Merged
81 changes: 81 additions & 0 deletions docs/1secure/CLAUDE.md
@@ -0,0 +1,81 @@
# CLAUDE.md

This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.

## Product

**Netwrix 1Secure** is a multi-tenant SaaS application (Azure-hosted) that helps Managed Service Providers (MSPs) audit on-premises and cloud environments across multiple client organizations. The primary audience is MSP IT staff and security analysts managing multiple client tenants.

Always write "Netwrix 1Secure" on first mention; "1Secure" is acceptable thereafter.

## Key Concepts

| Term | Meaning |
|---|---|
| MSP | Managed Service Provider — the main user persona; manages multiple client orgs |
| Organization | A client tenant managed by the MSP within 1Secure |
| Site | A logical grouping of data sources within an organization |
| Source | A monitored environment (AD, Computer, Exchange Online, Entra ID, SharePoint Online, SQL Server) |
| Connector | The configuration that connects 1Secure to a specific source instance |
| Netwrix Cloud Agent | The on-premises agent that collects data and sends it to the 1Secure cloud |
| Risk Profile | A named set of risk metrics with thresholds; assigned to an organization |
| Risk Metric | A measurable security parameter (e.g., inactive accounts, stale permissions) |
| State-in-Time | A point-in-time snapshot report used for risk assessment |

## Directory Structure

1Secure is a **single-version** SaaS product — no version subdirectories.

```
docs/1secure/
├── index.md # Product landing page
├── admin/ # Core product features and UI reference
│ ├── dashboard/ # Dashboard and alerts timeline
│ ├── organizations/ # Org management, users, roles, sources & connectors
│ │ ├── addingusers/
│ │ └── sourcesandconnectors/ # Per-source connector setup steps
│ ├── datacollection/ # Data collection configuration (per source type)
│ │ ├── activedirectoryauditing/
│ │ ├── computer/
│ │ └── logonactivity/
│ ├── riskprofiles/ # Risk profiles, metrics, dashboard
│ ├── searchandreports/ # Reports, filters, subscriptions, compliance
│ ├── alerts/
│ └── login/
├── configuration/ # Manual IT infrastructure configuration
│ ├── admanual/ # Manual AD audit configuration
│ ├── computer/ # Computer source config
│ ├── windowsserver/ # Windows Server config
│ ├── logonactivity/ # Logon Activity config
│ ├── sqlserver/ # SQL Server config
│ ├── gpmanual/ # Group Policy config
│ └── registerconfig/ # Classifier setup (registerconfig)
├── install/ # Agent installation
├── integration/ # Third-party integrations (ConnectWise, ServiceNow, SharePoint)
├── requirements/ # System requirements and data source prerequisites
├── security/ # Security, compliance, and data privacy topics
├── setup-and-configuration/ # Combined entry point linking setup topics
└── kb/ # Knowledge base / troubleshooting articles
```

## Frontmatter Pattern

Every file uses this frontmatter:

```yaml
---
title: "Title here"
description: "Title here"
sidebar_position: <integer>
---
```

`title` and `description` are always identical. Index/overview pages that use `DocCardList` to auto-list children don't need body content beyond a brief intro.

## Content Patterns

- **Index pages** (`overview.md`, `index.md`): Brief intro + `<DocCardList />` to render child links. Import: `` `import DocCardList from '@theme/DocCardList';` `` inside a `` `mdx-code-block` `` fence.
- **Configuration sections** often have two paths: automatic (recommended, done through the UI when adding a source) and manual (step-by-step for environments requiring it). Always present both and lead with the automatic method.
- **`admin/datacollection/`** covers permissions and audit settings the agent needs on the monitored systems — distinct from **`configuration/`**, which covers manual OS/policy configuration steps the admin performs on the target environment.
- **`admin/organizations/sourcesandconnectors/`** covers UI steps to add sources and connectors in the 1Secure console — distinct from `configuration/`, which is infrastructure-side.
- Risk metric content lives in `admin/riskprofiles/metrics_list.md`; do not duplicate metric descriptions elsewhere.
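Review bot: In the Key Concepts table, the Source row lists six source types (AD, Computer, Exchange Online, Entra ID, SharePoint Online, SQL Server), but the directory tree describes `admin/datacollection/` as "per source type" and shows a `logonactivity/` subfolder that is not in that list. Either add Logon Activity to the Source row or mark the list as examples with "e.g.", so the agent does not treat it as exhaustive. Separately, the Index pages bullet wraps the import statement and `mdx-code-block` in literal backticks inside double-backtick spans, which can be read as part of the syntax; a short sample of a real index page would be less ambiguous.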
43 changes: 21 additions & 22 deletions docs/1secure/admin/alerts/alerts.md
Expand Up @@ -20,7 +20,7 @@ You can access the generated alerts in the following ways:
[Manage Delivery Settings for an Alert Profile](overview.md#manage-delivery-settings-for-an-alert-profile) topic
for setting up email notifications.

Follow the steps to view the alerts within an alert profile.
**To view the alerts within an alert profile:**

**Step 1 –** Navigate to Configuration > Alerts.
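Review bot: The bold "To view the alerts within an alert profile:" lead-in replaces "Follow the steps to view the alerts within an alert profile." here, and the same substitution is made for every other procedure in this PR, but the Content Patterns section of the new `docs/1secure/CLAUDE.md` does not record the convention. Add a bullet there describing the procedure lead-in format so later edits keep it consistent.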

Expand All @@ -41,12 +41,12 @@ You can view the following for each alert in the list:
- Threshold Period – The threshold period set for the alert. The threshold period is the maximum
duration, starting from the first activity record, within which the specified number of activity
records (threshold) must occur to trigger an alert.
- Batching Period – The batching period set for the alert. The batching period feature allows you to
- Batching Period – The batching period set for the alert. With the batching period feature, you can
receive a single notification that includes all alerts triggered during the specified period.

## Add a Custom Alert

Follow the steps to add a custom alert.
**To add a custom alert:**

**Step 1 –** Navigate to Configuration > Alerts.

Expand All @@ -56,7 +56,7 @@ Follow the steps to add a custom alert.

![New Alert Pane](/images/1secure/admin/alerts/addcustomalert.webp)

**Step 4 –** Select a custom report from the Report drop-down menu to trigger the alert when a new
**Step 4 –** Select a custom report from the Report dropdown menu to trigger the alert when a new
record is generated for the report. See the [ Custom Reports](/docs/1secure/admin/searchandreports/customreports.md)
topic for additional information.
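Review bot: Step 4 still carries a stray space inside the link text on the unchanged continuation line, `[ Custom Reports]`. Since this step is being edited anyway, change it to `[Custom Reports]` so the link renders without the leading space.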

Expand All @@ -65,28 +65,28 @@ topic for additional information.
**Step 6 –** Toggle the **Is Active** switch to ON to activate the alert. Notifications are sent for
active alerts only.

**Step 7 –** Toggle the **Is Grouped** switch to ON, which displays the Grouped On drop-down menu.
**Step 7 –** Toggle the **Is Grouped** switch to ON, which displays the Grouped On dropdown menu.
When grouping is enabled, alerts are organized based on the criteria you select in the _Grouped On_
drop-down menu.
dropdown menu.

**Step 8 –** Select one of the following options from the **Grouped On** drop-down menu:
**Step 8 –** Select one of the following options from the **Grouped On** dropdown menu:

- Who – Groups alerts with respect to the user who performed the activity (deleted an account,
- Who – Groups alerts by the user who performed the activity (deleted an account,
created a record, etc.)
- Where – Groups alerts with respect to the location where the activity is performed. For example,
- Where – Groups alerts by the location where the activity is performed. For example,
SharePoint Online site, file server, etc.
- What – Groups alerts with respect to the object the activity is performed on, such as a computer,
- What – Groups alerts by the object the activity is performed on, such as a computer,
file, etc.

Example: You have two users, User 1 and User 2, each performing different actions. By setting
"Grouped On" to "Who", alerts will be generated per user, resulting in two separate alerts — one for
User 1 and another for User 2. Each alert will include only the activity associated with that
specific user. If grouping is not enabled, all activities will be consolidated into a single alert
"Grouped On" to "Who", alerts are generated per user, resulting in two separate alerts — one for
User 1 and another for User 2. Each alert includes only the activity associated with that
specific user. If grouping isn't enabled, all activities are consolidated into a single alert
based on the specified _threshold_ and _threshold period_.

**Step 9 –** In the Threshold field, specify a threshold for the alert. The threshold is the minimum
number of activity records that must occur within a specified time frame (threshold period) to
trigger an alert. For example, if the threshold is set to 3, an alert will be triggered when at
trigger an alert. For example, if the threshold is set to 3, an alert is triggered when at
least 3 activity records are generated within the specified time frame.

**Step 10 –** In the Threshold Period field, specify a threshold period for the alert. The threshold
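Review bot: The Grouped On label is formatted four different ways across Steps 7 and 8 and the example paragraph: plain in "the Grouped On dropdown menu", italic in `_Grouped On_`, bold in `**Grouped On**`, and quoted in "Grouped On". Pick one treatment for UI labels (the steps otherwise use bold, as in `**Is Active**` and `**Is Grouped**`) and apply it to all four occurrences.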
Expand All @@ -95,12 +95,11 @@ number of activity records (threshold) must occur to trigger an alert. For examp
is set to 5 and the threshold period is 10 minutes, at least 5 activity records must be generated
within 10 minutes to trigger an alert.

**Step 11 –** If you do not want alert notifications to be sent to you each time an alert is
generated, there is a batching period option. In the Batching Period field, specify a batching
period for the alert. The batching period feature allows you to receive a single notification that
includes all alerts triggered during the specified period. For example, if the batching period is
set to 30 minutes (00:30:00) for an alert such as "Computer removed," you will receive a single
notification for the alerts generated during that time frame, rather than receiving individual
**Step 11 –** To avoid receiving a notification each time an alert is generated, specify a batching
period in the Batching Period field. With the batching period feature, you receive a single
notification that includes all alerts triggered during the specified period. For example, if the
batching period is set to 30 minutes (00:30:00) for an alert such as "Computer removed," you
receive a single notification for all alerts generated during that time frame rather than individual
notifications for each alert.

**Step 12 –** Click **Save**.
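Review bot: The rewritten Step 11 says a single notification covers "all alerts triggered during the specified period" but does not say when that notification is sent, so a reader cannot tell how long delivery of the first alert in a batch can be held back. With the 30 minute example, state whether the notification goes out when the period ends, and consider a sentence advising a short batching period, or none, for alerts that need an immediate response.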
Expand All @@ -109,7 +108,7 @@ The alert is configured and added to the list.

## Modify an Alert

Follow the steps to modify a preconfigured or custom alert.
**To modify a preconfigured or custom alert:**

**Step 1 –** Navigate to Configuration > Alerts.

Expand All @@ -124,7 +123,7 @@ Follow the steps to modify a preconfigured or custom alert.

## Delete a Custom Alert

Follow the steps to delete a custom alert.
**To delete a custom alert:**

**Step 1 –** Navigate to Configuration > Alerts.

23 changes: 11 additions & 12 deletions docs/1secure/admin/alerts/overview.md
Expand Up @@ -6,9 +6,8 @@ sidebar_position: 70

# Alert Profiles

Alert profiles provide a way to easily group alert configurations and delivery notification settings
together. You can create an alert profile, enable relevant alerts for the profile, and assign it to
organization(s). Additionally, you can customize delivery settings and specify which user(s) will
Alert profiles group alert configurations and delivery notification settings together. You can create an alert profile, enable relevant alerts for the profile, and assign it to
organizations. Additionally, you can customize delivery settings and specify which users will
receive notifications when alerts in the profile are triggered.

To view the alert profiles, navigate to Configuration > Alerts.
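Review bot: The new opening line of this paragraph is left unwrapped (it runs from "Alert profiles group" to "assign it to") while the lines that follow it are hard-wrapped; rewrap it to match. "group ... together" is also redundant, and "Alert profiles group alert configurations and delivery notification settings." reads cleaner.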
Expand All @@ -30,7 +29,7 @@ automatically applied to all managed organizations.

## Add an Alert Profile

Follow the steps to add an alert profile.
**To add an alert profile:**

**Step 1 –** Navigate to Configuration > Alerts.

Expand All @@ -45,13 +44,13 @@ The alert profile is added to the list. You can:
- Assign this profile to an organization. You can do this when creating a new organization or
editing an organization. See the [Add Organizations](/docs/1secure/admin/organizations/addorganizations.md) topic
for additional information.
- Click the profile to review the list of alerts, enable the desired alerts, make necessary edits
- Click the profile to review the list of alerts, enable the alerts you want, make necessary edits
for alerts, and set delivery settings for the alert profile. See [Alerts](/docs/1secure/admin/alerts/alerts.md) topic for
additional information.

## Modify the Name of an Alert Profile

Follow the steps to modify the name of an alert profile.
**To modify the name of an alert profile:**

**Step 1 –** Navigate to Configuration > Alerts.
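Review bot: The bullet edited here continues with "See [Alerts](/docs/1secure/admin/alerts/alerts.md) topic for", which is missing the article used in the bullet above it ("See the [Add Organizations]... topic"). Change it to "See the [Alerts]... topic" while this bullet is open.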

Expand All @@ -64,13 +63,13 @@ Follow the steps to modify the name of an alert profile.
## Delete an Alert Profile

:::note
(1) The alert profile named _Netwrix Profile (Default)_ cannot be deleted.
(1) The alert profile named _Netwrix Profile (Default)_ can't be deleted.
(2) When an alert profile is deleted, the _Netwrix Profile (Default)_ is automatically assigned to
the organizations that were previously assigned the deleted profile.
:::


Follow the steps to delete an alert profile.
**To delete an alert profile:**

**Step 1 –** Navigate to Configuration > Alerts.
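Review bot: Inside the `:::note` block the two statements are hand-numbered "(1)" and "(2)" on consecutive lines with no blank line or list marker between them, so Markdown joins them into one paragraph. Convert them to a two-item list, or to two separate notes, and drop the manual numbers. The hunk also leaves two consecutive blank lines after the closing `:::`; one is enough.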

Expand All @@ -84,9 +83,9 @@ prompting you to confirm the deletion of the profile.
You can receive alerts by email or through the third-party ticket service, as used by the Managed
Service Providers.

Follow the steps to configure alerts by email.
**To configure alerts by email:**

**Step 1 –** . Navigate to Configuration > Alerts.
**Step 1 –** Navigate to Configuration > Alerts.

**Step 2 –** Click an alert profile. The alerts for the profile are displayed in a list.

Expand All @@ -100,10 +99,10 @@ displayed.
**Step 5 –** In the Email Addresses field, enter the email address of a recipient for alert
notifications and click the Add icon. To specify multiple email addresses, add them one by one.

**Step 6 –** Check the **Email Organization Admins** check box to send the alerts to all the
**Step 6 –** Check the **Email Organization Admins** checkbox to send the alerts to all the
organization admins by email.

**Step 7 –** Click Save.

You may also link to a third-party ticketing system. See the
You can also link to a third-party ticketing system. See the
[Third-party systems](/docs/1secure/integration/overview.md) topic for additional information.
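Review bot: Step 7 here reads "Click Save." with the button name in plain text, while the matching step in `alerts.md` in this same PR reads "Click **Save**."; bold the button name for consistency. In Step 6, "Check the **Email Organization Admins** checkbox" would read better as "Select the ... checkbox", which avoids the check/checkbox repetition.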
22 changes: 11 additions & 11 deletions docs/1secure/admin/dashboard/alertstimeline.md
Expand Up @@ -36,14 +36,14 @@ exact number of alerts for that type.
The legend maps the colors used in the pie chart to the names of the alert types along with the
share percentage.

Click an alert type on the legend to disable it. Disabled alert types are not displayed in the pie
chart. Hence, the pie chart displays only the enabled alert types and their percentage shares with
respect to each other. You can click a disabled alert type on the legend to enable it.
Click an alert type on the legend to disable it. Disabled alert types aren't displayed in the pie
chart. The pie chart displays only the enabled alert types and their percentage shares with
respect to each other. Click a disabled alert type on the legend to re-enable it.

**Alerts Timeline**

This card displays a bar chart illustrating the number of alerts triggered for the period selected
in the timeframe drop-down menu. Hover over a bar on the chart to view the exact number of alerts
in the timeframe dropdown menu. Hover over a bar on the chart to view the exact number of alerts
triggered on any specific date.

**Alerts List**
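Review bot: The rewritten pie chart sentence keeps "with respect to each other", although this PR replaces "with respect to" elsewhere ("Groups alerts by" in `alerts.md`, "relative to" in `organizationstatistics.md`). Use "relative to each other" here, or shorten it to "and their percentage shares".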
Expand Down Expand Up @@ -85,20 +85,20 @@ information.

## Filter Data

Multiple filters are available on this page to enable you to filter data as desired. You can apply
Multiple filters are available on this page. You can apply
one or more filters at a time.

- Organizations – Select an organization from the Organizations drop-down menu to view its
- Organizations – Select an organization from the Organizations dropdown menu to view its
alert-related data.
- Filter by Keyword – Type a search string (only alpha characters allowed) in the Filter by keyword
- Filter by Keyword – Enter a search string (only alpha characters allowed) in the Filter by keyword
field and press Enter. The Alerts list displays the data that matches the specified keyword.
- Alert – Select an alert type from the Alert drop-down menu. The charts and the alerts list display
- Alert – Select an alert type from the Alert dropdown menu. The charts and the alerts list display
data specific to the selected alert type. By default, All is selected.
- Item – Select an item from the Item drop-down menu. The charts and the alerts list display alert
- Item – Select an item from the Item dropdown menu. The charts and the alerts list display alert
data specific to the selected item. By default, All is selected.
- Timeframe – Select a time period from the Timeframe drop-down menu. The charts and the listing on
- Timeframe – Select a time period from the Timeframe dropdown menu. The charts and the listing on
the page display data for the selected time period. For example, if you select 7 Days, the data
will reflect information for the past 7 days. By default, 30 Days is selected. Options are:
reflects information for the past 7 days. By default, 30 Days is selected. Options are:

- 7 Days
- 30 Days
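Review bot: In the Filter by Keyword bullet, the new wording "Enter a search string ... and press Enter" uses Enter twice with two different meanings, which the previous "Type a search string" avoided. Keep "Type" or reword the second half. The field name also changes case within the same bullet ("Filter by Keyword" and "Filter by keyword"), and "letters only" would be clearer than "only alpha characters allowed".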
8 changes: 4 additions & 4 deletions docs/1secure/admin/dashboard/organizationstatistics.md
Expand Up @@ -20,19 +20,19 @@ You can view the following insights for an organization.

## Organization

This drop-down displays the name of the organization. You can choose a different organization from
This dropdown displays the name of the organization. You can choose a different organization from
here to view the statistics for that Organization.

## Users

This link displays the total number of users in the organization along with their percentage share
with respect to the total number of users in the managed organizations (tenant) in 1Secure. Click
The Users value displays the total number of users in the organization along with their percentage share
relative to the total number of users in the managed organizations (tenant) in 1Secure. Click
the value to navigate to the Billable Users page. See the
[System Reports](/docs/1secure/admin/searchandreports/system.md) topic for additional information.

## Health Status

This link displays the current health status of the organization, which can be: Healthy, Trial in
The Health Status value displays the current health status of the organization, which can be: Healthy, Trial in
Progress, New, Update Recommended, Needs Attention, Experiencing Issues, Offline, Disabled, Not
Configured, and Pending Deletion. Click the health status to navigate to the configuration page of
the organization.
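Review bot: The Users paragraph refers to "the managed organizations (tenant)", using tenant for the whole set of managed organizations, while the Key Concepts table added to `CLAUDE.md` in this PR defines an Organization as "A client tenant managed by the MSP". Align the term one way or the other. The two rewritten opening lines ("The Users value displays" and "The Health Status value displays") are also left unwrapped, unlike the lines that follow them.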