diff --git a/docs/1secure/index.md b/docs/1secure/index.md index cae8bf51d6..cbdef52675 100644 --- a/docs/1secure/index.md +++ b/docs/1secure/index.md 
@@ -5,6 +5,21 @@ sidebar_position: 1 --- # Netwrix 1Secure Documentation -Netwrix 1Secure is a simple SaaS application that helps you analyze both on-premises and cloud environments. The application collects data within the IT infrastructure and notifies you on any actions made to the organization. These actions may include account creation or deletion, changes to group memberships, changes to the organization, etc. -Netwrix 1Secure allows Managed Service Providers to generate a variety of reports to investigate incidents and suspicious activities across the IT environment. \ No newline at end of file +Netwrix 1Secure is a Microsoft Azure-hosted, multi-tenant SaaS application that provides a single location to monitor and audit both on-premises and cloud environments. The application collects data from your IT infrastructure and notifies you of actions made to the organization, such as account deletions, account additions, group membership changes, and configuration changes. + +Netwrix 1Secure serves Managed Service Providers (MSPs) who manage multiple client organizations. MSPs use 1Secure to run reports, investigate incidents, detect suspicious activity, and analyze security risks across all managed organizations. + +## Key capabilities + +- [**Dashboard**](/docs/1secure/admin/dashboard/overview.md) — A unified dashboard showing alerts, risk levels, and health status across all managed organizations. +- [**Incident investigation**](/docs/1secure/admin/searchandreports/overview.md) — Flexible search and custom reports to find who changed what, when, and where across Active Directory, Microsoft Entra ID, Computer, Exchange Online, and SharePoint Online environments. +- [**Risk assessment**](/docs/1secure/admin/riskprofiles/riskprofiles.md) — Risk profiles with configurable thresholds to identify vulnerabilities such as inactive accounts and stale permissions across managed organizations. 
+- [**Alert profiles**](/docs/1secure/admin/alerts/overview.md) — Configurable alerts that detect suspicious activity on-premises and in the cloud and deliver notifications by email or through ticketing systems. +- [**Third-party integrations**](/docs/1secure/integration/overview.md) — Connects to ConnectWise and ServiceNow for ticket management, with support for report delivery to SharePoint Online. + +```mdx-code-block +import DocCardList from '@theme/DocCardList'; + + +``` \ No newline at end of file diff --git a/docs/1secure/requirements/CloudAgentRequirements.md b/docs/1secure/requirements/CloudAgentRequirements.md index cbabbb12f8..275d743662 100644 --- a/docs/1secure/requirements/CloudAgentRequirements.md +++ b/docs/1secure/requirements/CloudAgentRequirements.md @@ -7,7 +7,7 @@ sidebar_position: 20 # Netwrix Cloud Agent Requirements :::warning -Deploy only one Netwrix Cloud Agent per audited on-premises AD domain. If both Netwrix Auditor and Netwrix 1Secure audit the same domain, ensure that at most one product has network traffic compression service enabled for any of the audited sources. +Deploy only one Netwrix Cloud Agent per audited on-premises AD domain. If both Netwrix Auditor and Netwrix 1Secure audit the same domain, enable network traffic compression for at most one product across the shared sources. ::: 
@@ -29,7 +29,7 @@ Netwrix Cloud Agent requires the following software: - Windows Installer 3.1 or later - Windows PowerShell 3.0 or later -The machine where you plan to deploy the agent must meet the following requirements. +The agent host must meet the following hardware requirements. | Hardware component | Evaluation, PoC, or starter environment | Regular environment (up to 1m Activity Records/day) | Large environment (1-10m Activity Records/day) | XLarge environment (10m Activity Records/day or more) | | ------------------ | -------------------------------------- | --------------------------------------------------- | ---------------------------------------------- | ----------------------------------------------------- | @@ -38,12 +38,10 @@ The machine where you plan to deploy the agent must meet the following requireme | Disk space | 200 GB—System drive | 200 GB—System drive | 2 TB—System drive | 1 TB + 1 TB per year —System drive | | Others | — | — | Network capacity 1 Gbit | Network capacity 1 Gbit | -## Requirements for outbound communications with a Netwrix Cloud Agent +## Outbound communication requirements -To review the security incorporated by the agent in your system, examine the target URL in the -Configuration.xml file, which is located on the agent host at: +To review agent security settings, examine the target URL in Configuration.xml, located on the agent host at: `C:\ProgramData\Netwrix Cloud Agent\AgentCore\ConfigServer\Configuration.xml` -You must also open the outbound TCP port 443 on the server where the Netwrix Cloud Agent resides. -See the [Install Agent](/docs/1secure/install/installagent.md) topic +Open outbound TCP port 443 on the agent host. See [Install Agent](/docs/1secure/install/installagent.md) for installation steps. diff --git a/docs/1secure/requirements/overview.md b/docs/1secure/requirements/overview.md index 89b20e8f11..c7f19ce0df 100644 --- a/docs/1secure/requirements/overview.md +++ b/docs/1secure/requirements/overview.md 
@@ -6,9 +6,10 @@ sidebar_position: 20 # Requirements -This topic provides the requirements for installing Netwrix Cloud Agent and the prerequisites for -configuring data sources to collect data from various environments. +Review the Netwrix Cloud Agent software requirements and the prerequisites for each data source you plan to monitor. -See the following topics for additional information: -- [Agent Software Requirements](/docs/1secure/requirements/CloudAgentRequirements.md) -- [Prerequisites for Data Sources](/docs/1secure/requirements/prerequisitesfordatasources.md) +```mdx-code-block +import DocCardList from '@theme/DocCardList'; + + +``` diff --git a/docs/1secure/requirements/prerequisitesfordatasources.md b/docs/1secure/requirements/prerequisitesfordatasources.md index b57f2cc016..cf31a70357 100644 --- a/docs/1secure/requirements/prerequisitesfordatasources.md +++ b/docs/1secure/requirements/prerequisitesfordatasources.md @@ -6,12 +6,12 @@ sidebar_position: 10 # Prerequisites for Data Sources -This section lists platforms and systems that can be monitored with Netwrix 1Secure. +The following table lists the platforms and versions that Netwrix 1Secure can monitor. | Data source | Supported Versions | | --- | ---| | Active Directory (including Logon Activity) | Domain Controller OS versions:
| -| Microsoft Entra ID | Microsoft Entra ID version provided within Microsoft Office 365 Depending on the authentication method you use to collect Azure AD and Office 365 data, additional configuration steps may be required. See the [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md) topic for additional information. | -| Computer (Windows File Server) | Consider the following:
| -| SharePoint Online | Azure Active Directory version provided within Microsoft Office 365 Depending on the authentication method you use to collect SharePoint Online and OneDrive for Business data, additional configuration steps may be required. See the [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md) topic for additional information. | -| Exchange Online | Azure Active Directory version provided within Microsoft Office 365 Depending on the authentication method you use to collect Exchange Online data, additional configuration steps may be required. See the [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md) topic for additional information. \ No newline at end of file +| Microsoft Entra ID | Microsoft Entra ID, as provided within Microsoft 365. Depending on your authentication method, you may need additional configuration. See [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md) for details. | +| Computer (Windows File Server) |
Additional requirements:
| +| SharePoint Online | Microsoft Entra ID, as provided within Microsoft 365. Depending on your authentication method, you may need additional configuration. See [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md) for details. | +| Exchange Online | Microsoft Entra ID, as provided within Microsoft 365. Depending on your authentication method, you may need additional configuration. See [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md) for details. | \ No newline at end of file diff --git a/docs/1secure/setup-and-configuration/index.md b/docs/1secure/setup-and-configuration/index.md index d4ec2962c5..e3e8e5b4de 100644 --- a/docs/1secure/setup-and-configuration/index.md +++ b/docs/1secure/setup-and-configuration/index.md 
@@ -1,18 +1,22 @@ +--- +title: "Configure IT Infrastructure for Auditing and Monitoring" +description: "Configure IT Infrastructure for Auditing and Monitoring" +sidebar_position: 10 +--- + # Configure IT Infrastructure for Auditing and Monitoring -You can configure your IT Infrastructure for monitoring in one of the following ways: +You can configure your IT infrastructure for monitoring in one of the following ways: -- Automatically when creating an organization. This is a recommended method. -- Manually. The following table lists the native audit settings that must be adjusted manually to ensure - collecting comprehensive and reliable audit data. You can enable Netwrix 1Secure to continually - enforce the relevant audit policies or configure them manually. +- **Automatically during organization creation** — the recommended method. +- **Manually** — the following table lists the native audit settings to configure for comprehensive and reliable audit data collection. Netwrix 1Secure can continually enforce the relevant audit policies, or you can manage them yourself. 
| Data source | Provided connectors | Required configuration | | ----------------- | --------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -| Active Directory | Active Directory Activity | In the audited environment: See [Configure Domain for Monitoring Active Directory](/docs/1secure/configuration/admanual/cfgmanual.md) for related settings and procedures. On the computer where Netwrix Cloud Agent is installed: - If you have enabled automatic log backup for the Security log of your domain controller, you can instruct Netwrix 1Secure to clear the old backups automatically. For that, use the **CleanAutoBackupLogs** registry key Adjust the retention period for the backup files accordingly (default is **50** hours). - To provide for event data collection, the Secondary Logon service must be running. Open **Administrative Tools**→**Services**, right-click the **Secondary Logon** service and on the **General** tab ensure that **Startup type** for this service is other than _Disabled_. | -| Active Directory | Active Directory Logons | In the audited environment: - The following policies must be set to _"Success"_ and _"Failure"_ for the effective domain controllers policy: - Audit Logon Events - Audit Account Logon Events - The Audit system events policy must be set to _"Success"_ for the effective domain controllers policy. - The Advanced audit policy settings can be configured instead of basic. - The Maximum Security event log size must be set to 4GB. The retention method of the Security event log must be set to _“Overwrite events as needed”_ or _"Archive the log when full"_. 
- The following Windows Firewall inbound rules must be enabled: - Remote Event Log Management (NP-In) - Remote Event Log Management (RPC) - Remote Event Log Management (RPC-EPMAP) | -| Azure AD | Azure AD Activity Azure AD Logons | No special settings are required. Remember to do the following: Configure Azure AD app as described in [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md) section. | -| Computer | File Server Activity | **In the audited environment** - For a security principal (e.g., Everyone), the following options must be configured in the Advanced Security → Auditing settings for the audited shared folders:
- List Folder / Read Data (Files only): _"Success"_ and _"Fail"_
- List Folder / Read Data (This folder, subfolders, and files): _"Fail"_
- Create Files / Write Data\* : _"Success"_ and _"Fail"_
- Create Folders / Append Data\* : _"Success"_ and _"Fail"_
- Write Extended Attributes\* : _"Success"_ and _"Fail"_
- Delete Subfolders and Files\* : _"Success"_ and _"Fail"_
- Delete\* : _"Success"_ and _"Fail"_
- Change Permissions\* : _"Success"_ and _"Fail"_
- Take Ownership\* : _"Success"_ and _"Fail"_
- Select _"Fail_" only if you want to track failure events; it isn't required for success events monitoring. If you want to get only state-in-time snapshots of your system configuration, limit your settings to the permissions marked with \* and set it to _"Success"_ (Apply onto: This folder, subfolders, and files).

The following Advanced audit policy settings must be configured:
- The Audit: Force audit policy subcategory settings (Windows 7 or later) security option must be enabled.
- Depending on your OS version, configure the categories as follows:
- Windows Server 2008:
- Object Access; Audit File Share _"Success"_ ; Audit File System _"Success"_ and _"Failure"_ ; Audit Handle Manipulation _"Success"_ and _"Failure"_ ; Logon/Logoff ; Logon _"Success"_ ; Logoff _"Success"_ ;
- Policy Change: Audit Audit Policy Change: _"Success"_
- System: Security State Change: _"Success"_
- Windows Server 2008 R2 / Windows 7 and above
- Object Access:
- Audit File Share: _"Success"_
- Audit File System: _"Success"_ and _"Failure"_
- Audit Handle Manipulation: _"Success"_ and _"Failure"_
- Audit Detailed file share: _"Failure"_
- Logon/Logoff:
- Logon: _"Success"_
- Logoff: _"Success"_
- Policy Change:
- Audit Audit Policy Change: _"Success"_
- System:
- Security State Change: _"Success"_
- If you want to get only state-in-time snapshots of your system configuration, limit your audit settings to the following policies:
- Object Access:
- Audit File System: _"Success"_
- Audit Handle Manipulation: "Success"
- Audit File Share: "Success"
- Policy Change:
- Audit Audit Policy Change: "Success"
- The following legacy policies can be configured instead of advanced:
- Audit object access policy must set to _"Success"_ and _"Failure"_.
- Audit logon events policy must be set to _"Success"_.
- Audit system events policy must be set to _"Success"_.
- Audit policy change must be set to _"Success"_.
- The Security event log maximum size must be set to 4GB.
- The retention method of the Security event log must be set to _“Overwrite events as needed”_.
- The Remote Registry service must be started.
- The following inbound Firewall rules must be enabled:
- Remote Event Log Management (NP-In)\*
- Remote Event Log Management (RPC)\*
- Remote Event Log Management (RPC-EPMAP)\*
- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
- Network Discovery (NB-Name-In)
- File and Printer Sharing (NB-Name-In)
- File and Printer Sharing (Echo Request - ICMPv4-In)
- File and Printer Sharing (Echo Request - ICMPv6-In)
- The rules marked with \* are required only if you don't want to use network traffic compression for auditing.
- If you plan to audit Windows Server 2019 or Windows 10 Update 1803 without network compression service, ensure the following inbound connection rules are enabled:
- Remote Scheduled Tasks Management (RPC)
- Remote Scheduled Tasks Management (RPC-EMAP) | -| SharePoint Online | SharePoint Online Activity | No special settings are required. Remember to do the following: Configure Azure AD app as described in [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md).| +| Active Directory | Active Directory Activity | **In the audited environment:**
See [Configure Domain for Monitoring Active Directory](/docs/1secure/configuration/admanual/cfgmanual.md) for related settings and procedures.

**On the computer where the Netwrix Cloud Agent is installed:**
- If you enabled automatic log backup for the Security log on your domain controller, 1Secure can clear old backups automatically. Set the **CleanAutoBackupLogs** registry key and adjust the backup file retention period accordingly (default: **50** hours).
- For event data collection, the Secondary Logon service must be running. Open **Administrative Tools** → **Services**, right-click **Secondary Logon**, and on the **General** tab ensure **Startup type** is not set to _Disabled_. | +| Active Directory | Active Directory Logons | **In the audited environment:**
- Set the following policies to _”Success”_ and _”Failure”_ for the effective domain controllers policy:
  - Audit Logon Events
  - Audit Account Logon Events
- Set the **Audit system events** policy to _”Success”_ for the effective domain controllers policy.
- Advanced audit policy settings can replace basic audit policy settings.
- Set the Maximum Security event log size to 4GB and the retention method to _”Overwrite events as needed”_ or _”Archive the log when full”_.
- Enable the following Windows Firewall inbound rules:
  - Remote Event Log Management (NP-In)
  - Remote Event Log Management (RPC)
  - Remote Event Log Management (RPC-EPMAP) | +| Azure AD | Azure AD Activity Azure AD Logons | No special settings are required. Configure the Azure AD app as described in [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md). | +| Computer | File Server Activity | **In the audited environment:**
For a security principal (e.g., Everyone), configure the following options in **Advanced Security** → **Auditing** for the audited shared folders:
- List Folder / Read Data (Files only): _"Success"_ and _"Fail"_
- List Folder / Read Data (This folder, subfolders, and files): _"Fail"_
- Create Files / Write Data\* : _"Success"_ and _"Fail"_
- Create Folders / Append Data\* : _"Success"_ and _"Fail"_
- Write Extended Attributes\* : _"Success"_ and _"Fail"_
- Delete Subfolders and Files\* : _"Success"_ and _"Fail"_
- Delete\* : _"Success"_ and _"Fail"_
- Change Permissions\* : _"Success"_ and _"Fail"_
- Take Ownership\* : _"Success"_ and _"Fail"_
- Select _"Fail"_ only to track failure events; it isn't required for success event monitoring. To get only state-in-time snapshots, limit your settings to permissions marked with \* and set them to _"Success"_ (Apply onto: This folder, subfolders, and files).

Configure the following Advanced audit policy settings:
- Enable the **Audit: Force audit policy subcategory settings (Windows 7 or later)** security option.
- Depending on your OS version, configure the categories as follows:
- Windows Server 2008:
- Object Access; Audit File Share _"Success"_ ; Audit File System _"Success"_ and _"Failure"_ ; Audit Handle Manipulation _"Success"_ and _"Failure"_ ; Logon/Logoff ; Logon _"Success"_ ; Logoff _"Success"_ ;
- Policy Change: Audit Audit Policy Change: _"Success"_
- System: Security State Change: _"Success"_
- Windows Server 2008 R2 / Windows 7 and above
- Object Access:
- Audit File Share: _"Success"_
- Audit File System: _"Success"_ and _"Failure"_
- Audit Handle Manipulation: _"Success"_ and _"Failure"_
- Audit Detailed file share: _"Failure"_
- Logon/Logoff:
- Logon: _"Success"_
- Logoff: _"Success"_
- Policy Change:
- Audit Audit Policy Change: _"Success"_
- System:
- Security State Change: _"Success"_
- If you want to get only state-in-time snapshots of your system configuration, limit your audit settings to the following policies:
- Object Access:
- Audit File System: _"Success"_
- Audit Handle Manipulation: "Success"
- Audit File Share: "Success"
- Policy Change:
- Audit Audit Policy Change: "Success"
- The following legacy policies can replace advanced settings:
- Set the **Audit object access** policy to _”Success”_ and _”Failure”_.
- Set the **Audit logon events** policy to _”Success”_.
- Set the **Audit system events** policy to _”Success”_.
- Set the **Audit policy change** policy to _”Success”_.
- Set the Security event log maximum size to 4GB.
- Set the Security event log retention method to _”Overwrite events as needed”_.
- Start the Remote Registry service.
- Enable the following inbound Firewall rules:
- Remote Event Log Management (NP-In)\*
- Remote Event Log Management (RPC)\*
- Remote Event Log Management (RPC-EPMAP)\*
- Windows Management Instrumentation (ASync-In)
- Windows Management Instrumentation (DCOM-In)
- Windows Management Instrumentation (WMI-In)
- Network Discovery (NB-Name-In)
- File and Printer Sharing (NB-Name-In)
- File and Printer Sharing (Echo Request - ICMPv4-In)
- File and Printer Sharing (Echo Request - ICMPv6-In)
- The rules marked with \* are required only if you don't want to use network traffic compression for auditing.
- To audit Windows Server 2019 or Windows 10 Update 1803 without the network compression service, enable the following inbound connection rules:
- Remote Scheduled Tasks Management (RPC)
- Remote Scheduled Tasks Management (RPC-EMAP) | +| SharePoint Online | SharePoint Online Activity | No special settings are required. Configure the Azure AD app as described in [App Registration and Configuration in Microsoft Entra ID](/docs/1secure/configuration/registerconfig/registerconfig.md). |
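Review bot: in the docs/1secure/index.md hunk, the added `mdx-code-block` imports `DocCardList` from `@theme/DocCardList` but the visible lines show only blank lines between the import and the closing fence, with no `<DocCardList />` element; either the element was dropped or the import is dead, so please confirm the block actually renders the card list. The same hunk introduces "Microsoft Azure-hosted, multi-tenant", a claim the removed paragraph did not make; keep it only if it matches what the rest of the docs say about hosting. Two smaller points: the "Risk assessment" bullet calls inactive accounts and stale permissions "vulnerabilities", which overstates them (they are risk indicators, which is also what the linked Risk profiles page is about), and the new file still ends with "\ No newline at end of file".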
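Review bot: the reworded warning in the first docs/1secure/requirements/CloudAgentRequirements.md hunk (@@ -7,7 +7,7) loses the per-source condition. The removed text said at most one product may have compression enabled "for any of the audited sources", i.e. for each source; the added text "enable network traffic compression for at most one product across the shared sources" reads as one product for the whole set. Suggest: "If both Netwrix Auditor and Netwrix 1Secure audit the same domain, enable network traffic compression in at most one of them for each shared source."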
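Review bot: in the CloudAgentRequirements.md outbound-communication hunk (@@ -38,12 +38,10), "To review agent security settings, examine the target URL in Configuration.xml" no longer says what the reader should do with that URL, and a URL is not a security setting. The only reason to look it up here is to know the endpoint the agent connects to over the outbound TCP 443 rule mentioned two lines later, so tie the two together, e.g. "To find the endpoint the agent connects to (for firewall or proxy allow-listing), check the target URL in Configuration.xml ... Allow outbound TCP 443 from the agent host to that endpoint." Also worth checking in the context rows of this hunk: the Disk space row gives 2 TB for Large but only "1 TB + 1 TB per year" for XLarge, so XLarge starts below Large; confirm that is intended.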
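Review bot: the docs/1secure/requirements/overview.md hunk removes the explicit links to CloudAgentRequirements.md and prerequisitesfordatasources.md and replaces them with an `mdx-code-block` that, in the visible lines, contains only the `DocCardList` import followed by blank lines and no `<DocCardList />` element. If the element was lost, this page becomes a dead end with no reference to either requirements page; please verify the rendered output or keep the two links in the body text.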
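Review bot: the docs/1secure/requirements/prerequisitesfordatasources.md hunk drops information the removed rows carried: the SharePoint Online row no longer mentions OneDrive for Business (the removed line said "collect SharePoint Online and OneDrive for Business data"), and the Entra ID row no longer says which data the authentication method applies to ("Azure AD and Office 365 data"). If OneDrive for Business is still collected through the SharePoint Online source, keep it in the row, since that is the only place a reader learns it. Separately, the "Supported Versions" cell for SharePoint Online and Exchange Online now reads "Microsoft Entra ID, as provided within Microsoft 365", which is a statement about Entra ID rather than a version of the data source; consider naming the service itself and leaving the Entra ID dependency in the app-registration sentence. The file also still ends with "\ No newline at end of file".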
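Review bot: in the docs/1secure/setup-and-configuration/index.md hunk, the last Computer firewall rule is still spelled "Remote Scheduled Tasks Management (RPC-EMAP)"; the same hunk spells the equivalent Event Log rule "(RPC-EPMAP)", and EPMAP (the RPC endpoint mapper) is the correct suffix, so fix the typo while the line is being touched. Other points in the same hunk, roughly in order: (1) the new Active Directory Logons and legacy-policy lines use curly closing quotes on both sides (`_”Success”_`, `_”Failure”_`) while the rest of the table uses straight quotes (`_"Success"_`), and the state-in-time sub-list ("Success" for Audit Handle Manipulation, Audit File Share, Audit Audit Policy Change) lacks the italics every other value has. (2) The data source is still labelled "Azure AD" with "Azure AD Activity Azure AD Logons" connectors and "Configure the Azure AD app", while the linked topic and the prerequisites table in this same patch use "Microsoft Entra ID"; if the connector names are product UI strings, say so, otherwise rename for consistency. (3) The bolded security option "Audit: Force audit policy subcategory settings (Windows 7 or later)" is not the Windows policy name; the option is "Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings", and since the hunk now bolds it as a UI string it should be exact. (4) The Windows Server 2008 block is still a single run-on line of semicolon-separated settings, while the 2008 R2 block directly below it was given proper sub-bullets; give both the same layout. (5) "Start the Remote Registry service." says nothing about startup type, whereas the Secondary Logon item in the Active Directory row explicitly tells the reader to check the startup type is not Disabled; state the same for Remote Registry so the requirement survives a reboot. (6) "Set the **CleanAutoBackupLogs** registry key" names a value without its hive, path, or data type, so the reader cannot act on it; add the full path and value format or link to the page that documents it. (7) The Computer row asks for inbound WMI, RPC, NetBIOS name and ICMP echo rules to be enabled without saying where the connections come from; a sentence telling the reader to scope these rules to the Netwrix Cloud Agent host's address would keep the audited file servers from exposing those services to the whole network. Minor wording: "Windows 10 Update 1803" should be "Windows 10 version 1803".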