Netwrix Threat Manager 3.2 GA docs

[nwx-david-wolff]

No description provided.

[github-actions]

Documentation PR Review

This PR adds new Threat Manager 3.2 documentation (~100 new markdown files) and applies small fixes to 3.0/3.1 ports.md. Findings below focus on Structure, Clarity, and Completeness issues that Vale/Dale won't catch.

Cross-cutting concerns (apply to many 3.2 files)

• Stale image paths. Virtually every new 3.2 doc references images at /images/threatmanager/3.0/... (and a smaller number at /images/threatprevention/7.5/... or /images/activitymonitor/8.0/...). Examples are too many to list per-file — flag a one-time audit to decide whether image reuse is intentional or whether 3.2-specific assets are needed. UI elements like the Entra ID portal and PostgreSQL setup screens likely differ in 3.2.
• Misspelled directory intsall/ — static/images/threatmanager/3.2/intsall/upgrade/*.webp is misspelled (should be install/). Files in install/upgrade/upgrade3.2.md reference this typo path (lines 9267, 9271, 9275, 9302, 9306, 9311, 9319, 9334, 9340, 9344). Rename the static folder and update references.
• In-page references treated as separate topics. Many files say "See the X topic" when X is an H2/H3 section on the same page (e.g., "Domain Configuration Tab topic," "Edit Profile topic," "Sync History Tab topic"). Replace with anchor links or "section below."
• .NET version inconsistency. install/overview.md (line 8887–8889) requires .NET 10; requirements/actionservice.md, requirements/database.md, and requirements/server.md all say .NET 8.0.11. Reconcile.
• PostgreSQL versioning gap. Requirements docs only mention PostgreSQL 14; install supports both 14 and 18. Update Requirements to mention both.
• Procedure step numbering bugs. Multiple files have procedure sections that don't reset to Step 1 — they continue numbering from the previous procedure. Real bugs, listed per file below.

---

Editorial Review

docs/threatmanager/3.0/requirements/ports.md and docs/threatmanager/3.1/requirements/ports.md

• Clarity — Lines 18, 20 (3.0) and 84, 86 (3.1): "agent host(s)" and "Console Host(s)" use the (s) parenthetical instead of plain plurals. The prior "agent hosts"/"Console hosts" was clearer. Suggested fix: revert to plural form "agent hosts" / "Console hosts."
• Completeness — Lines 22–31 (3.0) and 74–83 (3.1): The entire "Application Services Firewall Rules" section (TCP 55555/55556/55557 plus dynamically configured port) was removed. If those ports are no longer required, fine — but if they are still in use, this is a regression. Confirm and document the rationale.
• Completeness — Line 49 (3.0) and 103 (3.1): Removed TCP 636 SSL LDAP. 3.0 already had TCP 9389 so the removal is net negative; 3.1 swaps in TCP 9389. The two versions are now inconsistent. If LDAPS support was dropped, document why.

docs/threatmanager/3.2/administration/configuration/integrations/activedirectorysync.md

• Structure — Line 263 (Step 7): "Active Directory Sync Policy Details" begins at Step 7 instead of Step 1. Numbering continues from the prior procedure. Suggested fix: renumber to Step 1.
• Clarity — Lines 283–284: References "Domain Configuration Tab topic" and "Sync History Tab topic" — both are H3 sections on this same page. Suggested fix: use anchor links.
• Completeness — Line 365: "Modify" procedure Step 1 lists policies but never tells the reader to select one before Step 2 ("The Domain Configuration tab opens"). Suggested fix: insert a "Select the desired domain" step.

docs/threatmanager/3.2/administration/configuration/integrations/apptoken.md

• Clarity — Line 420: Two adjacent sentences start "An app token is used by..." with different purposes. Suggested fix: combine into one sentence that differentiates Activity Monitor and Access Analyzer use cases.

docs/threatmanager/3.2/administration/configuration/integrations/credentialprofile.md

• Clarity — Line 559: References "Edit Profile topic" etc. — same in-page anchor issue.
• Clarity — Line 626: "Credential stacking is when you add multiple credentials to a single profile" — defines the term after already using it. Lead with the definition.

docs/threatmanager/3.2/administration/configuration/integrations/entraidsync.md

• Structure — Lines 857, 884: "Tenant Configuration Tab" and "Sync History Tab" are H2; should be H3 under "Entra ID Sync Policy Details" (parallel to the AD sync page).
• Clarity — Line 848: "Delete Domain window" — should be "Delete Tenant window" (leaked from AD sync page).
• Clarity — Line 935: "force the next sync to run a full scan of the domain" — should be "tenant" in Entra ID context.

docs/threatmanager/3.2/administration/configuration/integrations/foldersettings.md

• Completeness — Line 1041: "Add a Shared Folder" ends after Step 5 ("Click Add") with no statement about where the new entry appears or how to verify success.

docs/threatmanager/3.2/administration/configuration/integrations/netwrixintegrations.md

• Structure — Line 1140: "Netwrix Integration Details" procedure starts at Step 6 instead of Step 1. Renumber.
• Clarity — Line 1157: "Delete Stealthbits Integration window" — stale product naming. Confirm vs. current UI and update.
• Clarity — Line 1244: "modify the Credential Profile for a domain" — should be "for an integration."

docs/threatmanager/3.2/administration/configuration/integrations/overview.md

• Structure — Line 1300: The Overview page description appears at the bottom after the navigation list. Move it above the list so readers know what page they're on first.

docs/threatmanager/3.2/administration/configuration/integrations/page/openid/entraidopenid.md

• Completeness — Line 1356: "Full Netwrix Threat Manager version 3.0.473+ or RO 3.0.90+" — version floor likely stale for a 3.2 doc, and "RO" is undefined.
• Clarity — Line 1380: Placeholder uses "MyProduct" — replace with a Threat Manager–specific example.
• Clarity — Line 1476: Heading reads "Users/Group Tab" — should be "Users/Groups Tab" to match the other auth-provider pages.

docs/threatmanager/3.2/administration/configuration/integrations/page/page.md

• Clarity — Line 1650: Refers to a "Credential Profile drop-down" — should be "Authentication Provider drop-down." Real bug.

docs/threatmanager/3.2/administration/configuration/integrations/page/saml.md

• Structure — Line 1837: Prerequisites appear as bolded inline text rather than a heading, breaking the overview→prerequisites→procedures order.

docs/threatmanager/3.2/administration/configuration/integrations/siem.md

• Completeness — Line 1918 (Step 1): No gear-icon navigation step (other Integrations files include one).
• Clarity — Line 2074: "Click Send Test Message to send a test email" — SIEM is not email-based; should be "test syslog message."

docs/threatmanager/3.2/administration/configuration/integrations/tagmanagement.md

• Structure — Line 2159: "Tag Details Page" procedure starts at Step 6. Renumber to Step 1.
• Clarity — Lines 2162, 2210, 2233: "Tag Managemetn" typo (three places).
• Clarity — Line 2222: "Click the arrow ()" — empty parentheses where the arrow glyph belongs.

docs/threatmanager/3.2/administration/configuration/policies/honeytoken.md

• Structure — Lines 2357 (Step 4), 2391 (Step 9): Procedure sections continue numbering from previous procedures instead of restarting at Step 1.
• Clarity — Line 2385: ":::note LDAP Monitoring is not enabled, it must be enabled in the Monitored Domains tab. :::" — sentence fragment / ambiguous. Suggested fix: "If LDAP Monitoring is not enabled, enable it on the Monitored Domains tab."
• Completeness — Line 2316: Opens by referring to "Honeytoken threats" without defining what a Honeytoken is (definition is over in policies/overview.md). Add a one-line definition.

docs/threatmanager/3.2/administration/configuration/policies/policiesconfiguration.md

• Clarity — Lines 2515–2520: "Tabs" list omits "Deployment Status Window," which has its own H2 later. Either include it or merge under the Deployment tab.

docs/threatmanager/3.2/administration/configuration/systemhealth/agents.md

• Completeness — Lines 2750–2754: Mentions Decommission and offline mode but doesn't explain whether/how a decommissioned agent rejoins.

docs/threatmanager/3.2/administration/configuration/systemsettings/licensing.md

• Structure — Lines 2971–2977: Step 1 says clicking Browse opens the "Add New Integration window" — likely should be a File Explorer (Step 2 references one). Verify.

docs/threatmanager/3.2/administration/configuration/systemsettings/useraccess.md

• Completeness — Lines 3200–3244: Roles list uses different formatting for different roles ("Response Managers" lacks the bulleted sub-list that "Report Administrator" has). Apply parallel structure.
• Clarity — Lines 3220, 3231–3232, 3242, 3223: "Playgroups" should be "Playbooks"; "exiting" should be "existing."
• Clarity — Line 3324: Step says "click the gear icon" but the column description (line 3193) calls this the Change Password icon. Reconcile.

docs/threatmanager/3.2/administration/configuration/threatdetection/threatconfiguration.md

• Structure — Lines 3400, 3473, 3533: Page goes H1 → H3 with no H2 between. Add an H2 parent or promote H3 tab sections to H2.

docs/threatmanager/3.2/administration/configuration/threatdetection/threatdetection.md

• Structure — Line 3592: The Threats list ends with "Threat Detection Page" as a bullet — looks like a placeholder / accidental duplicate of the page title. Remove or replace with the intended link.

docs/threatmanager/3.2/administration/home.md

• Clarity — Line 3758: "The bar graph displays the number of active users in 1-hour increments." appears for both Active Users and Active Hosts (copy-paste error in the Active Hosts bullet).
• Clarity — Line 3760: "the past 24 in 1-hour increments" — missing "hours."

docs/threatmanager/3.2/administration/investigations/auditcompliance.md

• Clarity — Line 3819: "The Audit and Compliance page in the Investigations interface list of saved…" — missing verb. Suggested fix: "...interface provides a list of..."

docs/threatmanager/3.2/administration/investigations/newinvestigation.md

• Completeness — Line 3982: Note restricts Save to "Administrator or Response Managers," but useraccess.md shows Administrator and Report Administrator also have create/edit access. Reconcile.

docs/threatmanager/3.2/administration/investigations/options/export.md

• Structure — Line 4191: Section heading is "Scheduled Export" but procedure references "Schedule export" window. Standardize capitalization.

docs/threatmanager/3.2/administration/investigations/options/filters.md

• Completeness — Lines 4276–4279: References "Timeframe topic," "Filter Attribute Menu topic," etc. as if separate pages, but they're H2 sections on the same page. Use anchor links.

docs/threatmanager/3.2/administration/investigations/options/subscription.md

• Clarity — Line 4629: "This field opens a calender" — should be "calendar." Step 5 Time row reads "type a date in the field" but it's a Time field — should read "time."

docs/threatmanager/3.2/administration/investigations/predefinedinvestigations.md

• Completeness — Lines 4760–4762: "Applications Folder" table has two rows titled "Applications Deleted" and all three descriptions reference "Application is added." Looks like copy-paste error across add/delete/update operations.
• Clarity — Lines 4798–4815: "iNetOrgPeson" should be "iNetOrgPerson"; "Memeber" should be "Member."

docs/threatmanager/3.2/administration/investigations/reports.md

• Clarity — Lines 4848–4854: Refers to "Events Details Section topic" etc. — these are H2 sections on the page. Use anchor links.
• Clarity — Line 4913: "Click the arrow ()" — empty parentheses where the icon should be.

docs/threatmanager/3.2/administration/overview.md

• Clarity — Line 5099: "Help – Accesses help" — circular. Suggested fix: "Help – Opens the Threat Manager documentation."

docs/threatmanager/3.2/administration/playbooks/action/entraid.md

• Structure — Section order interleaves lifecycle actions oddly ("Flag Compromised" appears between Group Membership and Disable). Consider lifecycle ordering (Disable → Reset Password → Flag → Group Membership) or alphabetical.

docs/threatmanager/3.2/administration/playbooks/action/localhost.md

• Clarity — Lines 5453–5455: PowerShell example mixes bold text and backticks; not a fenced code block. Suggested fix: use a fenced ```powershell block.
• Completeness — Lines 5459–5465: "Send Email" section lists no sender / credential. Confirm config inheritance and add a pointer.

docs/threatmanager/3.2/administration/playbooks/action/tag.md

• Structure — Lines 5557, 5568: Headings use H3 while sibling action pages use H2.
• Clarity — Lines 5574–5578: "Manage Blocking Policy" describes "Users – The users to have their RDP Session ended." Copy-paste error from End User Session.

docs/threatmanager/3.2/administration/playbooks/action/windowsfileserver.md

• Completeness — Lines 5750–5759: "Delete File" lists only Credential. Likely missing File / Target inputs.

docs/threatmanager/3.2/administration/playbooks/overview.md

• Structure — Lines 6131, 6133: "Logs Tab" and "Step Details Tab" are H2 — should be H3 nested under "Action Log Window."

docs/threatmanager/3.2/administration/serviceaccounts.md

• Clarity — Line 6236: "dMSA, gMSA, and sMSA — Group / Delegated / Standalone Managed Service Account" — order doesn't match the abbreviations, and lines 6273–6276 later define dMSA as "Domain Managed Service Account" instead. Reconcile.
• Completeness — Lines 6286–6291: Password Age icon table mentions 180+ band only; missing icons/tooltips for 0–89 and 90–179.

docs/threatmanager/3.2/administration/threats/activedirectoryobjects/group.md

• Clarity — Line 6510: "The Membership tab…" — section is the Members tab. Reconcile.
• Completeness — Lines 6512–6516: "All Members" sub-row claims it has "Domain Admins, Domain Guests" tables. Those are specific groups, not generic "All Members" categories. Looks like screenshot description leakage.

docs/threatmanager/3.2/administration/threats/entraidobjects/entraidapplication.md

• Clarity — Lines 6816, 7254: "Tags - The tags associated with the group Image" — trailing "Image" looks like a stray caption.
• Structure — Lines 6823–6825: Same image inserted twice; one should be the active assignments image.
• Clarity — Line 6829: "Eligible Assignments – Lists the roles that the user is eligible for" — should say "application" not "user" on the Application Details Page.

docs/threatmanager/3.2/administration/threats/entraidobjects/entraidgroup.md

• Clarity — Line 6896: "The Threats tab for a user displays…" — this is the Group Details page; should reference "the group."
• Clarity — Line 6936: "[Group Details Page] topic for additional information" — unlinked bracketed text. Add the link URL.

docs/threatmanager/3.2/administration/threats/threatdetails/overview.md

• Clarity — Line 7394: "designate the playbook to response to the threat" — should be "respond."
• Structure — Line 7436: Last paragraph about "Threat Activity Diagram" lives inside the Workflow Window section. Move under the Threat Activity diagram description (~line 7378).

docs/threatmanager/3.2/administration/threats/threats.md

• Structure — Lines 7635–7665: "Host," "User," "Status," "Assignee" are bolded paragraphs, while sibling "Type," "Level," "Tags" are H3. Convert to H3 for parallel structure.

docs/threatmanager/3.2/administration/troubleshooting/log.md

• Clarity — Line 7743: Path references legacy "Stealthbits/StealthDEFEND" branding. Confirm the 3.2 path or update.
• Completeness — Section doesn't explain how to change logging level (referenced in intro at 7738).

docs/threatmanager/3.2/index.md

• Clarity — Line 7941–7942: "integrate with you own business processes" — should be "your."
• Completeness — "Supported Platforms" doesn't include Certificate Services or Custom Threats, both of which have docs in this PR.

docs/threatmanager/3.2/install/actionservice.md

• Completeness — Line 8056: <StealthDEFENDDirectory> placeholder used without first telling the reader what to substitute.

docs/threatmanager/3.2/install/database.md

• Structure — Lines 8266, 8271, 8280: Image paths point to /images/activitymonitor/8.0/… and /images/threatprevention/7.5/… (wrong products).
• Clarity — Lines 8275–8276: "PostgresSQL14" misspelled — should be "PostgreSQL 14."

docs/threatmanager/3.2/install/firstlaunch/firstlaunch.md

• Clarity — Lines 8391, 8393, 8395: "Bultin," "buildtin," "built-in" — inconsistent. Standardize on "built-in."
• Completeness — Step at line 8400: "Register the MFA authenticator. The Register Authenticator prompt will provide instructions…" — doesn't tell the user what concrete action to take (scan QR? enter secret?).

docs/threatmanager/3.2/install/firstlaunch/login.md

• Clarity — Line 8431: Mentions "default credentials" but the user just set their own password in the previous step. Reword.

docs/threatmanager/3.2/install/integration/accessanalyzer.md

• Structure — Line 8464: Missing sidebar_position frontmatter (other integration files have one).
• Clarity — Line 8503: "Click the +Add button" — other docs use Add with bold. Standardize.

docs/threatmanager/3.2/install/integration/threatprevention/threatmanagerconfiguration.md

• Clarity — Lines 8708–8711: Continuation paragraph under "State" runs into the next bullet without a break. Split into a sub-bullet or admonition.

docs/threatmanager/3.2/install/overview.md

• Completeness — Line 8864: "PostgreSQL 14 will become End-of-Life on November, 2026" — upgrade_pg14_to_pg18.md says November 12, 2026. Reconcile.

docs/threatmanager/3.2/install/upgrade/upgrade.md

• Completeness — No backup warning before the upgrade procedure. Add a :::warning recommending a database backup.
• Structure — "Stop services" appears in upgrade.md but neither upgrade3.2.md nor upgrade_pg14_to_pg18.md references it. Cross-reference, and document the service restart step in the upgrade procedures.

docs/threatmanager/3.2/install/upgrade/upgrade3.2.md

• Structure (bug) — All image paths use the misspelled intsall/ directory (lines 9267, 9271, 9275, 9302, 9306, 9311, 9319, 9334, 9340, 9344). Rename and update.
• Structure (bug) — Steps 2 and 3 (lines 9269, 9273) are duplicates — both say "Click PostgreSQL Setup…" Remove the duplicate.
• Completeness — No prerequisite block (backup, stopped services) — add before Step 1.
• Clarity — Lines 9289–9291: PostgreSQL14 directory bullets fall outside the :::note block because the closing ::: is on line 9288. Move closing ::: after the bullets.
• Completeness — Step 8 mentions "AD and Entra PowerShell modules" with no prior context. Add a one-line explanation.

docs/threatmanager/3.2/install/upgrade/upgrade_pg14_to_pg18.md

• Completeness — No prerequisite section. Move free-disk-space / backup / services-stop / expected-downtime ahead of the procedure (currently buried in the FAQ).
• Clarity — Lines 9398, 9410: "Run PostgreSQL 14 Setup" / "Run Netwrix Threat Manager Setup" — those are button labels, not commands. Rephrase to "On the Netwrix Setup Launcher, click …."
• Clarity — Line 9440: "You will see this warning, it is safe to Install Again" — references the warning before showing the image; comma splice.
• Completeness — Step 4 lists "PG Tools Directory" with no default value guidance.
• Structure — FAQ at line 9567+ mixes prerequisites (disk space) with troubleshooting. Promote disk-space guidance.
• Clarity — Lines 9622–9625: "Reduce Source Database Size" paragraph appears without its own Q&A header. Prefix with a question.
• Clarity — Lines 9636–9640, 9652–9656: Admonition indented inside numbered list — verify rendering in Docusaurus.

docs/threatmanager/3.2/requirements/permissions/adsync.md

• Structure — Lines 9886–9887: "See the [Entra ID Sync Page]" link in a doc about Active Directory permissions. Wrong link target — should be the Active Directory Sync Page.

docs/threatmanager/3.2/requirements/permissions/entraidsync.md

• Structure — Lines 9914–9918: Mirror bug — link target is the Active Directory Sync Page in an Entra ID doc.

docs/threatmanager/3.2/requirements/ports.md

• Completeness — Line 9998: Database row Direction is "Outbound" but description reads "from the PostgreSQL to the Threat Manager server" — that's inbound to the server. Direction and description are inconsistent.
• Completeness — Note that during the PG14→PG18 migration both 5435 and 5439 are active simultaneously.

docs/threatmanager/3.2/requirements/server.md

• Completeness — Lists "ESX 4.0 / ESXi™ 4.1 or higher" — versions from 2009/2010. Verify current minimum.

docs/threatmanager/3.2/threats/activedirectory.md

• Clarity — Line 10184: "The following threats are monitored for Active Directory. definition of each threat is given below." — second sentence starts lowercase and is missing an article. Suggested fix: "A definition of each threat is given below."
• Structure — Most threats use paragraph format, but "Forged Ticket" (line 10225) uses a Definition:/Trigger: format. Standardize.

docs/threatmanager/3.2/threats/certificateservices.md

• Structure — Certificate Services threats are not referenced from index.md or threats/overview.md. Add to both.

docs/threatmanager/3.2/threats/custom.md

• Clarity — [idiom] Line 10379: "In additional to pre-configured threats" — should be "In addition to" (idiom mis-spelled).
• Completeness — Line 10446: "Group By Perpetrator" toggle — would benefit from an example showing how grouping changes outcomes.

docs/threatmanager/3.2/threats/entraid.md

• Clarity — Line 10516: Heading "New Applicaton Credentials" misspelled.
• Clarity — Line 10527: Section heading is "Sensitive Role Changes" (plural) but body says "Sensitive Role Change is assigning a privilege role." Reconcile.
• Clarity — Line 10513: "logs in from a New York city" — extra "a."

docs/threatmanager/3.2/threats/general.md

• Structure — Line 10616: Heading "Abnormal User Behavior" doesn't match the threat-table title "Abnormal Behavior."
• Completeness — Line 10620: Trigger column is one long inline list — reformat as a sub-list.

docs/threatmanager/3.2/threats/overview.md

• Completeness — Lists 5 threat categories but omits Certificate Services Threats (which has its own page).

Summary

~120 editorial suggestions across ~60 files. The most impactful items: misspelled intsall/ image directory, procedure step-numbering bugs in several procedures, the useraccess.md "Playgroups"/"exiting" typos and inconsistent role formatting, the duplicated Step 2/3 in upgrade3.2.md, mismatched permission links between adsync.md and entraidsync.md, and the .NET version mismatch across install/requirements docs. Vale and Dale issues are auto-fixed separately.

---

What to do next:

Comment @claude on this PR followed by your instructions to get help:

• @claude fix all issues — fix all editorial issues
• @claude help improve the flow of this document — get writing assistance
• @claude explain the voice issues — understand why something was flagged

You can ask Claude anything about the review or about Netwrix writing standards.

Automated fixes are only available for branches in this repository, not forks.

[github-actions]

Auto-Fix Summary

572 issues fixed, 23 skipped across 114 files

Category	Fixes
Contractions	80
Plurals	21
Removed filler	25
Spacing	3
Substitutions	173
AllowsYouTo (rewrite)	16
CanBeUsedTo (rewrite)	11
CarriedOut (rewrite)	1
DesiredAsAdjective (rewrite)	39
Dropdown (rewrite)	2
FirstPerson (rewrite)	6
FirstPersonPlural (rewrite)	1
FollowTheStepsTo (rewrite)	69
FormalHedging (rewrite)	13
Idioms (rewrite)	16
ImpersonalFiller (rewrite)	1
NoteThat (rewrite)	1
OnceUsage (rewrite)	6
OxfordComma (rewrite)	9
Please (rewrite)	1
Repetition (rewrite)	6
TypeVsEnter (rewrite)	4
WeakLinkText (rewrite)	1
WhetherOrNot (rewrite)	9
Dale: idioms	2
Dale: minimizing-difficulty	2
Dale: passive-voice	43
Dale: positional-references	7
Dale: wordiness	4

Skipped (needs manual review)	Reason
docs/threatmanager/3.2/administration/serviceaccounts.md:61 — Netwrix.Contractions	'Not vulnerable' is a UI/status label in this context (account is Not vulnerable); changing to 'isn't' would lose the labelled status
docs/threatmanager/3.2/install/application.md:38 — Netwrix.FirstPerson	'I accept the license agreement' is the literal UI checkbox label - changing it would not match the UI
docs/threatmanager/3.2/install/database.md:37 — Netwrix.FirstPerson	'I accept the license agreement' is the literal UI checkbox label - changing it would not match the UI
docs/threatmanager/3.2/install/upgrade/upgrade3.2.md:37 — Netwrix.FirstPerson	'I accept the license agreement' is the literal UI checkbox label - changing it would not match the UI
docs/threatmanager/3.2/requirements/actionservice.md:25 — Netwrix.FirstPersonPlural	'US' refers to United States in 'US English language installation' - false positive of rule looking for 'us'
docs/threatmanager/3.2/requirements/database.md:23 — Netwrix.FirstPersonPlural	'US' refers to United States in 'US English language installation' - false positive of rule looking for 'us'
docs/threatmanager/3.2/requirements/server.md:24 — Netwrix.FirstPersonPlural	'US' refers to United States in 'US English language installation' - false positive of rule looking for 'us'
docs/threatmanager/3.2/requirements/ports.md:17 — Dale: passive-voice	'firewall settings are required' is conventional for system requirements documentation; rewriting risks meaning change
docs/threatmanager/3.0/requirements/ports.md:17 — Dale: passive-voice	'firewall settings are required' is conventional for system requirements documentation
docs/threatmanager/3.1/requirements/ports.md:17 — Dale: passive-voice	'firewall settings are required' is conventional for system requirements documentation
docs/threatmanager/3.2/administration/threats/threats.md:31 — Dale: positional-references	'below the Historical Events section' is a UI position description (actual screen layout), not a content cross-reference
docs/threatmanager/3.2/administration/threats/threats.md:48 — Dale: positional-references	'below Historical Events' is a UI position description
docs/threatmanager/3.2/administration/threats/activedirectoryobjects/user.md:38 — Dale: positional-references	'below the chart' is a UI position description
docs/threatmanager/3.2/administration/configuration/systemsettings/licensing.md:22 — Dale: positional-references	'just below the navigation header' describes actual screen position of alert banner
docs/threatmanager/3.2/administration/configuration/systemhealth/agents.md:20 — Dale: positional-references	'just below the navigation header' describes actual screen position of alert banner
docs/threatmanager/3.2/install/database.md:63 — Dale: minimizing-difficulty	'PostgreSQL can easily be starved' describes a system susceptibility, not minimizing user task difficulty
docs/threatmanager/3.2/administration/configuration/policies/honeytoken.md:79 — Dale: xy-slop	'LDAP Monitoring isn't enabled, it must be enabled' is ambiguous — could mean 'by default it isn't enabled' or 'if it isn't enabled, enable it'
docs/threatmanager/3.2/threats/general.md:22 — Dale: passive-voice	Table cell example descriptions; conventional and rewriting would harm readability
docs/threatmanager/3.2/threats/filesystem.md:25 — Dale: passive-voice	'will be detected as a threat' is a system behavior description
docs/threatmanager/3.2/administration/configuration/integrations/activedirectorysync.md:87 — Dale: passive-voice	'is established' is part of an established phrase for connection states
docs/threatmanager/3.2/administration/configuration/integrations/netwrixintegrations.md:68 — Dale: passive-voice	'shouldn't be modified' is borderline; rewriting risks changing the tone of a warning
docs/threatmanager/3.2/administration/configuration/integrations/credentialprofile.md:145 — Dale: passive-voice	'these credentials will be enumerated' describes system behavior in a process explanation
docs/threatmanager/3.2/administration/threats/threats.md:113 — Dale: passive-voice	Status descriptions like 'Threats that are under or pending investigation' are conventional state descriptions

Ask @claude on this PR if you'd like an explanation of any fix.