claudemd vale dale

[jth-nw]

also fixed typo in images install path

[github-actions]

Auto-Fix Summary

16 issues fixed, 1 skipped across 1 files

Category	Fixes
Contractions	1
Substitutions	1
FirstPerson (rewrite)	1
FollowTheStepsTo (rewrite)	1
OxfordComma (rewrite)	1
Repetition (rewrite)	1
Dale: misplaced-modifiers	1
Dale: passive-voice	8
Dale: wordiness	1

Skipped (needs manual review)	Reason

| docs/threatmanager/3.1/install/upgrade/upgrade3.1.md:91 — Dale: passive-voice | 'because you have already created them' is an explanatory subordinate clause; rewriting risks changing the meaning of the conditional |

Ask @claude on this PR if you'd like an explanation of any fix.

[github-actions]

Auto-Fix Summary

18 issues fixed, 54 skipped across 198 files

Category	Fixes
Contractions	8
FirstPerson (rewrite)	1
OxfordComma (rewrite)	1
Dale: positional-references	7
Dale: wordiness	1

Skipped (needs manual review)	Reason

| docs/threatmanager/3.0/install/upgrade/upgrade2.8.md:116 — Dale: positional-references | 'Python 3.7 and below' refers to a version range, not document content |
| docs/threatmanager/3.1/install/upgrade/upgrade2.8.md:118 — Dale: positional-references | 'Python 3.7 and below' refers to a version range, not document content |
| docs/threatmanager/3.0/administration/overview.md:32 — Dale: positional-references | 'banner displays below the navigation header' describes actual UI layout, not a documentation reference |
| docs/threatmanager/3.1/administration/overview.md:32 — Dale: positional-references | 'banner displays below the navigation header' describes actual UI layout, not a documentation reference |
| docs/threatmanager/3.0/administration/threats/threatdetails/overview.md:29 — Dale: positional-references | 'box below the diagram' describes actual UI position, ambiguous to reword without changing meaning |
| docs/threatmanager/3.1/administration/threats/threatdetails/overview.md:29 — Dale: positional-references | 'box below the diagram' describes actual UI position, ambiguous to reword without changing meaning |
| docs/threatmanager/3.0/administration/threats/activedirectoryobjects/group.md:37 — Dale: positional-references | 'A key... appears below the chart' describes actual UI layout |
| docs/threatmanager/3.0/administration/threats/activedirectoryobjects/user.md:38 — Dale: positional-references | 'A key... appears below the chart' describes actual UI layout |
| docs/threatmanager/3.0/administration/threats/activedirectoryobjects/user.md:49 — Dale: positional-references | 'tables below the charts' describes actual UI layout |
| docs/threatmanager/3.0/administration/threats/entraidobjects/entraiduser.md:41 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.0/administration/threats/entraidobjects/entraiduser.md:52 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.0/administration/threats/entraidobjects/entraidgroup.md:40 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/threats.md:31 — Dale: positional-references | 'displays these threats in a list below the Historical Events section' describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/threats.md:35 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/threats.md:48 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/activedirectoryobjects/host.md:40 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/activedirectoryobjects/group.md:37 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md:38 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/activedirectoryobjects/user.md:49 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/entraidobjects/entraiduser.md:41 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/entraidobjects/entraiduser.md:52 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.1/administration/threats/entraidobjects/entraidgroup.md:40 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.0/administration/investigations/options/filters.md:258 — Dale: positional-references | 'options above the Filters section' describes actual UI layout |
| docs/threatmanager/3.1/administration/investigations/options/filters.md:257 — Dale: positional-references | 'options above the Filters section' describes actual UI layout |
| docs/threatmanager/3.0/administration/configuration/systemsettings/licensing.md:22 — Dale: positional-references | 'just below the navigation' describes actual UI layout |
| docs/threatmanager/3.1/administration/configuration/systemsettings/licensing.md:22 — Dale: positional-references | 'just below the navigation' describes actual UI layout |
| docs/threatmanager/3.0/administration/configuration/systemsettings/auditing.md:33 — Dale: positional-references | 'dropdown above the right corner of the table' describes actual UI position |
| docs/threatmanager/3.0/administration/configuration/systemsettings/auditing.md:34 — Dale: positional-references | 'search box above the left corner', 'buttons below the table' describe actual UI position |
| docs/threatmanager/3.1/administration/configuration/systemsettings/auditing.md:33 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.1/administration/configuration/systemsettings/auditing.md:34 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.0/administration/configuration/policies/honeytoken.md:55 — Dale: positional-references | 'the line below the last existing query filter' describes actual UI position |
| docs/threatmanager/3.0/administration/configuration/policies/honeytoken.md:84 — Dale: positional-references | 'blank line below the last filled in line' describes actual UI position |
| docs/threatmanager/3.1/administration/configuration/policies/honeytoken.md:61 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.1/administration/configuration/policies/honeytoken.md:93 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.0/administration/configuration/threatdetection/threatconfiguration.md:102 — Dale: positional-references | 'button below the' describes actual UI position |
| docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md:107 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.0/administration/configuration/systemhealth/services.md:35 — Dale: positional-references | 'displayed below the navigation header' describes actual UI layout |
| docs/threatmanager/3.1/administration/configuration/systemhealth/services.md:35 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.0/administration/configuration/systemhealth/agents.md:18 — Dale: positional-references | 'just below the navigation header' describes actual UI layout |
| docs/threatmanager/3.1/administration/configuration/systemhealth/agents.md:20 — Dale: positional-references | Describes actual UI layout |
| docs/threatmanager/3.0/administration/configuration/integrations/activedirectorysync.md:182 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.0/administration/configuration/integrations/activedirectorysync.md:183 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md:190 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md:191 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.0/administration/configuration/integrations/entraidsync.md:132 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.0/administration/configuration/integrations/entraidsync.md:133 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md:137 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md:138 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md:139 — Dale: positional-references | Describes actual UI position |
| docs/threatmanager/3.0/threats/activedirectory.md:92 — Dale: positional-references | 'staying below an organization's defined lockout threshold' refers to a numeric threshold, not a positional reference |
| docs/threatmanager/3.1/threats/activedirectory.md:92 — Dale: positional-references | 'staying below an organization's defined lockout threshold' refers to a numeric threshold |
| docs/threatmanager/3.1/administration/overview.md:47 — Dale: minimizing-difficulty | 'enables easy tracking' is borderline marketing language but rephrasing risks changing meaning of the overview's value proposition |
| docs/threatmanager/3.1/administration/overview.md:54 — Dale: minimizing-difficulty | 'find threats quickly' describes a feature benefit; ambiguous whether to remove without changing meaning |
| docs/threatmanager/3.1/administration/threats/threats.md:11 — Dale: minimizing-difficulty | 'find threats quickly' describes a feature benefit; ambiguous whether to remove |

Ask @claude on this PR if you'd like an explanation of any fix.

[github-actions]

Documentation PR Review

This PR is a large copy-edit pass across the Threat Manager 3.0 and 3.1 documentation (199 reviewable markdown files plus a new docs/threatmanager/CLAUDE.md). The bulk of the changes are well-motivated mechanical fixes — drop-down → dropdown, Prior to → Before, removing Follow the steps to... boilerplate, tightening passive constructions, and expanding underdefined acronyms (notably USN → Update Sequence Number (USN) in 3.1). The findings below focus on issues introduced or surviving in the added lines.

Editorial Review

Cross-cutting: orphan fragment lines in Threat Manager 3.0

A search-and-replace appears to have stripped the leading clause Follow the steps to without removing the dependent fragment that followed it. The result is ~25 broken lines that begin with a leading space and a lowercase verb (e.g., install the application., add a playbook.). 3.1 fixed the same pattern by promoting these to a To <verb>: colon-introducer. Apply the same fix to 3.0.

Affected 3.0 files and lines:

• docs/threatmanager/3.0/install/application.md — Line 11: install the application.
• docs/threatmanager/3.0/install/database.md — Line 11: install the PostgreSQL database application.
• docs/threatmanager/3.0/install/actionservice.md — Lines 15, 44, 90
• docs/threatmanager/3.0/install/overview.md — Line 85
• docs/threatmanager/3.0/install/secure.md — Line 36
• docs/threatmanager/3.0/install/integration/accessanalyzer.md — Line 23
• docs/threatmanager/3.0/install/integration/threatprevention/threatmanagerconfiguration.md — Lines 28, 95, 130
• docs/threatmanager/3.0/administration/configuration/systemsettings/useraccess.md — Lines 159, 187, 206
• docs/threatmanager/3.0/administration/investigations/options/edit.md — Lines 13, 36
• docs/threatmanager/3.0/administration/investigations/options/filters.md — Line 71
• docs/threatmanager/3.0/administration/investigations/options/subscription.md — Line 24
• docs/threatmanager/3.0/administration/investigations/subscriptionsexports.md — Line 64
• docs/threatmanager/3.0/administration/playbooks/editstep.md — Lines 9, 23
• docs/threatmanager/3.0/administration/playbooks/export.md — Line 11
• docs/threatmanager/3.0/administration/playbooks/import.md — Line 13
• docs/threatmanager/3.0/administration/playbooks/importsteps.md — Line 13
• docs/threatmanager/3.0/administration/playbooks/overview.md — Line 27
• docs/threatmanager/3.0/administration/playbooks/save.md — Line 11
• docs/threatmanager/3.0/administration/playbooks/trigger.md — Line 11
• docs/threatmanager/3.0/administration/threats/activedirectoryobjects/activedirectoryobjects.md — Line 79
• docs/threatmanager/3.0/administration/threats/entraidobjects/entraidobjects.md — Line 78
• docs/threatmanager/3.0/administration/threats/threats.md — Line 135
• docs/threatmanager/3.0/install/upgrade/upgrade2.8.md, upgrade3.0.md, docs/threatmanager/3.0/threats/custom.md — same pattern

Suggested fix for each: replace the orphan fragment with a To <verb the rest of the sentence>: introducer that ends with a colon, mirroring the 3.1 pattern.

---

docs/threatmanager/3.0/administration/investigations/options/filters.md

• Clarity — Line 208: Navigate to the investigation you want's Filters section. The contraction-style possessive on a clause (you want's) is ungrammatical. Suggested fix: Navigate to the Filters section of the investigation you want to modify.
• Clarity — Line 218: If multiple data sources are configure, select a source from the **Source** dropdown menu. Missing -d on the participle. Suggested fix: are configured.
• Clarity — Line 256: After the filter is set, you can generate the report ad hoc by clicking **Run Query**. The allows you to test if your filter statement is working as desired. The allows you is broken — the antecedent is missing. Suggested fix: Running the query lets you test whether your filter statement works as expected.

docs/threatmanager/3.0/administration/playbooks/overview.md

• Completeness — Line 113: This allows a (Undefined variable: SD.Product Short Name) administrator to sequence a series of playbooks together as part of... A documentation template variable has leaked unresolved into the page text. Suggested fix: replace (Undefined variable: SD.Product Short Name) with Threat Manager.

docs/threatmanager/3.0/administration/configuration/integrations/page/openid/entraidopenid.md (and the parallel 3.1 file)

• Clarity — Line 43 (3.0) / Line 45 (3.1): the Select a plateform dropdown. Typo — plateform should be platform. Same typo exists in both versions.
• Clarity — Line 160 (3.0) / Line 165 (3.1): In case the Microsoft Entra ID OpenID Connect configurations don't work and an error is displayed, ... The In case the construction is awkward and not standard for conditional sequences. Suggested fix: If the Microsoft Entra ID OpenID Connect configuration doesn't work and an error appears, ...
• Clarity — Line 195 (3.0) / Line 200 (3.1): Check that the field from the claims setting exist and has the value. Subject–verb agreement: the field ... exist should be the field ... exists. Also If claims don't exist uses a typographic curly apostrophe (’) rather than a straight one ('); use straight apostrophes per Netwrix style. Suggested fix: Check that the field from the claims setting exists and has the expected value. If claims don't exist, check the claims configuration in Microsoft Entra ID.

docs/threatmanager/3.0/administration/configuration/integrations/activedirectorysync.md

• Clarity — Line 24: domains. It evaluates the USN value of an object and syncs when the object changes. USN is not defined on first use. The 3.1 version of the same file already fixes this by spelling it out. Suggested fix: align with 3.1 — evaluates the Update Sequence Number (USN) of an object.

docs/threatmanager/3.1/administration/configuration/integrations/activedirectorysync.md

• Clarity — Line 86: If successful, move on to the next step. If failed, recheck your entries for error and repeat this step. This still carries the wordy/awkward phrasing that the 3.0 version was rewritten to fix in this PR — the two versions have drifted apart on the same step. Suggested fix: align with the 3.0 wording — If the connection fails, check your entries for errors and repeat this step.

docs/threatmanager/3.1/administration/configuration/integrations/entraidsync.md

• Clarity — Line 10–11: the application is configured to sync.See the\n[Application Permissions for Entra ID Sync](...)topic Missing space after sync. and missing space between the link and topic. Suggested fix: insert spaces: ... configured to sync. See the [Application Permissions for Entra ID Sync](...) topic ...

docs/threatmanager/3.0/administration/investigations/options/export.md and docs/threatmanager/3.0/administration/investigations/options/subscription.md (and 3.1 equivalents)

• Clarity — export.md Line 80 (3.0) / Line 81 (3.1) and subscription.md Line 16 (both versions): This option requires a shared folder to be configured.If this requirement isn't met, ... / ... an email server to be configured.If this requirement isn't met, ... Missing space after the period in all four locations. Suggested fix: insert a space before If.

docs/threatmanager/3.1/install/secure.md

• Structure — Lines 84 and 136: **Step 7 –** Restart the Web Service. and **Step 7 –** Check the Active Directory Service Log File ... Two consecutive spaces after the em-dash, breaking the consistent **Step N –** cadence used in surrounding steps. Suggested fix: collapse to a single space.

docs/threatmanager/3.1/administration/configuration/threatdetection/threatconfiguration.md

• Clarity — Line 142: **Step 7 –** Click Saveto save the exclusion details. Click **Cancel** to close the modal and ... Missing space between Save and to, and Save should be in bold to match the formatting convention used for UI elements elsewhere in the same file. Suggested fix: Click **Save** to save the exclusion details.

docs/threatmanager/3.0/install/application.md (and 3.1 equivalent)

• Clarity — Line 36 (3.0) / Line 38 (3.1) and database.md Line 35 (3.0): Read the End User License Agreement and select the I accept the license agreement checkbox. Wrapping the UI label in code-style backticks here is inconsistent with how other UI labels in the same file (Next, Browse, Test, OK) are styled with bold. Suggested fix: select the **I accept the license agreement** checkbox for consistency. Per Netwrix style, use bold for UI element names; reserve backticks for paths, commands, or literal code.

docs/threatmanager/3.0/threats/activedirectory.md vs docs/threatmanager/3.1/threats/activedirectory.md

• Consistency — Line 17: 3.0 retains 'Don't require Kerberos pre-authentication' (single straight quotes around the property name) while 3.1 uses "Don't require Kerberos pre-authentication" (double quotes). Pick one and apply it to both. Doublequotes around UI/property names are more common across this docset.

docs/threatmanager/3.0/administration/configuration/systemsettings/useraccess.md

• Clarity — Line 34: - Users & Groups – It lets you allow or deny console access and configure ... and Line 38: - Settings – It lets you customize the user login page ... The pronoun It after an em-dash creates a run-on feel for a definition list item. Suggested fix: drop It and start the description with the verb: - Users & Groups – Lets you allow or deny console access ...

docs/threatmanager/3.0 and 3.1 home.md

• Clarity — Line 22 (both): Number of instances of activity that aren't necessarily threats, but should be monitored. The passive should be monitored leaves the actor implicit. Suggested fix: Number of activity instances that aren't necessarily threats but warrant monitoring.

docs/threatmanager/CLAUDE.md (new file)

• No editorial issues found. Clear, well-structured guidance.

---

Files checked with no editorial issues to flag — the remaining ~170 reviewable markdown files in this PR were screened for the issue patterns above (broken sentences, undefined acronyms, version drift, missing spaces, leaked template variables, awkward conditionals, and idioms) and came back clean. They primarily contain mechanical edits (drop-down → dropdown, Prior to → Before, contractions, removing Follow the steps to ...) that the Vale and Dale autofix passes complement well.

Summary

~50 editorial suggestions across ~30 files, most of which are concentrated in two patterns: (1) orphan fragment lines in Threat Manager 3.0 left over from the Follow the steps to ... removal, and (2) version drift between 3.0 and 3.1 where the same content was edited differently. Vale and Dale issues are auto-fixed separately.

---

What to do next:

Comment @claude on this PR followed by your instructions to get help:

• @claude fix all issues — fix all editorial issues
• @claude fix the orphan fragment lines in 3.0 — target the most common pattern
• @claude help improve the flow of this document — get writing assistance
• @claude explain the voice issues — understand why something was flagged

You can ask Claude anything about the review or about Netwrix writing standards.

Automated fixes are only available for branches in this repository, not forks.

[github-actions]

Auto-Fix Summary

8 issues fixed, 13 skipped across 198 files

Category	Fixes
OxfordComma (rewrite)	1
Dale: minimizing-difficulty	3
Dale: wordiness	4

Skipped (needs manual review)	Reason

| docs/threatmanager/3.0/install/secure.md:172 — Dale: exclamatory-sentences | 'Success!' is quoted program output, not an authored exclamatory sentence |
| docs/threatmanager/3.0/install/actionservice.md:69 — Dale: exclamatory-sentences | 'Success!' is quoted program output, not an authored exclamatory sentence |
| docs/threatmanager/3.1/install/secure.md:171 — Dale: exclamatory-sentences | 'Success!' is quoted program output, not an authored exclamatory sentence |
| docs/threatmanager/3.1/install/actionservice.md:70 — Dale: exclamatory-sentences | 'Success!' is quoted program output, not an authored exclamatory sentence |
| docs/threatmanager/3.0/administration/configuration/systemsettings/licensing.md:22 — Dale: misplaced-modifiers | 'displays, located just below the navigation header' is awkward but unambiguous; rewrite would change UI layout description and tone |
| docs/threatmanager/3.1/administration/configuration/systemsettings/licensing.md:22 — Dale: misplaced-modifiers | Same as 3.0 version — awkward but unambiguous UI description |
| docs/threatmanager/3.1/index.md:27 — Dale: negative-assumptions | Marketing intro framing ('Organizations find it impossible') — rewriting would significantly change tone of marketing copy |
| docs/threatmanager/3.0/administration/threats/threatdetails/overview.md:115 — Dale: passive-voice | 'was prevented by a security measure' — actor is meaningful and passive describes a state outcome; rewrite could change emphasis |
| docs/threatmanager/3.0/administration/playbooks/action/thirdparty.md:130 — Dale: passive-voice | 'Webhooks are used by a...' — describes typical use case where actor is meaningful; safe rewrite ambiguous |
| docs/threatmanager/3.0/install/application.md:85 — Dale: passive-voice | 'both components have been installed' — state-of-completion phrasing in step instructions; rewrite could shift step semantics |
| docs/threatmanager/3.1/install/upgrade/upgrade.md:26 — Dale: passive-voice | 'it is recommended to upgrade' in a note block — common note phrasing; alternative ('Netwrix recommends') changes tone |
| docs/threatmanager/3.0/index.md:16 — Dale: wordiness | 'a wide variety of SIEM platforms' — phrase intentionally emphasizes breadth; replacing with 'many' loses meaning |
| docs/threatmanager/3.0/threats/activedirectory.md:50 — Dale: wordiness | 'more privileges than they actually have' — 'actually' provides meaningful contrast between forged and real privileges |

Ask @claude on this PR if you'd like an explanation of any fix.