Click the **Reset Password** button. The password of the account has been reset.
 
 Once you have reset your account password, log in to 1Secure with your new credentials.
+
@@ -140,3 +140,4 @@ It is recommended to copy these settings and keep them safe.
 - Directory (tenant) ID – A tenant ID for the registered application
 - Client Secret – A client secret value generated when a new client secret key is created for the
   registered application. See the [Generate Client Secret Value](/docs/1secure/configuration/registerconfig/registerconfig.md#generate-client-secret-value) topic for additional information.
+
@@ -23,3 +23,4 @@ Follow the steps to review notifications.
 ![notifications](/images/1secure/admin/notifications.webp)
 
 **Step 3 –** Select **Fix**.
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "overview"
   }
-}
+}
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "addingusers"
   }
-}
+}
@@ -234,3 +234,4 @@ A dialog box is displayed, prompting you to confirm the deletion of the user.
 **Step 5 –** Click **Yes**.
 
 The user is deleted.
+
@@ -134,3 +134,4 @@ This table explains the functionality that each role can perform on an organizat
 | Turn on/off subscription | Yes | No              | Yes                       |
 | Delete subscription      | Yes | No              | Yes                       |
 | Go to related report     | Yes | No              | Yes                       |
+
@@ -85,3 +85,4 @@ information.
 organization.
 
 The organization is now added.
+
@@ -90,3 +90,4 @@ Follow the steps to view the site for the organization.
   organization
 
 **Step 3 –** You can edit or delete the site by clicking the **Edit** or **Bin** icon.
+
@@ -80,3 +80,4 @@ settings. See the
 [Add a Source and Connectors for Microsoft Entra ID](/docs/1secure/admin/organizations/sourcesandconnectors/entraid.md) or
 [Add a Source and Connectors for Active Directory](/docs/1secure/admin/organizations/sourcesandconnectors/activedirectory.md) topics
 for additional information.
+
@@ -23,3 +23,4 @@ Organization page.
 - You can enable MFA, configure reports branding and adjust other settings for your organization on
   this page.
 - You can also delete your organization and wipe all of the data here.
+
@@ -24,3 +24,4 @@ You can delete a credential if no sources are using those credentials.
 
 
 ![credentials](/images/1secure/admin/organizations/credentials.webp)
+
@@ -79,3 +79,4 @@ A dialog box is displayed, prompting you to confirm the deletion of the group.
 **Step 3 –** Click **Yes**.
 
 The organization group is deleted from the system.
+
@@ -37,3 +37,4 @@ See the following topics for additional information:
 - [Add Users](/docs/1secure/admin/organizations/addingusers/addingusers.md)
 - [Sources and Connectors](/docs/1secure/admin/organizations/sourcesandconnectors/overview.md)
 - [ Manage Credentials ](/docs/1secure/admin/organizations/managingcredentials.md)
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "overview"
   }
-}
+}
@@ -109,3 +109,4 @@ Directory. Specufy the following:
 **Step 11 –** Click **Finish**.
 
 The Active Directory data source and connector(s) have been configured.
+
@@ -124,3 +124,4 @@ the following:
 **Step 10 –** Click **Finish**.
 
 The Computer data source and connector have been configured.
+
@@ -84,3 +84,4 @@ ID. Specify the following:
 **Step 8 –** Click **Finish**.
 
 The Microsoft Entra ID data source and connector(s) have been configured.
+
@@ -79,3 +79,4 @@ Specify the following:
 **Step 8 –** Click **Finish**.
 
 The Exchange Online data source and connector have been configured.
+
@@ -27,3 +27,4 @@ Before adding a data source, make sure its prerequisites are met. See the
 additional information.
 
 :::
+
@@ -114,3 +114,4 @@ Online. Specify the following:
 **Step 8 –** Click **Finish**.
 
 The SharePoint Online data source and connector(s) have been configured.
+
@@ -97,3 +97,4 @@ generate logon reports on SQL Server data. See the
 **Step 11 –** Click **Finish**.
 
 The SQL Server data source and connector have been configured.
+
@@ -50,3 +50,4 @@ dashboards with the data applicable to your organization. These includes the fol
   days
 
 To get back to the organization tabs, click **Configure** on the upper right of the page.
+
@@ -15,3 +15,4 @@ Major benefits:
 - Detect system alerts — on premises and in the cloud
 - Increase productivity of IT Managed Service Provider team
 - Providing overall reports based on the search parameters
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "riskprofiles"
   }
-}
+}
@@ -31,3 +31,4 @@ certain profiles if they have been modified.
 | Expired Domain Registrations Found (Binary)                                 | Expired domains can be used for any attack vector that exploits an organization’s identity, such as account takeovers or phishing campaigns. Monitoring domain registration for the organization can help detect and alert on attempts to exploit this attack path.                                                                                                                                                                                                                                                                                                                                                                                                                                                |
 | MS Graph Powershell Service Principal Assignment Not Enforced (Binary)      | Checks if the assignment for MsGraph Powershell is required. By default, Azure tenants allow all users to access Microsoft Graph PowerShell Module. This allows any authenticated user or guest the ability to abuse Dangerous Default Permissions, as well as enumerate the entire tenant.                                                                                                                                                                                                                                                                                                                                                                                                                        |
 | Third-Party Applications Allowed (Binary)                                   | Third-party integrated applications are allowed to run in the organization's Office 365 environment if you authorize them to do so. This configuration is considered insecure because a user may grant permissions to a malicious application without fully understanding the security implications. A user who installs a malicious third-party application is in effect compromised. Additionally, there are documented cases of a malicious actor gaining access to sensitive information by enticing a user to allow a third-party integrated application to run within their O365 Tenant.                                                                                                                     |
+
@@ -314,3 +314,4 @@ one if needed.
 [Add a Subscription](/docs/1secure/admin/searchandreports/subscriptions.md#add-a-subscription) topic for additional
 information on adding a subscription, starting at Step 6. Remember to select the Include Low Risks
 check box if you want to include low risks in the report.
+
@@ -236,3 +236,4 @@ settings. This button is enabled if the default settings have been modified.
 **Step 8 –** Click **Save**.
 
 The risk metric is added back to the risk profile.
+
@@ -125,3 +125,4 @@ that lists the managed organizations defined in 1Secure.
 prompting you to confirm the deletion.
 
 **Step 4 –** Click **Yes**. The risk profile is deleted from the system.
+
@@ -7,4 +7,4 @@
     "type": "doc",
     "id": "overview"
   }
-}
+}
@@ -156,3 +156,4 @@ For options displayed in the Operator drop-down menu, see the
 You can subscribe to Activity reports to receive them automatically via email, or have them uploaded
 to a specified folder in SharePoint Online. See the [Subscriptions](/docs/1secure/admin/searchandreports/subscriptions.md) topic for
 additional information.
+
@@ -118,3 +118,4 @@ This table provides a list of filters and descriptions.
 | Succeeded   | Whether you specify False or True in the Value column, you will see successful (True) or non-succesful (False) actions in the system.                                                                                                                                                                                                                            |
 | Tags        | Narrow your search to specific tags. For example, if you have the linked tags "Account Disabled", "User Account Status Change", the search system will look into the activities with these tags, The tags are linked to the Netwrix 1Secure by default.                                                                                                          |
 | Time of Day | Limits your search to specific time period by hours. For example, you can narrow your search to a period less than 12:00 AM.                                                                                                                                                                                                                                     |
+
@@ -39,3 +39,4 @@ the left pane to view its All Self Audit Activity report.
 You can apply more filters if required. Select a filter, operator, and value, then click **Search**.
 The report displays data based on the applied filters.
 Y
+
@@ -63,3 +63,4 @@ This table provides a list of filters and descriptions.
 | Account     | Limits your search to a specific account. Account is an instance of a user, specific to a source. For example:<br /> User = John.Smith <br /> Account = AD User: John.Smith / Azure User: John.Smith |
 | User        | Limits your search to a specific user.                                                                                                                                                  |
 | Source Type | Specify the source type of the user: <br /><ul><li>AD User</li><li>Azure User</li><li>Windows Local User</li></ul>                                                                                                        |
+
@@ -128,3 +128,4 @@ This table provides a list of filters and descriptions.
 | Sensitive Data Types                              | Lists the documents based on the sensitive data type they contain. Available data types are:<br /><ul><li>PII</li><li>Financial Records</li><li>GDPR Restricted</li><li>GDPR</li><li>GLBA</li><li>HIPAA</li><li>PCI DSS</li><li>PHI</li><li>CCPA</li><li>CMMC</li><li>Credentials</li></ul>                                                                                                                                                                                                                                                                                                                                                                                                         |
 | Sensitive Data Criteria                           | Lists the documents based on a sensitive data criteria. Each data type (e.g., PII) may have multiple data criteria, like PII >> Denmark, PII >> French passport, PII >> France, and so on.                                                                                                                                                                                                                                                                                                                                                                                                                         |
 | Sensitivity Label                                 | Lists the documents based on a sensitivity label. For example, if you specify a label named "sensitive", it lists all the documents with that label. Sensitivity labels are applied to documents on the basis of the settings configured for the SharePoint Online Data Classification connector in the SharePoint Online data source. See step 7 in the [Add a Source and Connectors for SharePoint Online](/docs/1secure/admin/organizations/sourcesandconnectors/sharepointonline.md) topic for additional information.                                                                                                          |
+
@@ -104,3 +104,4 @@ by different icons, enabling you to distinguish between them.
 **Delete**.
 
 The custom report is deleted from the system.
+
@@ -53,3 +53,4 @@ based on it. See the [Apply Filters](/docs/1secure/admin/searchandreports/applyf
 
 **Step 4 –** Click **Export**. The investigation results report is sent to you as an .xlsx file by
 email.
+
-Original file line number
+Diff line change
@@ Expand Up / @@ -86,4 +86,4 @@ @@
         ],
         "deny": []
       }
-    }
+    }
Original file line number	Diff line number	Diff line change
Expand Up		@@ -399,3 +399,4 @@ Create a PR to the dev branch, and then main when ready for production.
		## 📄 License

		This documentation site is MIT licensed and open source, and is maintained by Netwrix Corporation.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -134,3 +134,4 @@ Follow the steps to delete a custom alert.
		prompting you to confirm the deletion of the alert.

		Step 4 – Click Yes. The alert is deleted from the system.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -107,3 +107,4 @@ organization admins by email.

		You may also link to a third-party ticketing system. See the
		[Third-party systems](/docs/1secure/integration/overview.md) topic for additional information.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -103,3 +103,4 @@ one or more filters at a time.
		- 7 Days
		- 30 Days
		- 90 Days
Original file line number	Diff line number	Diff line change
Expand Up		@@ -100,3 +100,4 @@ by User report.
		## Organization Configuration

		Click the Configure button to navigate to the configuration page of the organization.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -126,3 +126,4 @@ Organizations list.
		- 30 Days
		- 90 Days
		- 365 Days
Original file line number	Diff line number	Diff line change
Expand Up		@@ -44,3 +44,4 @@ initiator (user) name in the "_Who_" field of reports, search results and activi
		For more information on gMSA, refer to [Using Group Managed Service Account (gMSA)](/docs/1secure/admin/datacollection/gmsa.md)
		and to
		[Microsoft documentation](https://docs.microsoft.com/en-us/windows-server/security/group-managed-service-accounts/group-managed-service-accounts-overview).
Original file line number	Diff line number	Diff line change
Expand Up		@@ -49,3 +49,4 @@ Programs → Exchange Management Shell**.
		`<Path_To_SetAALExcludedCmdlets_File>.\SetAALExcludedCmdlets.ps1`

		Make sure your policies allow script execution.
Original file line number	Diff line number	Diff line change
Expand Up		@@ -21,3 +21,4 @@ Perform this procedure only if the account selected for data collection is not a
		`New-ManagementRoleAssignment -Name "AuditLogsNetwrixRole" -User Corp\jsmith -Role "Audit Logs"`

		In this example, the user CORP\jsmith has been assigned the Audit Logs role.