0% found this document useful (0 votes)

519 views72 pages

Netwrix Auditor: Integration API Guide

Uploaded by

cleberafs

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

0% found this document useful (0 votes)

519 views72 pages

Netwrix Auditor: Integration API Guide

Uploaded by

cleberafs

We take content rights seriously. If you suspect this is your content, claim it here.

Available Formats

Download as PDF, TXT or read online on Scribd

You are on page 1/ 72

Netwrix Auditor

Integration API Guide

Version: 9.8
5/14/2019
Legal Notice

The information in this publication is furnished for information use only, and does not constitute a
commitment from Netwrix Corporation of any features or functions, as this publication may describe
features or functionality not applicable to the product release or version you are using. Netwrix makes no
representations or warranties about the Software beyond what is provided in the License Agreement.
Netwrix Corporation assumes no responsibility or liability for the accuracy of the information presented,
which is subject to change without notice. If you believe there is an error in this publication, please report
it to us in writing.

Netwrix is a registered trademark of Netwrix Corporation. The Netwrix logo and all other Netwrix product
or service names and slogans are registered trademarks or trademarks of Netwrix Corporation. Microsoft,
Active Directory, Exchange, Exchange Online, Office 365, SharePoint, SQL Server, Windows, and Windows
Server are either registered trademarks or trademarks of Microsoft Corporation in the United States
and/or other countries. All other trademarks and registered trademarks are property of their respective
owners.

Disclaimers

This document may contain information regarding the use and installation of non-Netwrix products.
Please note that this information is provided as a courtesy to assist you. While Netwrix tries to ensure
that this information accurately reflects the information provided by the supplier, please refer to the
materials provided with any non-Netwrix product and contact the supplier for confirmation. Netwrix
Corporation assumes no responsibility or liability for incorrect or incomplete information provided about
non-Netwrix products.

© 2019 Netwrix Corporation.

All rights reserved.

2/72
Table of Contents
1. Introduction 5

1.1. Netwrix Auditor Overview 5

1.2. How It Works 6

1.2.1. Workflow Stages 7

2. Netwrix Auditor Integration API Overview 8

3. Prerequisites 10

3.1. Configure Integration API Settings 10

3.2. Configure Audit Database Settings 11

4. API Endpoints 12

5. Authentication 13

5.1. Account Permissions 13

6. Retrieve Activity Records 14

6.1. Endpoint 14

6.2. Request Parameters 14

6.3. Response 14

6.4. Usage Example—Retrieve All Activity Records 15

7. Search Activity Records 18

7.1. Endpoint 18

7.2. Request Parameters 18

7.3. Response 19

7.4. Usage Example—Retrieve All Activity Records Matching Search Criteria 19

8. Write Activity Records 23

8.1. Endpoint 23

8.2. Request Parameters 23

8.3. Response 24

8.4. Usage Example—Write Data 24

9. Post Data 27

9.1. Continuation Mark 27

3/72
9.1.1. Schema 28

9.1.2. Example 28

9.2. Search Parameters 30

9.2.1. Schema 31

9.2.2. Example 32

9.2.3. Reference for Creating Search Parameters File 32

9.2.3.1. Filters 41

9.2.3.2. Operators 45

9.3. Activity Records 46

9.3.1. Schema 48

9.3.2. Example 48

9.3.3. Reference for Creating Activity Records 49

10. Response Status Codes 53

10.1. Error Details 54

11. Add-Ons 58

11.1. Available Add-Ons 58

11.2. Use Add-Ons 60

12. IIS Forwarding 62

12.1. Configure IIS Forwarding 62

12.2. Usage Example—Forward Requests 65

13. Security 68

14. Compatibility Notice 71

Index 72

4/72
Netwrix Auditor Integration API Guide

1. Introduction

1. Introduction
Looking for online version? Check out Netwrix Auditor help center.

This guide is intended for developers and provides instructions on how to use Netwrix Auditor Integration
API. It suggests ideas for leveraging Netwrix Auditor audit data with third–party SIEM solutions, explains
how to feed data from custom audit sources to the AuditArchive.

NOTE: Netwrix warns that Netwrix Auditor Integration API should be used by developers who have prior
experience with RESTful architecture and solid understanding of HTTP protocol. Technology and
tools overview is outside the scope of the current guide.

1.1. Netwrix Auditor Overview

Netwrix Auditor is a visibility platform for user behavior analysis and risk mitigation that enables control
over changes, configurations and access in hybrid IT environments to protect data regardless of its
location. The platform provides security analytics to detect anomalies in user behavior and investigate
threat patterns before a data breach occurs.

Netwrix Auditor includes applications for Active Directory, Azure AD, Exchange, Office 365, Windows file
servers, EMC storage devices, NetApp filer appliances, network devices, SharePoint, Oracle Database, SQL
Server, VMware, Windows Server, and User Activity. Empowered with a RESTful API, the platform delivers
visibility and control across all of your on-premises or cloud-based IT systems in a unified way.

Major benefits:

l Detect insider threats—on premises and in the cloud

l Pass compliance audits with less effort and expense

l Increase productivity of IT security and operations teams

To learn how Netwrix Auditor can help your achieve your specific business objectives, refer to Netwrix
Auditor Best Practices Guide.

5/72
Netwrix Auditor Integration API Guide

1. Introduction

1.2. How It Works

Netwrix Auditor delivers comprehensive auditing of a broad range of systems, applications and storage
systems. Its RESTful API simplifies integration with other applications and systems that are not yet
supported out of the box. Netwrix Auditor architecture and components interactions are shown in the
figure below.

Netwrix Auditor Server — the central component that handles the collection, transfer and processing of
audit data from the various data sources (audited systems).

Integration API — a RESTful API that enables you to collect data and analyze data from data sources not
yet supported out of the box, as well as to send data from Netwrix Auditor to systems such as your SIEM
solution.

Data sources — entities that represent the types of audited systems supported by Netwrix Auditor (for
example, Active Directory, Exchange Online, NetApp filer, and so on), or the areas you are interested in (for
example, Group Policy, User Activity, and so on).

Long-Term Archive — a file-based repository storage keeps the audit data collected from all your data
sources or imported using Integration API in a compressed format for a long period of time. The default
retention period is 120 months.

Audit database — Microsoft SQL Server database. It is used as an operational storage intended for
browsing recent data, running search queries, generating reports and alerts. Default retention period for
this data is 180 days. Usually, data collected from the certain data source (for example, Exchange Server) is
stored to the archive and to the dedicated Audit database. Therefore, there can be as many databases as
the data sources you want to process.

Netwrix Auditor Client — a component that provides a friendly interface to authorized personnel who
can use this console UI to manage Netwrix Auditor settings, examine alerts, reports and search results.

6/72
Netwrix Auditor Integration API Guide

1. Introduction

Other users can obtain audit data by email or with 3rd party tools — for example, reports can be provided
to the management team via the intranet portal.

1.2.1. Workflow Stages

General workflow stages are as follows:

1. Authorized administrators prepare IT infrastructure and data sources they are going to audit, as
recommended in Netwrix Auditor documentation and industry best practices; they use Netwrix
Auditor client (management UI) to set up automated data processing.

2. Netwrix Auditor collects audit data from the specified data source (application, server, storage
system, and so on).

To provide a coherent picture of changes that occurred in the audited systems, Netwrix Auditor can
consolidate data from multiple independent sources (event logs, configuration snapshots, change
history records, etc.). This capability is implemented with Netwrix Auditor Server and Integration API.

NOTE: For details on custom data source processing workflow, refer to the Integration API
documentation.

3. Audit data is stored to the Audit database and the repository (Long-Term Archive) and preserved
there according to the corresponding retention settings.

4. Netwrix Auditor analyzes the incoming audit data and alerts appropriate staff about critical changes,
according to the built-in alerts you choose to use and any custom alerts you have created. Authorized
users use the Netwrix Auditor Client to view prebuilt dashboards, run predefined reports, conduct
investigations, and create custom reports based on their searches. Other users obtain the data they
need via email or third-party tools.

5. To enable historical data analysis, Netwrix Auditor can extract data from the repository and import it
to the Audit database, where it becomes available for search queries and report generation.

7/72
Netwrix Auditor Integration API Guide

2. Netwrix Auditor Integration API Overview

2. Netwrix Auditor Integration API

Overview
Netwrix Auditor Integration API—endless integration, auditing and reporting capabilities.

The Netwrix Auditor Integration API provides access to audit data collected by Netwrix Auditor through
REST API endpoints. According to the RESTful model, each operation is associated with a URL. Integration
API provides the following capabilities:

l Data in: Solidify security and meet regulatory compliance standards by enabling visibility into what is
going on in any third-party application.

l Data out : Further automate your business processes, IT security and operations workflows by
enriching third-party solutions with actionable audit data.

Netwrix Auditor Integration API operates with XML- and JSON-formatted Activity Records—minimal chunks
of audit data containing information on who changed what, when and where this change was made. XML
format is set as default.

With Integration API you can write Activity Records to the SQL Server-based Audit Database and access
audit data from remote computers. Also, Netwrix prepares add-ons—sample scripts—to help you integrate
your SIEM solutions with Netwrix Auditor.

8/72
Netwrix Auditor Integration API Guide

2. Netwrix Auditor Integration API Overview

Netwrix Auditor Integration API Service is responsible for processing API requests. This component is
installed along with Netwrix Auditor Server and is enabled automatically. By default, Netwrix Auditor
Integration API works over HTTPS protocol using an automatically generated certificate. Default
communication port is 9699 .

Netwrix does not limit you with applications that can be used with Integration API. You can write RESTful
requests using any tool or application you prefer—cURL, Telerik Fiddler, various Google Chrome or Mozilla
FireFox plug-ins, etc.

9/72
Netwrix Auditor Integration API Guide

3. Prerequisites

3. Prerequisites
3.1. Configure Integration API Settings
By default, for communication Netwrix Auditor Integration API uses HTTPS with automatically generated
certificate. Default communication port is 9699 .

NOTE: Refer to Security for detailed instructions on how to disable HTTPS and manage other API settings.

To change port

1. In the Netwrix Auditor main window, navigate to the Integration tile.

2. Make sure the Leverage Integration API option is set to "On".

3. Click Modify under the API settings section and specify a port number. Windows firewall rule will be
automatically created.

NOTE: If you use a third-party firewall, you must create a rule for inbound connections manually.

10/72
Netwrix Auditor Integration API Guide

3. Prerequisites

3.2. Configure Audit Database Settings

When you first configure the Audit Database settings in Netwrix Auditor, the product also creates several
databases for special purposes, including Netwrix_Auditor_API . This database is designed to store data
imported from the other sources using Netwrix Auditor Integration API.

Make sure the Audit Database settings are configured in Netwrix Auditor. To check or configure these
settings, navigate to Settings → Audit Database.

NOTE: You cannot use Netwrix Auditor Integration API without configuring the Audit Database.

See Netwrix Auditor Administration Guide for detailed instructions on how to configure SQL Server
settings.

11/72
Netwrix Auditor Integration API Guide

4. API Endpoints

4. API Endpoints
Method Endpoint POST Data Description

GET /netwrix/api/v1/activity_records/enum — Returns Activity Records.

See Retrieve Activity Records

for more information.

POST /netwrix/api/v1/activity_records/enum Continuation Returns next 1,000 Activity

Mark Records.

See Continuation Mark for

more information.

POST /netwrix/api/v1/activity_records/search Search Returns Activity Records

Parameters matching a criteria defined in
search parameters.

See Search Activity Records for

more information.

POST /netwrix/api/v1/activity_records/ Activity Writes data to the Audit

Records Database.

See Write Activity Records for

more information.

12/72
Netwrix Auditor Integration API Guide

5. Authentication

5. Authentication
Authentication is required for all endpoints. The following authentication methods are supported:

l NTLM—recommended

NOTE: If NTLM authentication is disabled through a group policy, you will not be able to address
Netwrix Auditor Server by its IP address.

l Negotiate

l Digest

l Basic

5.1. Account Permissions

Netwrix Auditor restricts control to its configuration and data collected by the product. Role-based access
system ensures that only relevant employees and services can access the exact amount of data they need.
To be able to retrieve activity records or supply data to the Audit Database, an account must be assigned a
role in the product. See Netwrix Auditor Administration Guide for more information about role delegation
and assignment procedure.

To... Required role

Retrieve all activity records The user must be assigned the Global administrator role in the
and write data product, or be a member of the Netwrix Auditor Administrators
group on the computer that hosts Netwrix Auditor Server.

Retrieve all activity records The user must be assigned the Global reviewer role in the product or
be a member of the Netwrix Auditor Client Users group on the
computer that hosts Netwrix Auditor Server.

Retrieve activity records The user must be assigned the Reviewer role on a monitoring plan or
within a limited scope folder with plans. In this case, Netwrix Auditor Server will retrieve only
activity records the user is allowed to review according to the scope
delegated (e.g., a scope can be limited to a single domain or file share).

Write activity records The user must be assigned the Contributor role in the product.

Review the example below to see how to authenticate in cURL:

l curl https://172.28.6.15:9699/netwrix/api/v1/activity_records/enum -u
Enterprise\NetwrixUser:NetwrixIsCool

13/72
Netwrix Auditor Integration API Guide

6. Retrieve Activity Records

6.1. Endpoint
Use to export data from the Audit Database. By default, first 1,000 Activity Records are returned. To get the
next Activity Records, send a POST request to the same endpoint containing a Continuation mark.

Method Endpoint POST Data

GET https://{host:port}/netwrix/api/v1/activity_ —
records/enum{?format=json}{&count=Number}

POST https://{host:port}/netwrix/api/v1/activity_ Continuation

records/enum{?format=json}{&count=Number} Mark

6.2. Request Parameters

Parameter Mandatory Description

host:port Yes Replace with the IP address or a name of your Netwrix Auditor Server
host and port (e.g., 172.28.6.15:9699, stationwin12:9699,
WKSWin2012.enterprise.local:9699).

NOTE: With enabled HTTPS, provide the computer name as it appears

in certificate properties.

format=json No Add this parameter to retrieve data in JSON format. Otherwise, XML-
formatted Activity Records will be returned.

count=Number No Add this parameter to define the number of Activity Records to be

exported. Replace Number with a number (e.g., &count=1500).

NOTE: Optional parameters (format and count) can be provided in any order. The first parameter must
start with ?, others are joined with &, no spaces required (e.g., ?format=json&count=1500).

6.3. Response
Request Status Response

Success The HTTP status code in the response header is 200 OK . The response body

14/72
Netwrix Auditor Integration API Guide

6. Retrieve Activity Records

Request Status Response

contains Activity Records and Continuation Mark.

HTTP/1.1 200 OK HTTP/1.1 200 OK

Server: Microsoft-HTTPAPI/2.0 Server: Microsoft-HTTPAPI/2.0
Content-Length: 311896 or Content-Length: 311896
Content-Type: application/xml Content-Type: application/json
Date: Fri, 08 Apr 2017 13:56:22 GMT Date: Fri, 08 Apr 2017 13:56:22 GMT

Error The header status code is an error code. Depending on the error code, the
response body may contain an error object. See Response Status Codes for more
information.

6.4. Usage Example—Retrieve All Activity Records

This example describes how to retrieve all Activity Records from the Audit Database.

1. Send a GET request. For example:

Format Request

XML curl https://WKSWin2012:9699/netwrix/api/v1/activity_

records/enum -u Enterprise\NetwrixUser:NetwrixIsCool

JSON curl https://WKSWin2012:9699/netwrix/api/v1/activity_

records/enum?format=json -u
Enterprise\NetwrixUser:NetwrixIsCool

2. Receive the response. Activity Records are retrieved according to the account's delegated scope.
Below is an example of a successful GET request. The status is 200 OK . For XML, a response body
contains the ActivityRecordList root element with Activity Records and a Continuation mark
inside. For JSON, a response body contains the ActivityRecordList array with Activity Records
collected in braces {} and a Continuation mark.

XML

<?xml version="1.0" standalone="yes"?>

15/72
Netwrix Auditor Integration API Guide

6. Retrieve Activity Records

<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>user</ObjectType>
<RID>20160215110503420B9451771F5964A9EAC0A5F35307EA155</RID>
<What>\local\enterprise\Users\Jason Smith</What>
<Action>Added</Action>
<When>2017-02-14T15:42:34Z</When>
<Where>EnterpriseDC1.enterprise.local</Where>
<Who>ENTERPRISE\Administrator</Who>
<Workstation>EnterpriseDC1.enterprise.local</Workstation>
</ActivityRecord>
<ActivityRecord>...</ActivityRecord>
<ActivityRecord>...</ActivityRecord>
</ActivityRecordList>

JSON

{
"ActivityRecordList": [
{
"Action": "Added",
"MonitoringPlan" : {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "AD Monitoring"
},
"DataSource": "Active Directory",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType": "user",
"RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155",
"What": "\\local\\enterprise\\Users\\Jason Smith",
"When": "2017-02-14T15:42:34Z",
"Where": "EnterpriseDC1.enterprise.local",
"Who": "ENTERPRISE\\Administrator",
"Workstation": "EnterpriseDC1.enterprise.local"
},
{...},
{...}
],
"ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"
}

3. Continue retrieving Activity Records. Send a POST request containing this Continuation mark to the
same endpoint. See Continuation Mark for more information.

16/72
Netwrix Auditor Integration API Guide

6. Retrieve Activity Records

XML

curl -H "Content-Type: application/xml; Charset=UTF-8"

https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum -u
Enterprise\NetwrixUser:NetwrixIsCool --data-binary
@C:\APIdocs\ContMark.xml
<?xml version="1.0" standalone="yes"?>
<ContinuationMark xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A
</ContinuationMark>

JSON

curl -H "Content-Type: application/json; Charset=UTF-8"

https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum?format=json
-u Enterprise\NetwrixUser:NetwrixIsCool --data-binary
@C:\APIdocs\ContMark.json
"PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A"

NOTE: Ensure to pass information about transferred data, including Content-

Type:application/xml or application/json and encoding. The syntax greatly
depends on the tool you use.

4. Receive the next response. On success, the status is 200 OK . For XML, a response body contains the
ActivityRecordList root element with next Activity Records and a new Continuation mark inside.
For JSON, a response body contains the ActivityRecordSearch array with next Activity Records
collected in braces {} and a new Continuation mark.

5. Continue retrieving Activity Records. Send POST requests containing new Continuation marks until
you receive a 200 OK response with no Activity Records inside the ActivityRecordList. It means
you reached the end of the Audit Database.

17/72
Netwrix Auditor Integration API Guide

7. Search Activity Records

The search functionality in the Netwrix Auditor Integration API reproduces interactive search available in
the Netwrix Auditor client. See Netwrix Auditor Intelligence Guide for detailed instruction on how to search
and filter audit data.

As the interactive search in the Netwrix Auditor client, this REST API endpoint allows you to retrieve Activity
Records matching a certain criteria. You can create your own set of filters in the Search parameters file. See
Search Parameters for more information. Activity Records are retrieved according to the account's
delegated scope.

7.1. Endpoint
To retrieve Activity Records matching a certain criteria, send a POST request containing search parameters
(also may include a Continuation mark). See Search Parameters for more information.

Method Endpoint POST Data

POST https://{host:port}/netwrix/api/v1/activity_ Search

records/search{?format=json}{&count=Number} Parameters

7.2. Request Parameters

Parameter Mandatory Description

host:port Yes Replace with the IP address or a name of your Netwrix Auditor Server
host and port (e.g., 172.28.6.15:9699, stationwin12:9699,
WKSWin2012.enterprise.local:9699).

NOTE: With enabled HTTPS, provide the computer name as it appears

in certificate properties.

format=json No Add this parameter to retrieve data in JSON format. Otherwise, XML-
formatted Activity Records will be returned.

count=Number No Add this parameter to define the number of Activity Records to be

exported. Replace Number with a number (e.g., ?count=1500).

NOTE: Optional parameters (format and count) can be provided in any order. The first parameter must
start with ?, others are joined with &, no spaces required (e.g., ?format=json&count=1500).

18/72
Netwrix Auditor Integration API Guide

7. Search Activity Records

7.3. Response
Request Status Response

Success The HTTP status code in the response header is 200 OK . The response body
contains Activity Records and Continuation Mark.

HTTP/1.1 200 OK HTTP/1.1 200 OK

Error The header status code is an error code. Depending on the error code, the
response body may contain an error object. See Response Status Codes for more
information.

7.4. Usage Example—Retrieve All Activity Records

Matching Search Criteria
This example describes how to retrieve all Activity Records matching search criteria.

1. Send a POST request containing search parameters. See Search Parameters for more information.

For example, this request retrieves Activity Records where administrator added new objects to the
Active Directory domain. Groups and group policies are not taken into account. Changes could only
occur between September 16, 2016 and March 16, 2017.

XML

curl -H "Content-Type:application/xml; Charset=UTF-8"

https://WKSWin2012:9699/netwrix/api/v1/activity_records/search -u
Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.xml
<?xml version="1.0" standalone="yes"?>
<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
<FilterList>
<Who>Administrator</Who>
<DataSource>Active Directory</DataSource>
<Action>Added</Action>
<ObjectType Operator="DoesNotContain">Group</ObjectType>
<When>
<From>2016-09-16T16:30:00+11:00</From>
<To>2017-03-16T00:00:00Z</To>
</When>

19/72
Netwrix Auditor Integration API Guide

7. Search Activity Records

</FilterList>
</ActivityRecordSearch>

JSON

curl -H "Content-Type:application/json; Charset=UTF-8"

https://WKSWin2012:9699/netwrix/api/v1/activity_records/
search?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary
@C:\APIdocs\Search.json
{
"FilterList": {
"Who": "Administrator",
"DataSource": "Active Directory",
"Action": "Added",
"ObjectType": { "DoesNotContain": "Group"},
"When": {
"From": "2016-09-16T16:30:00+11:00",
"To": "2017-03-16T00:00:00Z"
}
}
}

NOTE: Ensure to pass information about transferred data, including

Content-
Type:application/xml or application/json and encoding. The syntax greatly
depends on the tool you use.

2. Receive the response. Activity Records are retrieved according to the account's delegated scope.
Below is an example of a successful search request. The status is 200 OK . For XML, a response body
contains the ActivityRecordList root element with Activity Records matching filter criteria and a
Continuation mark inside. For JSON, a response body contains the ActivityRecordList array with
Activity Records matching filter criteria and collected in braces {}, and a Continuation mark.

XML

<?xml version="1.0" standalone="yes"?>

20/72
Netwrix Auditor Integration API Guide

7. Search Activity Records

<ObjectType>user</ObjectType>
<RID>20160215110503420B9451771F5964A9EAC0A5F35307EA155</RID>
<What>\local\enterprise\Users\Jason Smith</What>
<Action>Added</Action>
<When>2017-02-14T15:42:34Z</When>
<Where>EnterpriseDC1.enterprise.local</Where>
<Who>ENTERPRISE\Administrator</Who>
<Workstation>EnterpriseDC1.enterprise.local</Workstation>
</ActivityRecord>
<ActivityRecord>...</ActivityRecord>
<ActivityRecord>...</ActivityRecord>
</ActivityRecordList>

JSON

3. Continue retrieving Activity Records. Send a POST request containing your search parameters and
this Continuation mark to the same endpoint. See Continuation Mark for more information.

XML

curl -H "Content-Type:application/xml; Charset=UTF-8"

https://WKSWin2012:9699/netwrix/api/v1/activity_records/search -u
Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.xml

21/72
Netwrix Auditor Integration API Guide

7. Search Activity Records

<?xml version="1.0" standalone="yes"?>

<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
<ContinuationMark>PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A</Continuatio
nMark>
<FilterList>
<Who>Administrator</Who>
<DataSource>Active Directory</DataSource>
<Action>Added</Action>
<ObjectType Operator="DoesNotContain">Group</ObjectType>
<When>
<From>2016-09-16T16:30:00+11:00</From>
<To>2017-03-16T00:00:00Z</To>
</When>
</FilterList>
</ActivityRecordSearch>

JSON

curl -H "Content-Type:application/json; Charset=UTF-8"

https://WKSWin2012:9699/netwrix/api/v1/activity_
records/search?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --
data-binary @C:\APIdocs\Search.json
{
"ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A",
"FilterList": {
"Who": "Administrator",
"DataSource": "Active Directory",
"Action": "Added",
"ObjectType": { "DoesNotContain": "Group"},
"When": {
"From": "2016-09-16T16:30:00+11:00",
"To": "2017-03-16T00:00:00Z"
}
}
}

NOTE: Ensure to pass information about transferred data, including Content-

Type:application/xml or application/json and encoding. The syntax greatly
depends on the tool you use.

5. Continue retrieving Activity Records. Send POST requests containing your search parameters with
new Continuation marks until you receive a 200 OK response with no Activity Records inside the
ActivityRecordList. It means you retrieved all Activity Records matching your search criteria.

22/72
Netwrix Auditor Integration API Guide

8. Write Activity Records

8.1. Endpoint
Write data to the Audit Database and to the Long-Term Archive. By default, all imported data is written to a
special Netwrix_Auditor_API database and recognized as the Netwrix API data source. This data is not
associated with any monitoring plan in the product. You can associate Activity Records with a plan, in this
case data will be written to a database linked to this plan. Make sure the plan you specify is already created
in Netwrix Auditor, the Netwrix API data source is added to the plan and enabled for monitoring.

To feed data, send a POST request containing Activity Records. The user sending a request must be
assigned the Contributor role in Netwrix Auditor. After feeding data to the Audit Database it will become
available for search in the Netwrix Auditor client and through /netwrix/api/v1/activity_records/search and
/netwrix/api/v1/activity_records/enum endpoints.

Method Endpoint POST Data

POST https:// {host:port}/netwrix/api/v1/activity_ records/ Activity

{?format=json} Records

NOTE: Netwrix recommends limiting the input Activity Records file to 50MB and maximum 1,000 Activity
Records.

8.2. Request Parameters

Parameter Mandatory Description

host:port Yes Replace with the IP address or a name of your Netwrix Auditor Server
host and port (e.g., 172.28.6.15:9699, stationwin12:9699,
WKSWin2012.enterprise.local:9699).

NOTE: With enabled HTTPS, provide the computer name as it appears

in certificate properties.

?format=json No Add this parameter to write data in JSON format. Otherwise, Netwrix
Auditor Server will expect XML- formatted Activity Records and will
consider JSON invalid.

23/72
Netwrix Auditor Integration API Guide

8. Write Activity Records

8.3. Response
Request Status Response

Success The HTTP status code in the response header is 200 OK and the body is empty.
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 0
Content-Type: text/plain
Date: Fri, 08 Apr 2017 13:56:22 GMT

Error The header status code is an error code. Depending on the error code, the response
body may contain an error object. See Response Status Codes for more
information.

8.4. Usage Example—Write Data

This example describes how to feed Activity Records to the Audit Database.

1. Send a POST request containing Activity Records. See Activity Records for more information. For
example:

XML

curl -H "Content-Type:application/xml; Charset=UTF-8"

https://WKSWin2012:9699/netwrix/api/v1/activity_records/ -u
Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.xml
<?xml version="1.0" encoding="utf-8"?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
<ActivityRecord>
<Who>Admin</Who>
<ObjectType>Stored Procedure</ObjectType>
<Action>Added</Action>
<What>Databases\ReportServer\Stored Procedures\dbo.sp_New</What>
<MonitoringPlan>
<Name>Integrations and custom sources</Name>
</MonitoringPlan>
<Where>WKSWin12SQL</Where>
<When>2017-02-19T03:43:49-11:00</When>
</ActivityRecord>
<ActivityRecord>
<Action>Modified</Action>
<ObjectType>Mailbox</ObjectType>
<What>Shared Mailbox</What>

24/72
Netwrix Auditor Integration API Guide

8. Write Activity Records

<When>2017-02-10T14:46:00Z</When>
<Where>BLUPR05MB1940</Where>
<Who>[email protected]</Who>
<DetailList>
<Detail>
<PropertyName>Custom_Attribute</PropertyName>
<Before>1</Before>
<After>2</After>
</Detail>
</DetailList>
</ActivityRecord>
</ActivityRecordList>

JSON

curl -H "Content-Type:application/json; Charset=UTF-8"

https://WKSWin2012:9699/netwrix/api/v1/activity_records/?format=json -u
Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.json
[
{
"Who": "Admin",
"ObjectType": "Stored Procedure",
"Action": "Added",
"MonitoringPlan": {"Name": "Integrations and custom sources"},
"What": "Databases\\ReportServer\\Stored Procedures\\dbo.sp_New",
"Where": "WKSWin12SQL",
"When": "2017-02-19T03:43:49-11:00"
},
{
"Action": "Modified",
"ObjectType": "Mailbox",
"What": "Shared Mailbox",
"When": "2017-02-10T14:46:00Z",
"Where": "BLUPR05MB1940",
"Who": "[email protected]",
"DetailList": [
{
"PropertyName": "Custom_Attribute",
"Before": "1",
"After": "2"
}
]
}
]

NOTE: Ensure to pass information about transferred data, including Content-

Type:application/xml or application/json and encoding. The syntax greatly
depends on the tool you use.

25/72
Netwrix Auditor Integration API Guide

8. Write Activity Records

2. Receive the response. Below is an example of a successful write request. The status is 200 OK and the
body is empty.
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 0
Content-Type: text/plain
Date: Fri, 08 Apr 2017 13:56:22 GMT

3. Send more POST requests containing Activity Records if necessary.

4. Check that posted data is now available in the Audit Database. Run a search request to
/netwrix/api/v1/activity_ records/search endpoint or use interactive search in the Netwrix Auditor
client. For example:

NOTE: For input Activity Records, the data source in set to Netwrix API.

26/72
Netwrix Auditor Integration API Guide

9. Post Data

9. Post Data
While running requests to Netwrix Auditor Integration API endpoints, you will need to post data, e.g., a
Continuation mark in order to continue retrieving Activity Records, Search parameters to find Activity
Records matching your search, or Activity Records you want to feed to the Audit Database. Data is sent in
the request body and must be formatted according to XML convention and compatible with Netwrix-
provided XSD schemas.

In Netwrix Auditor 9.0, Netwrix has updated API schemas. Make sure to check and update your custom
scripts and add-ons. See Compatibility Notice for more information.

NOTE: The file must be formatted in accordance with XML standard. The following symbols must be
replaced with corresponding XML entities: & (ampersand), < (less than), and > (greater than)
symbols.

Symbol XML entity

& &

e.g., Ally & Sons e.g., Ally & Sons

< <

e.g., CompanyDC< 100 e.g., CompanyDC<100

> >

e.g., ID> 500 e.g., ID>500

Also, Netwrix allows transferring data in JSON format (organized as name and value pairs). JSON file must be
formatted in accordance with JSON specification. Special characters in JSON strings must be preceded with
the \ character: " (double quotes), / (slash), \ (backslash). E.g., " \\ local \\ enterprise \\ Users \\ Jason Smith".
Trailing comma is not supported.

Review the following for additional information:

l Continuation Mark

l Search Parameters

l Activity Records

9.1. Continuation Mark

When exporting data from the Audit Database, a successful response includes:

27/72
Netwrix Auditor Integration API Guide

9. Post Data

l For XML—A <ContinuationMark> inside the <ActivityRecordsList> root element.

l For JSON—An object with the "ContinuationMark" field.

Continuation mark is a checkpoint, use it to retrieve data starting with the next Activity Record.

Send a POST request containing Continuation mark to the following endpoints:

Method Endpoint Description

POST /netwrix/api/v1/activity_records/enum Returns next Activity Records.

POST /netwrix/api/v1/activity_records/search Returns next Activity Records matching

a filter criteria.

NOTE: Ensure to pass information about transferred data, including Content-Type:application/xml

or application/json and encoding. The syntax greatly depends on the tool you use.

You can send as many POST requests as you want. A new response returns next Activity Records and a new
Continuation mark. Once all the Activity Records are retrieved, you will receive a 200 OK response with no
Activity Records inside the ActivityRecordList root element (XML) or array (JSON).

9.1.1. Schema
Copy the contents of ContinuationMark to a separate XML or JSON file (e.g., ContMark.xml).

Format Schema description

XML The file must be compatible with the XML schema. On the computer where Netwrix Auditor
Server resides, you can find XSD file under Netwrix_Auditor_installation_folder\Audit Core\API
Schemas.

The ContinuationMark root element contains a value previously returned by Netwrix

Auditor Integration API.

JSON JSON-formatted Continuation mark includes the field value in quotes.

If you want to retrieve next Activity Records for your search, include the Continuation mark to your Search
parameters file. See Search Parameters for more information.

9.1.2. Example
XML

Retrieve Activity Records

28/72
Netwrix Auditor Integration API Guide

9. Post Data

<?xml version="1.0" standalone="yes"?>

<ContinuationMark xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A
</ContinuationMark>

Search Activity Records

<?xml version="1.0" standalone="yes"?>

<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
<ContinuationMark>PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A</ContinuationMar
k>
<FilterList>
<Who>Administrator</Who>
<DataSource>Active Directory</DataSource>
<Action>Added</Action>
<ObjectType Operator="DoesNotContain">Group</ObjectType>
<When>
<From>2016-09-16T16:30:00+11:00</From>
<To>2017-03-16T00:00:00Z</To>
</When>
</FilterList>
</ActivityRecordSearch>

JSON

Retrieve Activity Records

"PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"

Search Activity Records

{
"ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A",
"FilterList": {
"Who": "Administrator",
"DataSource": "Active Directory",
"Action": "Added",
"ObjectType": { "DoesNotContain": "Group"},
"When": {
"From": "2016-09-16T16:30:00+11:00",
"To": "2017-03-16T00:00:00Z"
}
}
}

29/72
Netwrix Auditor Integration API Guide

9. Post Data

9.2. Search Parameters

Send the search parameters in the POST request body to narrow down the search results returned by the
/netwrix/api/v1/activity_records/search endpoint. The Search parameters file includes one or more filters
with operators and values (e.g., to find entries where data source is SharePoint ); it may also contain a
Continuation Mark. Generally, the Search parameters file looks similar to the following:

XML

<?xml version="1.0" encoding="utf-8"?>

<ActivityRecordSearch xmlns="http//schemas.netwrix.com/api/v1/activity_records/">
<ContinuationMark>Continuation mark</ContinuationMark>
<FilterList>
<Filter1>Value</Filter1>
<Filter2>Value1</Filter2>
<Filter2>Value2</Filter2>
<Filter3 Operator="MatchType1">Value1</Filter3>
<Filter3 Operator="MatchType2">Value2</Filter3>
<Filter4>Value1</Filter4>
<Filter4 Operator="MacthType">Value2</Filter4>
</FilterList>
</ActivityRecordSearch>

JSON

{
"ContinuationMark": "Continuation Mark",
"FilterList": {
"Filter1": "Value",
"Filter2": [ "Value1", "Value2" ],
"Filter3": {
"MatchType1": "Value1",
"MatchType2": "Value2"
},
"Filter4": [ "Value1", { "MatchType": "Value2" } ]
}
}

NOTE: Ensure to pass information about transferred data, including Content-Type:application/xml

or application/json and encoding. The syntax greatly depends on the tool you use.

30/72
Netwrix Auditor Integration API Guide

9. Post Data

9.2.1. Schema
Format Schema description

XML The file must be compatible with the XML schema. On the computer where Netwrix Auditor
Server resides, you can find XSD file under Netwrix_Auditor_installation_folder\Audit Core\API
Schemas.

The ActivityRecordSearch root element includes the FilterList element with one
or more Filter elements inside. The root element may contain a ContinuationMark
element.

Each Filter specified within the FilterList must have a value to search for. The
element may also include a modifier—a match type operator.

NOTE: minOccurs="0" indicates that element is optional and may be absent in the Search
parameters.

JSON The FilterList object includes with one or more Filter entries inside. JSON may
contain a ContinuationMark object. Each Filter specified within the FilterList
must have a value to search for. The entry may also include a modifier— a match type
operator.

Review the following for additional information:

31/72
Netwrix Auditor Integration API Guide

9. Post Data

l Filters

l Operators

9.2.2. Example
XML

<?xml version="1.0" encoding="utf-8"?>

<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
<FilterList>
<Who Operator="NotEqualTo">Administrator</Who>
<MonitoringPlan>My Hybrid Cloud enterprise</MonitoringPlan>
<DataSource>Active Directory</DataSource>
<DataSource Operator="StartsWith">Exchange</DataSource>
<Action>Removed</Action>
<Action>Added</Action>
<ObjectType Operator="DoesNotContain">Group</ObjectType>
<When>
<From>2016-01-16T16:30:00+11:00</From>
<To>2017-01-01T00:00:00Z</To>
</When>
</FilterList>
</ActivityRecordSearch>

JSON

{
"FilterList": {
"Who": { "NotEqualTo": "Administrator" },
"MonitoringPlan": "My Hybrid Cloud enterprise",
"DataSource": [ "Active Directory", { "StartsWith": "Exchange" } ],
"Action": [ "Added", "Removed" ],
"ObjectType": { "DoesNotContain": "Group" },
"When": {
"From": "2016-01-16T16:30:00+11:00",
"To": "2017-01-01T00:00:00Z"
}
}
}

9.2.3. Reference for Creating Search Parameters File

Review this section to learn more about operators and how to apply them to Activity Record filters to
create a unique search. You can:

32/72
Netwrix Auditor Integration API Guide

9. Post Data

l Add different filters to your search. Search results will be sorted by all selected filters since they work
as a logical AND.

Format Example

XML <Who Operator="Equals">Admin</Who>

<DataSource Operator="NotEqualTo">Active Directory</DataSource>
<What>User</What>

JSON "Who" : { "Equals" : "Admin" },

"DataSource" : { "NotEqualTo" : "Active Directory" },
"What" : "User"

l Specify several values for the same filter. To do this, add two entries one after another.

Entries with Equals, Contains, StartsWith, EndsWith, and InGroup operators work as a logical OR
(Activity Records with either of following values will be returned). Entries with DoesNotContain and
NotEqualTo operators work as a logical AND (Activity Records with neither of the following values will
be returned).

Format Example

XML <Who>Admin</Who>
<Who>Analyst</Who>

JSON "Who" : [ "Admin" , "Analyst" ]

NOTE: Use square brackets to add several values for the entry.

Review the following for additional information:

l Filters

l Operators

The table below shows filters and Activity Records matching them.

Filters Matching Activity Records

l XML: Retrieves all activity records where administrator made any

<Who>Administrator</Who> actions on SharePoint, except Read.
<DataSource> l XML:
SharePoint
<ActivityRecord>
</DataSource>
<Action>Added</Action>
<Action Operator="NotEqualTo">
<MonitoringPlan>
Read
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
</Action> <Name>Compliance</Name>

l JSON: </MonitoringPlan>
<DataSource>SharePoint</DataSource>

33/72
Netwrix Auditor Integration API Guide

9. Post Data

Filters Matching Activity Records

"Who" : "Admin", <Item>

"DataSource" : "SharePoint", <Name>http://demolabsp:8080 (SharePoint farm)</Name>
"Action" : { </Item>
"NotEqualTo" : "Read" <ObjectType>List</ObjectType>

} <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
<What>http://demolabsp/lists/Taskslist</What>
<When>2017-02-17T09:28:35Z</When>
<Where>http://demolabsp</Where>
<Who>Enterprise\Administrator</Who>
<Workstation>172.28.15.126</Workstation>
</ActivityRecord>
<ActivityRecord>
<Action>Removed</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>SharePoint</DataSource>
<Item>
<Name>http://demolabsp:8080 (SharePoint farm)</Name>
</Item>
<ObjectType>List</ObjectType>
<RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D15857</RID>
<What>http://demolabsp/lists/Old/Taskslist</What>
<When>2017-02-17T09:28:35Z</When>
<Where>http://demolabsp</Where>
<Who>Enterprise\Administrator</Who>
<Workstation>172.28.15.126</Workstation>
</ActivityRecord>

34/72
Netwrix Auditor Integration API Guide

9. Post Data

Filters Matching Activity Records

"Action" : "Removed",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "SharePoint",
"Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"},
"ObjectType" : "List",
"RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D15857",
"What" : "http://demolabsp/lists/Old/Taskslist",
"When" : "2017-02-17T09:28:35Z",
"Where" : "http://demolabsp",
"Who" : "Enterprise\\Administrator",
"Workstation" : "172.28.15.126"
}

l XML: Retrieves all activity records where administrator added an

<Who>Administrator</Who> object within any data source.
<Action>Added</Action> l XML:
l JSON: <ActivityRecord>
<Action>Added</Action>
"Who" : "Administrator",
<MonitoringPlan>
"Action" : "Added"
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>SharePoint</DataSource>
<Item>
<Name>http://demolabsp:8080 (SharePoint farm)</Name>
</Item>
<ObjectType>List</ObjectType>
<RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
<What>http://demolabsp/lists/Taskslist</What>
<When>2017-02-17T09:28:35Z</When>
<Where>http://demolabsp</Where>
<Who>Enterprise\Administrator</Who>
<Workstation>172.28.15.126</Workstation>
</ActivityRecord>
<ActivityRecord>
<Action>Added</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Exchange</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>

35/72
Netwrix Auditor Integration API Guide

9. Post Data

Filters Matching Activity Records

<ObjectType>Mailbox</ObjectType>
<RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3</RID>
<What>Shared Mailbox</What>
<When>2017-02-10T14:46:00Z</When>
<Where>eswks.enterprise.local</Where>
<Who>Enterprise\Administrator</Who>
</ActivityRecord>

l JSON:
{
"Action" : "Added",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "SharePoint",
"Item": {"Name": "http://demolabsp:8080 (SharePoint farm)"},
"ObjectType": "List",
"RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
"What": "http://demolabsp/lists/Taskslist",
"When": "2017-02-17T09:28:35Z",
"Where": "http://demolabsp",
"Who": "Enterprise\\Administrator",
"Workstation": "172.28.15.126"
},
{
"Action" : "Added",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource" : "Exchange",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType" : "Mailbox",
"RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3",
"What": "Shared Mailbox",
"When": "2017-02-10T14:46:00Z",
"Where": "eswks.enterprise.local",
"Who": "Enterprise\\Administrator"
}

l XML: Retrieves all activity records where admin or analyst made any
<Who>Admin</Who> changes within any data source.
<Who>Analyst</Who> l XML:
l JSON: <ActivityRecord>
<Action>Added</Action>
"Who" : [ "Admin" , "Analyst" ]
<MonitoringPlan>

36/72
Netwrix Auditor Integration API Guide

9. Post Data

Filters Matching Activity Records

<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>File Servers</DataSource>
<Item>
<Name>wks.enterprise.local (Computer)</Name>
</Item>
<ObjectType>Folder</ObjectType>
<RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3</RID>
<What>Annual_Reports</What>
<When>2017-02-10T14:46:00Z</When>
<Where>wks.enterprise.local</Where>
<Who>Enterprise\Admin</Who>
</ActivityRecord>
<ActivityRecord>
<Action>Removed</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Active Directory</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>User</ObjectType>
<RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3</RID>
<What>Anna.Smith</What>
<When>2017-02-10T10:46:00Z</When>
<Where>dc1.enterprise.local</Where>
<Who>Enterprise\Analyst</Who>
<Workstation>172.28.6.15</Workstation>
</ActivityRecord>

l JSON:
{
"Action": "Added",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource" : "File Servers",
"Item": {"Name": "wks.enterprise.local (Computer)"},
"ObjectType": "Folder",
"RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3",
"What": "Annual_Reports",
"When": "2017-02-10T14:46:00Z",
"Where": "wks.enterprise.local",
"Who": "Enterprise\\Admin"

37/72
Netwrix Auditor Integration API Guide

9. Post Data

Filters Matching Activity Records

},
{
"Action": "Removed",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "Active Directory",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType": "User",
"RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3",
"What": "Anna.Smith",
"When": "2017-02-10T10:46:00Z",
"Where": "dc1.enterprise.local",
"Who": "Enterprise\\Analyst",
"Workstation": "172.28.6.15"
}

l XML: Retrieves all activity records for all data sources and users
<When> within a specified data range:
<LastSevenDays/>
l January 16, 2017 — February 1, 2017
</When>
<When> l March 11, 2017 — March 17, 2017 (assume, today is
<From> March, 17).
2017-01-16T16:30:00Z
</From>
<To>
l XML:
2017-02-01T00:00:00Z
</To> <ActivityRecord>
</When> <Action>Modified</Action>
<MonitoringPlna>My Cloud</MonitoringPlan>
l JSON: <MonitoringPlan>
"When" : [ <ID>{42F64379-163E-4A43-A9C5-4514C5A23701}</ID>

{"LastSevenDays" : ""}, <Name>My Cloud</Name>

</MonitoringPlan>
{
<DataSource>Exchange Online</DataSource>
"From" : "2017-01-
16T16:30:00Z", <Item>
<Name>[email protected] (Office 365 tenant)</Name>
"To" : "2017-02-01T00:00:00Z"
</Item>
}
<ObjectType>Mailbox</ObjectType>
]
<RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
<What>Shared Mailbox</What>
<When>2017-03-17T09:37:11Z</When>
<Where>BLUPR05MB1940</Where>
<Who>[email protected]</Who>
</ActivityRecord>
<ActivityRecord>
<Action>Successful Logon</Action>

38/72
Netwrix Auditor Integration API Guide

9. Post Data

Filters Matching Activity Records

<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Logon Activity</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>Logon</ObjectType>
<RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
<What>stationexchange.enterprise.local</What>
<When>2017-02-17T09:28:35Z</When>
<Where>enterprisedc1.enterprise.local</Where>
<Who>ENTERPRISE\Administrator</Who>
<Workstation>stwin12R2.enterprise.local</Workstation>
</ActivityRecord>

l JSON:
{
"Action" : "Modified",
"MonitoringPlan" : "My Cloud",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23701}",
"Name": "My Cloud"
},
"DataSource": "Exchange Online",
"Item": {
"Name": "[email protected] (Office 365 tenant)"
},
"ObjectType" : "Mailbox",
"RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A",
"What" : "Shared Mailbox",
"When" : "2017-03-17T09:37:11Z",
"Where" : "BLUPR05MB1940",
"Who" : "[email protected]"
},
{
"Action" : "Successful Logon",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "Logon Activity",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType": "Logon",
"RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
"What" : "stationexchange.enterprise.local",
"When" : "2017-02-17T09:28:35Z",

39/72
Netwrix Auditor Integration API Guide

9. Post Data

Filters Matching Activity Records

"Where" : "enterprisedc1.enterprise.local",
"Who" : "ENTERPRISE\\Administrator",
"Workstation" : "stwin12R2.enterprise.local"
}

l XML: Retrieves all activity records for Logon Activity data source
<DataSource> irrespective of who made logon attempt and when it was
Logon Activity made.
</DataSource> l XML:
l JSON: <ActivityRecord>
<Action>Successful Logon</Action>
"DataSource" : "Logon Activity"
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Logon Activity</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>Logon</ObjectType>
<RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
<What>stationexchange.enterprise.local</What>
<When>2017-02-17T09:28:35Z</When>
<Where>enterprisedc1.enterprise.local</Where>
<Who>ENTERPRISE\Administrator</Who>
<Workstation>stwin12R2.enterprise.local</Workstation>
</ActivityRecord>
<ActivityRecord>
<Action>Successful Logon</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Logon Activity</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>Logon</ObjectType>
<RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
<What>stationwin12r2.enterprise.local</What>
<When>2017-02-17T09:37:11Z</When>
<Where>enterprisedc2.enterprise.local</Where>
<Who>ENTERPRISE\Analyst</Who>
<Workstation>stwin12R2.enterprise.local</Workstation>
</ActivityRecord>

l JSON:

40/72
Netwrix Auditor Integration API Guide

9. Post Data

Filters Matching Activity Records

{
"Action" : "Successful Logon",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "Logon Activity",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType" : "Logon",
"RID" : "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
"What" : "stationexchange.enterprise.local",
"When" : "2017-02-17T09:28:35Z",
"Where" : "enterprisedc1.enterprise.local",
"Who" : "ENTERPRISE\\Administrator",
"Workstation" : "stwin12R2.enterprise.local"
},
{
"Action" : "Successful Logon",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "Logon Activity",
"Item": {"Name": "enterprise.local (Domain)"},
"ObjectType" : "Logon",
"RID" : "201602170939597970997D56DDA034420B9044249CC15EC5A",
"What" : "stationwin12r2.enterprise.local",
"When" : "2017-02-17T09:37:11Z",
"Where" : "enterprisedc2.enterprise.local",
"Who" : "ENTERPRISE\\Analyst",
"Workstation" : "stwin12R2.enterprise.local"
}

9.2.3.1. Filters
Review the table below to learn more about filters. The filters correspond to Activity Record fields.

Filter Description Supported Operators

RID Activity Record ID. Limits your search to a unique key of l Contains (default)
the Activity Record. l DoesNotContain
Max length: 49. l Equals
l NotEqualTo
l StartsWith
l EndsWith

41/72
Netwrix Auditor Integration API Guide

9. Post Data

Filter Description Supported Operators

Who Limits your search to a specific user who made the l Contains (default)
change (e.g., Enterprise\ Administrator, l DoesNotContain
[email protected] ).
l Equals
Max length: 255. l NotEqualTo
l StartsWith
l EndsWith
l InGroup
l NotInGroup

Where Limits your search to a resource where the change was l Contains (default)
made (e.g., Enterprise-SQL, FileStorage.enterprise.local). l DoesNotContain
The resource name can be a FQDN or NETBIOS server l Equals
name, Active Directory domain or container, SQL Server l NotEqualTo
instance, SharePoint farm, VMware host, etc. l StartsWith
Max length: 255. l EndsWith

ObjectType Limits your search to objects of a specific type only (e.g., l Contains (default)
user). l DoesNotContain
Max length: 255. l Equals
l NotEqualTo
l StartsWith
l EndsWith

What Limits your search to a specific object that was changed l Contains (default)
(e.g., NewPolicy) . l DoesNotContain
Max length: 1073741822. l Equals
l NotEqualTo
l StartsWith
l EndsWith

DataSource Limits your search to the selected data source only (e.g., l Contains (default)
Active Directory). l DoesNotContain
Max length: 1073741822. l Equals
l NotEqualTo
l StartsWith
l EndsWith

42/72
Netwrix Auditor Integration API Guide

9. Post Data

Filter Description Supported Operators

Monitoring Limits your search to a specific monitoring plan —Netwrix l Contains (default)
Plan Auditor object that governs data collection. l DoesNotContain
Max length: 255. l Equals
l NotEqualTo
l StartsWith
l EndsWith

Item Limits your search to a specific item— object of l Contains (default)

monitoring—and its type provided in brackets. l DoesNotContain
The following item types are available: l Equals
l NotEqualTo
l AD container l NetApp
l StartsWith
l Computer l Office 365 tenant
l EndsWith
l Domain l Oracle Database instance
l EMC Isilon l SharePoint farm
l EMC VNX/VNXe l SQL Server instance
l Integration l VMware ESX/ESXi/vCenter
l IP range l Windows file share

Max length: 1073741822.

Workstation Limits your search to an originating workstation from l Contains (default)

which the change was made (e.g., l DoesNotContain
WKSwin12.enterprise.local).
l Equals
Max length: 1073741822. l NotEqualTo
l StartsWith
l EndsWith

Detail Limits your search results to entries that contain the l Contains (default)
specified information in Detail . Normally contains l DoesNotContain
information specific to your data source, e.g., assigned
l Equals
permissions, before and after values, start and end dates.
l NotEqualTo
This filter can be helpful when you are looking for a l StartsWith
unique entry.
l EndsWith
Max length: 1073741822.

Before Limits your search results to entries that contain the l Contains (default)
specified before value in Detail. l DoesNotContain
Max length: 536870911. l Equals

43/72
Netwrix Auditor Integration API Guide

9. Post Data

Filter Description Supported Operators

l NotEqualTo
l StartsWith
l EndsWith

After Limits your search results to entries that contain the

l Contains (default)
specified after value in the Detail.
l DoesNotContain
Max length: 536870911. l Equals
l NotEqualTo
l StartsWith
l EndsWith

Action Limits your search results to certain actions: l Equals (default)

l Added l Add (Failed Attempt) l NotEqualTo

l Removed l Remove (Failed Attempt)

l Modified l Modify (Failed Attempt)
l Read l Read (Failed Attempt)
l Moved l Move (Failed Attempt)
l Renamed l Rename (Failed Attempt)
l Checked in l Checked out
l Discard check out l Successful Logon
l Failed Logon l Logoff
l Copied l Sent
l Session start l Session end
l Activated

When Limits your search to a specified time range. 1. Equals (default)

Netwrix Auditor supports the following for the When 2. NotEqualTo

filter:
3. Within timeframe:
l Use Equals (default operator) or NotEqualTo
operator l Today
l Yesterday
l To specify time interval, use Within timeframe
l LastSevenDays
with one of the enumerated values (Today,
l LastThirtyDays
Yesterday, etc.), and/or values in the To and From.
l Equals (default)
To and From support the following date time formats:
l NotEqualTo
l YYYY- mm- ddTHH:MM:SSZ — Indicates UTC time
2. From..To interval
(zero offset)

44/72
Netwrix Auditor Integration API Guide

9. Post Data

Filter Description Supported Operators

l YYYY-mm-ddTHH:MM:SS+HH:MM—Indicates time
zones ahead of UTC (positive offset)

l YYYY-mm-ddTHH:MM:SS-HH:MM —Indicates time

zones behind UTC (negative offset)

WorkingHours Limits your search to the specified working hours. You l "From..To" interval
can track activity outside the business hours applying the l Equals (default)
NotEqualTo operator.
l NotEqualTo
To and From support the following date time formats:

l YYYY- mm- ddTHH:MM:SSZ — Indicates UTC time

(zero offset)

l YYYY-mm-ddTHH:MM:SS+HH:MM—Indicates time
zones ahead of UTC (positive offset)

l YYYY-mm-ddTHH:MM:SS-HH:MM —Indicates time

zones behind UTC (negative offset)

9.2.3.2. Operators
Review the table below to learn more about operators.

Operator Description Example

Contains This operator shows all If you set the Who filter to contains John, you will get
entries that contain a the following results: Domain1\John, Domain1\Johnson,
value specified in the Domain2\Johnny, [email protected] .
filter.

Equals This operator shows all Use this operator if you want to get precise results, e.g.,
entries with the exact \\FS\Share\NewPolicy.docx.
value specified. Make
sure to provide a full
object name or path.

NotEqualTo This operator shows all If you set the Who filter to NotEqualTo Domain1\John,
entries except those with you will exclude the exact user specified and find all
the exact value specified. changes performed by other users, e.g.,
Domain1\Johnson, Domain2\John.

StartsWith This operator shows all If you set the Who filter to StartsWith Domain1\John,
entries that start with the you will find all changes performed by Domain1\John,

45/72
Netwrix Auditor Integration API Guide

9. Post Data

Operator Description Example

specified value. Domain1\Johnson, and Domain1\Johnny.

EndsWith This operator shows all If you set the Who filter to EndsWith John, you will find
entries that end with the all changes performed by Domain1\John,
exact specified value. Domain2\Dr.John, Domain3\John.

DoesNotContain This operator shows all If you set the Who filter to DoesNotContain John, you
entries except those that will exclude the following users: Domain1\John,
contain the specified Domain2\Johnson, and [email protected] .
value.

InGroup This operator relates to If you set the InGroup condition for Who filter to
the Who filter. It instructs Domain\Administrators , only the data for the accounts
Netwrix Auditor to show included in that group will be displayed.
only data for the
accounts included in the
specified group.

NotInGroup This operator relates to If you set the NotInGroup condition for Who filter to
the Who filter. In Domain\Administrators , only the data for the accounts
instructs Netwrix Auditor not included in that group will be displayed.
to show only data for the
accounts not included in
the specified group.

9.3. Activity Records

In Netwrix terms, one operable chunk of information is called the Activity Record. Netwrix Auditor
Integration API processes both XML and JSON Activity Records. The Activity Records have the format
similar to the following—the exact schema depends on operation (input or output).

Format Example

XML <?xml version="1.0" encoding="UTF-8" ?>

<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
<ActivityRecord>
<Who>Who</Who>
<ObjectType>Object Type</ObjectType>
<Action>Action</Action>
<What>What</What>
<When>When</When>
<Where>Where</Where>
<MonitoringPlan>

46/72
Netwrix Auditor Integration API Guide

9. Post Data

Format Example

<ID>Unique ID</ID>
<Name>Name</Name>
</MonitoringPlan>
<DataSource>Data source</DataSource>
<Item>
<Name>Item name (Item type)</Name>
</Item>
<DetailList>
<Detail>
<Before>Before Value</Before>
<After>After Value</After>
<PropertyName>Property</PropertyName>
<Message>Text</Message>
</Detail>
</DetailList>
</ActivityRecord>
<ActivityRecord>...</ActivityRecord>
</ActivityRecordList>

JSON [
{
"Action": "Action",
"MonitoringPlan": {
"ID": "Unique ID",
"Name": "Name"
},
"DataSource": "Data source",
"Item": {"Name": "Item name (Item type)"},
"DetailList": [
{
"Before": "Before Value",
"After": "After Value",
"PropertyName": "Property",
"Message": "Text"
}
],
"ObjectType": "Object Type",
"What": "What",
"When": "When",
"Where": "Where",
"Who": "Who"
},
{...}
]

To feed data from a custom audit source to Netwrix Auditor, send a POST request containing Activity
Records. See Write Activity Records for more information.

47/72
Netwrix Auditor Integration API Guide

9. Post Data

9.3.1. Schema
The Activity Records you want to feed to Netwrix Auditor must be compatible with input schema. The
output schema resembles the input schema and can be used to validate Activity Records returned
by Netwrix Auditor before further data parsing.

Format Schema description

XML The file must be compatible with the XML schema. On the computer where Netwrix Auditor
Server resides, you can find XSD file under Netwrix_Auditor_installation_folder\Audit Core\API
Schemas.

The ActivityRecordList root element includes the ActivityRecord elements. Each

ActivityRecord contains values in the Who , When , Where , etc. fields. The
MonitoringPlan element contains sub- elements such as Name and ID , the Item
element contains Name . Both MonitoringPlan and Item are optional for input Activity
Records. The DetailList element is optional too, it may include one or more Detail
entries. The Detail element may contain sub-elements with values (e.g., before and after
values). For input Activity Records, the data source is automatically set to Netwrix API.

NOTE: minOccurs="0" indicates that element is optional and may be absent when writing
data to the Audit Database.

JSON Activity Records are sent as an array collected within square brackets [ ]. Each
ActivityRecord object is collected in braces {} and contains values in the Who , When ,
Where , etc. fields. The DetailList field is not mandatory, it may include one or more
detail. The Detail field may contain sub-fields with values (e.g., before and after values).
For input Activity Records, the data source is automatically set to Netwrix API.

9.3.2. Example
The examples below show an output Activity Record.

XML

<?xml version="1.0" encoding="UTF-8" ?>

<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
<ActivityRecord>
<Action>Modified</Action>
<MonitoringPlan>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
<Name>Compliance</Name>
</MonitoringPlan>
<DataSource>Exchange Online</DataSource>
<Item>
<Name>[email protected] (Office 365 tenant)</Name>

48/72
Netwrix Auditor Integration API Guide

9. Post Data

</Item>
<ObjectType>Mailbox</ObjectType>
<What>Shared Mailbox</What>
<When>2017-03-17T09:37:11Z</When>
<Where>BLUPR05MB1940</Where>
<Who>[email protected]</Who>
<DetailList>
<Detail>
<Before>1</Before>
<After>2</After>
<PropertyName>Custom_attribute</PropertyName>
</Detail>
</DetailList>
</ActivityRecord>
</ActivityRecordList>

JSON

[
{
"Action": "Modified",
"MonitoringPlan": {
"ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
"Name": "Compliance"
},
"DataSource": "Exchange Online",
"Item": {"Name": "[email protected] (Office 365 tenant)"},
"ObjectType": "Mailbox",
"What": "Shared Mailbox",
"When": "2017-03-17T09:37:11Z",
"Where": "BLUPR05MB1940",
"Who": "[email protected]",
"DetailList": [
{
"PropertyName": "Custom_Attribute",
"Before": "1",
"After": "2"
}
]
}
]

9.3.3. Reference for Creating Activity Records

The table below describes Activity Record elements.

49/72
Netwrix Auditor Integration API Guide

9. Post Data

NOTE: Netwrix recommends limiting the input Activity Records file to 50MB and maximum 1,000 Activity
Records.

Element Mandatory Datatype Description

Activity Record main elements

RID No string RID is a unique key of the Activity Record.

The identifier is created automatically when you write an

Activity Record to the Audit Database. RID is included in
output Activity Records only.

Who Yes nvarchar A specific user who made the change (e.g., Enterprise\
255 Administrator, [email protected] ).

Action Yes — Activity captured by Netwrix Auditor (varies depending on

the data source):

l Added l Add (Failed Attempt)

l Removed l Remove (Failed Attempt)
l Modified l Modify (Failed Attempt)
l Read l Read (Failed Attempt)
l Moved l Move (Failed Attempt)
l Renamed l Rename (Failed Attempt)
l Checked in l Checked out
l Discard check out l Successful Logon
l Failed Logon l Logoff
l Copied l Sent
l Session start l Session end
l Activated

What Yes nvarchar A specific object that was changed (e.g., NewPolicy).
max

When Yes dateTime The moment when the change occurred. When supports
the following datetime formats:

l YYYY- mm- ddTHH:MM:SSZ — Indicates UTC time

(zero offset)

l YYYY-mm-ddTHH:MM:SS+HH:MM—Indicates time
zones ahead of UTC (positive offset)

l YYYY-mm-ddTHH:MM:SS-HH:MM —Indicates time

zones behind UTC (negative offset)

50/72
Netwrix Auditor Integration API Guide

9. Post Data

Element Mandatory Datatype Description

Where Yes nvarchar A resource where the change was made (e.g., Enterprise-
255 SQL , FileStorage.enterprise.local ). The resource name can
be a FQDN or NETBIOS server name, Active Directory
domain or container, SQL Server instance, SharePoint
farm, VMware host, etc.

ObjectType Yes nvarchar An type of affected object or its class (e.g., user, mailbox).
255

Monitoring No nvarchar The Netwrix Auditor object that responsible for

Plan 255 monitoring of a given data source and item.

Sub-elements: Name and ID.

NOTE: If you provide a monitoring plan name for input

Activity Records, make sure the plan is created in
Netwrix Auditor, the Netwrix API data source is
added to the plan and enabled for monitoring. In
this case, data will be written to the database
associated with this plan.

DataSource No nvarchar IT infrastructure monitored with Netwrix Auditor (e.g.,

max Active Directory).

For input Activity Records, the data source is

automatically set to Netwrix API.

Item No nvarchar The exact object that is monitored (e.g., a domain name,
max SharePoint farm name) or integration name.

Sub-element: Name.

The item type is added inside the name value in brackets

(e.g., enterprise.local (Domain)). For input Activity Records,
the type is automatically set to Integration , you do not
need to provide it. The output Activity Records may
contain the following item types depending on the
monitoring plan configuration:

l AD container l NetApp
l Computer l Office 365 tenant
l Domain l Oracle Database instance
l EMC Isilon l SharePoint farm
l EMC VNX/VNXe l SQL Server instance

51/72
Netwrix Auditor Integration API Guide

9. Post Data

Element Mandatory Datatype Description

l Integration l VMware ESX/ESXi/vCenter

l IP range l Windows file share

NOTE: If you provide an item name for input Activity

Records, make sure this item is included in the
monitoring plan within the Netwrix API data
source. If you specify an item that does not exist,
data will be written to the plan's database anyway
but will not be available for search using the Item
filter.

Workstation No nvarchar An originating workstation from which the change was

max made (e.g., WKSwin12.enterprise.local).

IsArchiveOnly No — IsArchiveOnly allows to save Activity Record to the Long-

Term Archive only. In this case, these Activity Records will
not be available for search in the Netwrix Auditor client.

DetailList No — Information specific to the data source, e.g., assigned

permissions, before and after values, start and end dates.
References details.

Detail sub-elements (provided that DetailList exists)

PropertyName Yes nvarchar The name of a modified property.

255

Message No string Object-specific details about the change.

Message is included in output Activity Records only.

Before No ntext The previous value of the modified property.

After No ntext The new value of the modified property.

52/72
Netwrix Auditor Integration API Guide

10. Response Status Codes

Code Status Write Activity Records Retrieve, search Activity Records

200 OK Success Success. The body is empty. Success. The body contains Activity
Records.
Activity Records were written to the
Audit Database and the Long-Term Activity Records were retrieved from
Archive. the Audit Database.

400 Bad Error Error validating Activity Records. Error validating request parameters
Request or post data.
Make sure the Activity Records are
compatible with Activity Records Make sure the post data files
(Continuation mark, Search
parameters) are compatible with
their schemas and the ?count=
parameter is valid.

401 Error The request is unauthorized. The body is empty. See Authentication for
Unauthorized more information.

404 Not Error Error addressing the endpoint. The body is empty. The requested endpoint
Found does not exist (e.g., /netwrix/api/v1/mynewendpoint/).

405 Method Error Error addressing the endpoint. The Error addressing the endpoint. The
Not Allowed body is empty. Wrong HTTP request body is empty. Wrong HTTP request
was sent (any except POST). was sent (any except GET or POST).

413 Request Error Error transferring files. The body is empty. The posted file exceeds
Entity Too supported size.
Large

500 Internal Error Error writing Activity Records to the Error retrieving Activity Records
Server Error Audit Database or the Long- Term from the Audit Database:
Archive:
l Netwrix Auditorlicense has
l One or more Activity Records expired.
were not processed.
l The Netwrix Auditor Archive
l Netwrix Auditor license has Service is unreachable. Try
expired. restarting the service on the
computer that hosts Netwrix
l Internal error occurred.
Auditor Server.

l Internal error occurred.

53/72
Netwrix Auditor Integration API Guide

10. Response Status Codes

Code Status Write Activity Records Retrieve, search Activity Records

503 Service Error The Netwrix Auditor Archive —

Unavailable Service is busy or unreachable. Try
restarting the service on the
computer that hosts Netwrix
Auditor Server.

NOTE: Most failed requests contain error in the response body (except those with empty body, e.g., 404,
405). See Error Details for more information.

10.1. Error Details

On error, most requests contain an error description in the response body (except some requests with
empty body, e.g., 404, 405). See Response Status Codes for more information.

The error details include:

Block Description

Category Defines the type of error (XML formatting-related error, invalid input-related error, etc.)

Description Provides details about this error.

Location (optional) Provides a link to a corrupted text in request.

NOTE: XML is considered a default format for Netwrix Auditor Integration API. Error
location is defined in XML format.

The error details have the format similar to the following:

Format Example

XML <?xml version="1.0" encoding="UTF-8" ?>

<ErrorList xmlns="http://schemas.netwrix.com/api/v1/">
<Error>
<Category>Category</Category>
<Description>Error Description</Description>
<Location>Error Location</Location>
</Error>
</ErrorList>

JSON {
"ErrorList": [
{
"Category": "Category",

54/72
Netwrix Auditor Integration API Guide

10. Response Status Codes

Format Example

"Description": "Error Description",

"Location": "Error Location"
}
]
}

Review examples below to see how error details correspond to invalid requests.

Request Error details returned

Invalid request: 400 Bad Request

XML: l XML:
curl -H "Content-Type: <?xml version="1.0" encoding="UTF-8" ?>
application/xml; Charset=UTF-8" <ErrorList xmlns="http://schemas.netwrix.com/api/v1/">
https://WKSWin12R2:9699/ <Error>
netwrix/api/v1/activity_ <Category>XMLError</Category>
records/search -u Enterprise\ <Description>0xC00CE56D End tag 'FilterList'
NetwrixUser:NetwrixIsCool --data- does not match the start tag 'DataSource'

binary @C:\APIdocs\Search.xml </Description>

</Error>
<?xml version="1.0" encoding="utf-8"?> </ErrorList>
<ActivityRecordSearch xmlns="http://schemas.
netwrix.com/api/v1/activity_records/"> l JSON:
<FilterList>
<Who>Administrator</Who>
NOTE: If JSON is corrupted, server returns 500 Internal
<DataSource>Active Directory
Server Error with empty body.
<Action>Modified</Action>
</FilterList>
</ActivityRecordSearch>

l JSON:

curl -H "Content-Type:
application/json; Charset=UTF-8"
https://WKSWin12R2:9699/
netwrix/api/v1/activity_
records/search?format=json -u
Enterprise\NetwrixUser:
NetwrixIsCool --data-binary
@C:\APIdocs\Search.json
{
"FilterList": {
"Who": "Administrator",
"DataSource": "Active Directory
"Action": "Added"
}
}

55/72
Netwrix Auditor Integration API Guide

10. Response Status Codes

Request Error details returned

Invalid request: 400 Bad Request

l XML: l XML:
curl https://WKSWin12R2:9699/ <?xml version="1.0" encoding="UTF-8" ?>
netwrix/api/v1/activity_records/ <ErrorList xmlns="http://schemas.netwrix.com/api/v1/">
<Error>
enum?count=FIVE -u Enterprise\
NetwrixUser:NetwrixIsCool <Category>InputError</Category>
<Description>Invalid count parameter specified.
l JSON: Error details: 0x80040204 Cannot convert the
attribute data type
curl https://WKSWin12R2:9699/ </Description>
netwrix/api/v1/activity_records/ </Error>
enum?format=json&count=FIVE -u </ErrorList>
Enterprise\NetwrixUser:
NetwrixIsCool l JSON:
{
"ErrorList": [
{
"Category": "InputError",
"Description": "Invalid count parameter specified.
Error details: 0x80040204 Cannot convert the
attribute data type"
}
]
}

Valid request, but the Audit Database is 500 Internal Server Error
unreachable:
l XML:
l XML: <?xml version="1.0" encoding="UTF-8" ?>
curl https://WKSWin12R2:9699/ <ErrorList xmlns="http://schemas.netwrix.com/api/v1/">
netwrix/api/v1/activity_ <Error>
records/enum -u Enterprise\ <Category>ServerError</Category>
NetwrixUser:NetwrixIsCool <Description>0x80040C0A SQL Server cannot be
contacted, connection is lost (0x80040C0A SQL
l JSON: Server cannot be contacted, connection is lost
(0x80004005 [DBNETLIB][ConnectionOpen (Connect()).
curl https://WKSWin12R2:9699/ ]SQL Server does not exist or access denied.))
netwrix/api/v1/activity_ [0x00007FFDCC06BBC8,0x00007FFDB99EF4BA;
0x00007FFDB99BEEEF,0x00007FFDB99EF4DC]
records/enum?format=json -u
</Description>
Enterprise\NetwrixUser:
</Error>
NetwrixIsCool
</ErrorList>

l JSON:
{
"ErrorList": [
{
"Category": "ServerError",

56/72
Netwrix Auditor Integration API Guide

10. Response Status Codes

Request Error details returned

"Description": "0x80040C0A SQL Server cannot be

contacted, connection is lost (0x80040C0A SQL
Server cannot be contacted, connection is lost
(0x80004005 [DBNETLIB][ConnectionOpen (Connect()).
]SQL Server does not exist or access denied.))
[0x00007FFDCC06BBC8,0x00007FFDB99EF4BA;
0x00007FFDB99BEEEF,0x00007FFDB99EF4DC]"
}
]
}

57/72
Netwrix Auditor Integration API Guide

11. Add-Ons

11. Add-Ons
The Netwrix Auditor Add-on Store contains free add-ons developed by Netwrix Corp. and your peers in the
community. The add-ons help you leverage integration between your on-premises or cloud applications
and Netwrix Auditor.

The list of available add-ons keeps growing because with the new RESTful API, the integration capabilities of
Netwrix Auditor are unlimited. Netwrix encourages users to develop add-ons, upload them to Netwrix
website, and share with community.

Benefits:

l Centralize auditing and reporting of your IT environment—Netwrix Auditor unifies auditing of all IT
systems across your on-premises, cloud or hybrid environment, and enables centralized reporting for
security and compliance.

l Get the most from your SIEM investment—To maximize SIEM value, Netwrix Auditor increases the
signal-to-noise ratio and feeds your HP ArcSight, Splunk, IBM QRadar or any other SIEM solution with
much more granular audit data.

l Automate your IT workflows—Automate and improve your change management, service desk and
other critical IT workflows by feeding them audit data from Netwrix Auditor.

Review the following for additional information:

l Available Add-Ons

l Use Add-Ons

11.1. Available Add-Ons

At the time of Netwrix Auditor 9.8 release, the following add-ons were verified and posted in Add-ons Store.

Name Technology Data in/out Description

Add-on for Amazon Web PowerShell In Exports user activity data from your Amazon
Services Web Services using CloudTrail and feeds events
to the Audit Database. Use this script if you
want to get more out of native Amazon
auditing.

CEF Export Add-on PowerShell Out Exports Activity Records from the Audit
Database to a CEF file. Use this script to
integrate data collected by Netwrix Auditor
with SIEM solutions that use CEF files as input
data.

58/72
Netwrix Auditor Integration API Guide

11. Add-Ons

Name Technology Data in/out Description

Event Log Export Add-on PowerShell Out Exports Activity Records from the Audit
Database to a custom Windows event log—
Netwrix_Auditor_Integration. Use this script to
integrate data collected by Netwrix Auditor
with SIEM solutions that use events as input
data.

Starting with Netwrix Auditor 9.8, this add-on

provides a universal solution for integration
with the following SIEM systems:

1. Splunk

2. IBM QRadar

3. AlienVault USM

4. Solarwinds Log & Event Manager

5. Intel Security

6. LogRhythm

Add-on for ArcSight PowerShell Out Exports Activity Records from the Audit
Database to ArcSight in its native CEF format.
Use this script to integrate Netwrix Auditor with
ArcSight and extend auditing possibilities.

Add-on for RADIUS PowerShell In Exports RADIUS logon events from the Security
server event log and feeds them to the Audit
Database. Use this script to track logon activity
on servers with RADIUS protocol enabled.

The add-on works in collaboration with Netwrix

Auditor for Active Directory, collecting
additional data that augments the data
collected by Netwrix Auditor. Aggregating data
into a single audit trail simplifies logon activity
analysis and helps you keep tabs on your IT
infrastructure.

Add-on for Splunk PowerShell Out Exports Activity Records from the Audit
Database to a custom Windows event log. Use
this script to integrate Netwrix Auditor with
Splunk and extend auditing possibilities.

Add-on for Nutanix Files C# In Implemented as a service, the add-on listens to

59/72
Netwrix Auditor Integration API Guide

11. Add-Ons

Name Technology Data in/out Description

TCP port and feeds events to the Audit

Database. Use this add- on if you want to
include file operations on the Nutanix Files
storage system in your audit trail.

Add-on for Generic Linux C# In Implemented as a service, the add-on listens to

Syslog UDP port and feeds events from Syslog-based
devices to the Audit Database. The add- on
comes with processing rules for rsyslog
messages. Use this add- on if you want to
include Red Hat Enterprise Linux 7 and 6, SUSE
Linux Enterprise Server 12, openSUSE 42, and
Ubuntu 16, etc., activity in your audit trail.

Add-on for Privileged C# In Implemented as a service, the add-on listens to

User Monitoring on UDP port and feeds events from Syslog-based
Linux and Unix devices to the Audit Database. The add- on
comes with processing rules for rsyslog
messages. Use this add-on if you want to detect
SUDO commands and remote access (SSH) on
Red Hat Enterprise Linux 7 and 6, SUSE Linux
Enterprise Server 12, openSUSE 42, and Ubuntu
16, etc.

Add-on for ServiceNow C# Out Implemented as a service, the add-on facilitates

Incident Management data transition from Netwrix Auditor and
automates ticket creation in ServiceNow
Istanbul and Helsinki.

Netwrix Auditor Integration API uses HTTPS with an automatically generated certificate for running
requests to its endpoints. By default, add-ons are configured to accept all certificates that is appropriate for
evaluation purposes and allows running the script without adjusting.

Refer to Security for detailed instructions on how to assign a new certificate and enable trust on remote
computers.

11.2. Use Add-Ons

To use the add-on

1. Check prerequisites. Since the add-ons work only in combination with Netwrix Auditor, make sure the
product and its Audit Database are configured, roles are assigned in the product. Some add-ons may
require additional components to be installed in your system or options configured.

60/72
Netwrix Auditor Integration API Guide

11. Add-Ons

2. Define parameters. Before running or scheduling the add-on, you must define connection details:
Netwrix Auditor Server host, user credentials, etc. You can skip or define parameters depending on
your add-on, execution scenario, and security policies.

3. Choose appropriate execution scenario. Select where and who is going to execute the add-on.

4. Run the PowerShell-based add-on from a command line. Start Windows PowerShell and provide
parameters. First, provide a path to your add-on followed by script parameters with their values. Each
parameter is preceded with a dash; a space separates a parameter name from its value. You can skip
some parameters— the script uses a default value unless a parameter is explicitly defined. If
necessary, modify the parameters as required.

For add-ons implemented as a service, run the installation file that will deploy and start the service.

5. Review the results. For add-ons that import data to the Audit Database, search Activity Records in the
Netwrix Auditor client. For example:

6. For PowerShell-based add-ons, schedule a daily task to ensure your audit data is always up-to-date.

Netwrix creates quick- start guides to help you incorporate add- ons in your daily routine. Each guide
contains detailed instructions for running the add-on.

61/72
Netwrix Auditor Integration API Guide

12. IIS Forwarding

NOTE: While you can configure forwarding from any web server, this guide covers IIS configuration
procedure only.

You can create a website in IIS and use it as a proxy for forwarding API requests. This is handy if for security
reasons you do not want to make the Netwrix Auditor Server host name or address public. In this case, you
can create a website with a short and user-friendly name and configure it to redirect requests to a server
that hosts Netwrix Auditor Server and actually processes RESTful API requests. You can also configure
authentication and authorization on IIS side.

For example, instead of addressing requests to https://172.28.6.15:9699/netwrix/api/v1/

activity_ records/enum endpoint, you can send them to https://enterprisewks/
integrationAPI/activity_records/enum.

12.1. Configure IIS Forwarding

NOTE: The procedure below applies to IIS 8.5 integrated with Windows Server 2012 R2.

1. Make sure the Web Server role is installed on your server. Install the following components:

l Application Request Routing

l URL Rewrite

2. Create IIS website. To do this, navigate to Start → Windows Administrative Tools (Windows Server
2016) or Administrative Tools (Windows 2012 R2 and below) → Internet Information Services (IIS)
Manager. In the left, expand your_computer_name → Sites and select Add Website in the Actions
pane. Create a website and configure authentication if necessary.

62/72
Netwrix Auditor Integration API Guide

12. IIS Forwarding

3. In your site settings, double-click URL Rewrite and select Add Rule(s).

4. In the Add Rule(s) dialog, select Reverse Proxy . Select OK when prompted to enable Application
Request Routing and proceed further.

5. In the Add Reverse Proxy Rules dialog that opens, provide a Netwrix Auditor Server host name or
IP address.

63/72
Netwrix Auditor Integration API Guide

12. IIS Forwarding

6. Edit the newly created inbound rule.

7. On the Edit Inbound Rule page, complete the following fields and click Apply:

Option Set to...

Match URL

Requested URL Matches the Pattern

Using Regular Expressions

Pattern activity_records/(.*)

NOTE: In this case all requests containing "activity_ records" will be

64/72
Netwrix Auditor Integration API Guide

12. IIS Forwarding

Option Set to...

forwarded. For example, https://Enterprise/IntegrationAPI/

activity_records/enum.

Ignore case Checked

Action

Action type Rewrite

Rewrite URL https://host:port/netwrix/api/v1/activity_records/{R:1}

where host:port is the name or IP address of the computer where Netwrix

Auditor Server resides and port opened to communication.

For example:

https://172.28.6.15:9699/netwrix/api/v1/activity_records/{R:1}

Append query string Checked

Log rewritten URL Cleared

Stop processing of Checked

subsequent rules

Now you can send requests to your website that will forward them to proper Netwrix Auditor Integration
API endpoints.

12.2. Usage Example—Forward Requests

The example below describes how to forward requests to another server.

1. Configure forwarding as described above.

2. Retrieve Activity Records from the Audit Database. See Retrieve Activity Records for more
information.

Format Request

XML curl https://172.28.15.126:80/integrationapi/activity_records/

enum -u Enterprise\NetwrixUser:NetwrixIsCool

JSON curl https://172.28.15.126:80/integrationapi/activity_records/

enum?format=json -u Enterprise\NetwrixUser:NetwrixIsCool

3. The request is automatically forwarded to endpoint starting with https://172.28.6.15:9699/

netwrix/api/v1/activity_records/.

65/72
Netwrix Auditor Integration API Guide

12. IIS Forwarding

4. Receive the response. Below is an example of a successful GET request. The status is 200 OK . For
XML, a response body contains the ActivityRecordList root element with Activity Records and a
Continuation mark inside. For JSON, a response body contains the ActivityRecordList array with
Activity Records collected in braces {} and a Continuation mark.

XML

<?xml version="1.0" standalone="yes"?>

<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
<ContinuationMark>PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A</ContinuationMark>
<ActivityRecord>
<MonitoringPlan>
<Name>AD Monitoring</Name>
<ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
</MonitoringPlan>
<DataSource>Active Directory</DataSource>
<Item>
<Name>enterprise.local (Domain)</Name>
</Item>
<ObjectType>user</ObjectType>
<RID>20160215110503420B9451771F5964A9EAC0A5F35307EA155</RID>
<What>\local\enterprise\Users\Jason Smith</What>
<Action>Added</Action>
<When>2017-02-14T15:42:34Z</When>
<Where>EnterpriseDC1.enterprise.local</Where>
<Who>ENTERPRISE\Administrator</Who>
<Workstation>EnterpriseDC1.enterprise.local</Workstation>
</ActivityRecord>
<ActivityRecord>...</ActivityRecord>
<ActivityRecord>...</ActivityRecord>
</ActivityRecordList>

JSON

66/72
Netwrix Auditor Integration API Guide

12. IIS Forwarding

"When": "2017-02-14T15:42:34Z",
"Where": "EnterpriseDC1.enterprise.local",
"Who": "ENTERPRISE\\Administrator",
"Workstation": "EnterpriseDC1.enterprise.local"
},
{...},
{...}
],
"ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"
}

5. Continue retrieving Activity Records. See Usage Example—Retrieve All Activity Records for more
information.

67/72
Netwrix Auditor Integration API Guide

13. Security

13. Security
By default, Netwrix Auditor Integration API uses HTTPS for sending requests to its endpoints. Netwrix
encrypts data with a self-signed automatically generated SSL certificate and strongly recommends you to
replace it with a new secured certificate acquired from any reliable source.

The automatically generated Netwrix Integration API certificate is located in the Personal store. To
enable trust on remote computers, install this certificate in the Trusted Root Certification Authorities
store.

To manage API security settings with APIAdminTool.exe

Netwrix provides a command-line tool for managing Integration API. The tool allows switching between
HTTP and HTTPS, assigning new certificates, etc.

1. On the computer where Netwrix Auditor Server resides, start the Command Prompt and run the
tool. The tool is located in the Netwrix Auditor installation folder , inside the Audit Core folder. For
example:

C:\>cd C:\Program Files (x86)\Netwrix Auditor\Audit Core

C:\Program Files (x86)\Netwrix Auditor\Audit Core>APIAdminTool.exe

2. Execute one of the following commands depending on your task. Review the tips for running the tool:

l Some commands require parameters. Provide parameters with values (parameter= value) if you
want to use non-default. E.g., APIAdminTool.exe api http port= 4431.

68/72
Netwrix Auditor Integration API Guide

13. Security

l Append help to any command to see available parameters and sub-commands. E.g.,
APIAdminTool.exe api help.

To... Execute...

Disable API APIAdminTool.exe api disable

NOTE: This command duplicates the checkbox on the Integrations page in

Netwrix Auditor.

Switch to HTTP APIAdminTool.exe api http

NOTE: Netwrix recommends switching to HTTP only in safe intranet

environments.

To use a non-default port (9699), append a parameter port with value to the
command above (e.g., port= 4431).

Switch to HTTPS APIAdminTool.exe api https

NOTE: Run this command if you want to continue using Netwrix-generated

certificate.

To use a non-default port (9699), append a parameter port with value to the
command above (e.g., port= 4431).

Assign a new SSL APIAdminTool.exe api https certificate

certificate
NOTE: Run this command if you want to apply a new certificate and use it
instead default. You must add a certificate to the store before running
this command.

Provide parameters to specify a certificate:

l For a certificate exported to a file:

l path—Mandatory, defines certificate location.

l store—Optional, defines the store name where certificate is located.

By default, Personal.

For example: APIAdminTool.exe api https certificate path=

C:\SecureCertificate.cef store= Personal

l For a self-signed certificate:

l subject—Mandatory, defines certificate name.

l validFrom—Optional, defines a certificate start date. By default,

today.

l validTo—Optional, defines a certificate expiration date. By default, 5

69/72
Netwrix Auditor Integration API Guide

13. Security

To... Execute...

years after a validFrom date.

For example: APIAdminTool.exe api https certificate

subject= New validTo= 01/01/2021

l For a certificate specified using thumbprint:

l store—Optional, defines the store name where certificate is located.

By default, Personal.

l thumbprint—Mandatory, defines a thumbprint identifier for a

certificate.

For example: APIAdminTool.exe api https certificate

thumbprint= 3478cda8586675e420511dc0fdf59078093eeeda

70/72
Netwrix Auditor Integration API Guide

14. Compatibility Notice

Make sure to check your product version, and then review and update your add-ons and scripts leveraging
Netwrix Auditor Integration API. Download the latest add-on version in the Add-on Store.

Property in 8.0 – 8.5 New property in 9.0 and above

l XML: l XML:
<AuditedSystem></AuditedSystem> <DataSource></DataSource>

l JSON: l JSON:
"AuditedSystem" "DataSource"

l XML: l XML:
<ManagedObject></ManagedObject> <MonitoringPlan>
<Name>Name</Name>
l JSON:
<ID>Unique ID</ID>
"ManagedObject" </MonitoringPlan>

l JSON:
"MonitoringPlan" : {
"ID": "{Unique ID}",
"Name": "Name"
}

NOTE: Now the MonitoringPlan contains two sub-entries: ID

and Name. The ID property is optional and is assigned
automatically by the product.

— l XML:
<Item>
<Name>Item name</Name>
</Item>

l JSON:
"Item": {"Name": "Item name"}

To learn more about input and output Activity Record structure, refer to Activity Records.

71/72
Netwrix Auditor Integration API Guide

Index

Index IIS forwarding 62

Integration 58
/
O
/netwrix/api/v1/activity_records/ 23
Overview 5
/netwrix/api/v1/activity_records/enum 14 , 27
P
/netwrix/api/v1/activity_records/search 18 , 27
POST data 27
A
Proxy 62
Activity Record 46
R
Add-on 58
Redirection 62
Available add-ons 58
Response codes 53
Use 60
RestAPI 8
API prerequisites 10
Retrieve Activity Records 14
Authentication 13
Retrieve next Activity Records 27
C
S
Certificate 68
Search 30
Compatibility 71
Search Actvity Records 18
Continuation Mark 27
Examples 32
D
Search parameters 30
Data in 23
Available filters 41
Data out 14 , 18
Match case operators 45
E
Security 68
Endpoints 12
W
Error codes 53
Web API 8
Error details 54
Write Activity Records 23
F

Filter Activity Records 18 , 30

How it works 6

HTTPS 68

72/72

Wire Rope Users Manual
100% (4)
Wire Rope Users Manual
132 pages
WFM80 User Guide RevC
No ratings yet
WFM80 User Guide RevC
418 pages
Netwrix Change Tracker Datasheet
No ratings yet
Netwrix Change Tracker Datasheet
2 pages
Innova 3100
No ratings yet
Innova 3100
16 pages
Kinematics of Trauma PDF
100% (1)
Kinematics of Trauma PDF
44 pages
Metadata Manager Guide
No ratings yet
Metadata Manager Guide
140 pages
Netwrix Auditor User Guide
No ratings yet
Netwrix Auditor User Guide
60 pages
Netwrix Auditor User Guide
No ratings yet
Netwrix Auditor User Guide
102 pages
Netwrix Auditor Administrator Guide
No ratings yet
Netwrix Auditor Administrator Guide
185 pages
Netwrix Auditor Administrator Guide
No ratings yet
Netwrix Auditor Administrator Guide
227 pages
Netwrix Auditor Installation Configuration Guide
No ratings yet
Netwrix Auditor Installation Configuration Guide
104 pages
Netwrix Auditor Administrator Guide
No ratings yet
Netwrix Auditor Administrator Guide
236 pages
Netwrix Auditor For NetApp Quick Start Guide
No ratings yet
Netwrix Auditor For NetApp Quick Start Guide
31 pages
Netwrix Auditor For Active Directory Quick Start Guide
No ratings yet
Netwrix Auditor For Active Directory Quick Start Guide
31 pages
Netwrix_Auditor_for_Office_365_Quick_Start_Guide
No ratings yet
Netwrix_Auditor_for_Office_365_Quick_Start_Guide
28 pages
Netwrix Auditor Add-On For Splunk Quick Start Guide
No ratings yet
Netwrix Auditor Add-On For Splunk Quick Start Guide
12 pages
Netwrix Auditor Installation Configuration Guide
No ratings yet
Netwrix Auditor Installation Configuration Guide
232 pages
Netwrix Auditor For Office 365 Quick Start Guide
No ratings yet
Netwrix Auditor For Office 365 Quick Start Guide
25 pages
Netwrix Auditor For Exchange: Quick-Start Guide
No ratings yet
Netwrix Auditor For Exchange: Quick-Start Guide
28 pages
Netwrix Auditor: Release Notes
No ratings yet
Netwrix Auditor: Release Notes
14 pages
Netwrix Auditor Installation Configuration Guide
No ratings yet
Netwrix Auditor Installation Configuration Guide
331 pages
Netwrix Auditor: Release Notes
No ratings yet
Netwrix Auditor: Release Notes
16 pages
Netwrix Auditor Installation Configuration Guide
No ratings yet
Netwrix Auditor Installation Configuration Guide
195 pages
Netwrix Auditor Installation Configuration Guide PDF
No ratings yet
Netwrix Auditor Installation Configuration Guide PDF
258 pages
Netwrix Auditor Installation Configuration Guide
No ratings yet
Netwrix Auditor Installation Configuration Guide
182 pages
Netwrix Auditor Installation Configuration Guide
No ratings yet
Netwrix Auditor Installation Configuration Guide
316 pages
Netwrix Auditor Installation Configuration Guide
No ratings yet
Netwrix Auditor Installation Configuration Guide
202 pages
Netwrix Auditor For Windows File Servers: Quick-Start Guide
No ratings yet
Netwrix Auditor For Windows File Servers: Quick-Start Guide
24 pages
Netwrix Auditor: Release Notes
No ratings yet
Netwrix Auditor: Release Notes
14 pages
Netrix Auditor For VMware
No ratings yet
Netrix Auditor For VMware
26 pages
Product Release Matrix
No ratings yet
Product Release Matrix
3 pages
Netwrix Auditor Data Discovery and Classification Quick Start Guide
No ratings yet
Netwrix Auditor Data Discovery and Classification Quick Start Guide
39 pages
Netwrix Auditor For VMware Quick Start Guide
No ratings yet
Netwrix Auditor For VMware Quick Start Guide
23 pages
UBA Best Practices Guide
No ratings yet
UBA Best Practices Guide
1 page
UBA Best Practices Guide PDF
No ratings yet
UBA Best Practices Guide PDF
1 page
E-Book Secure The Intellectual Property of Your Industrial Organization With Netwrix Auditor
No ratings yet
E-Book Secure The Intellectual Property of Your Industrial Organization With Netwrix Auditor
19 pages
DX 1053 PartnersPortalGuide en
No ratings yet
DX 1053 PartnersPortalGuide en
39 pages
Datasheet - Netwrix Auditor For Network Devices
No ratings yet
Datasheet - Netwrix Auditor For Network Devices
2 pages
Dokumen - Tips - Isoiec 27001 Controls Solutions Isoiec 27001 Controls and Netwrix Auditor
No ratings yet
Dokumen - Tips - Isoiec 27001 Controls Solutions Isoiec 27001 Controls and Netwrix Auditor
26 pages
Webinar 2550 Slides
No ratings yet
Webinar 2550 Slides
10 pages
IGA_Datasheet
No ratings yet
IGA_Datasheet
2 pages
NetIQ PE Microsoft Windows XP 64 Bit
No ratings yet
NetIQ PE Microsoft Windows XP 64 Bit
44 pages
Netwrix Effective Permissions Reporting Tool Quick Start Guide
No ratings yet
Netwrix Effective Permissions Reporting Tool Quick Start Guide
20 pages
DX 1053 AdministratorGuide en
No ratings yet
DX 1053 AdministratorGuide en
135 pages
Change Auditor: Real-Time Change Auditing For Your Windows Environment
No ratings yet
Change Auditor: Real-Time Change Auditing For Your Windows Environment
2 pages
Netwrix Auditor v10.5 10-16-2022
No ratings yet
Netwrix Auditor v10.5 10-16-2022
5 pages
Minikube in Practice: Definitive Reference for Developers and Engineers
From Everand
Minikube in Practice: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Veritas Aptare It Analytics 10 6 Administration
No ratings yet
Veritas Aptare It Analytics 10 6 Administration
4 pages
Fraud Prevention and Detection in An Automated World
No ratings yet
Fraud Prevention and Detection in An Automated World
27 pages
Ultimate Guide To IT Monitoring Management and Modernization
100% (3)
Ultimate Guide To IT Monitoring Management and Modernization
26 pages
THE ROLE OF IT CONTROL AND SERVICE MANAGEMENT FRAMEWORKS
No ratings yet
THE ROLE OF IT CONTROL AND SERVICE MANAGEMENT FRAMEWORKS
38 pages
The Spring Cloud Handbook: Practical Solutions for Cloud-Native Architecture
From Everand
The Spring Cloud Handbook: Practical Solutions for Cloud-Native Architecture
Robert Johnson
No ratings yet
PowerCenter 9' Level 2 Developer Student Guide Lab
No ratings yet
PowerCenter 9' Level 2 Developer Student Guide Lab
84 pages
Advanced Audit Policy Configuration Complete Reference
No ratings yet
Advanced Audit Policy Configuration Complete Reference
61 pages
Windows Server Auditing Quick Reference Guide
No ratings yet
Windows Server Auditing Quick Reference Guide
1 page
PC 811 AdministratorGuide
No ratings yet
PC 811 AdministratorGuide
494 pages
NetBackup IT Analytics Administrator Guide v11.5
No ratings yet
NetBackup IT Analytics Administrator Guide v11.5
344 pages
ais
No ratings yet
ais
4 pages
It Audit Chapter 8
No ratings yet
It Audit Chapter 8
16 pages
The ArcSight Compliance Tool Kit
No ratings yet
The ArcSight Compliance Tool Kit
24 pages
Metasploit Framework a Beginner s Guide 1739208295
No ratings yet
Metasploit Framework a Beginner s Guide 1739208295
5 pages
Windows Audit Policy Best Practices
No ratings yet
Windows Audit Policy Best Practices
7 pages
NetWorker Configuration and Administration Reference: Definitive Reference for Developers and Engineers
From Everand
NetWorker Configuration and Administration Reference: Definitive Reference for Developers and Engineers
Richard Johnson
No ratings yet
Dra. Michel Fernanda Girón Luna Cirujano Dentista
No ratings yet
Dra. Michel Fernanda Girón Luna Cirujano Dentista
2 pages
Multiple Choice-WPS Office
No ratings yet
Multiple Choice-WPS Office
3 pages
3000 FFL Ops & IPL 11-06-08
No ratings yet
3000 FFL Ops & IPL 11-06-08
140 pages
Storage Spaces
No ratings yet
Storage Spaces
13 pages
Physics Chapter 1 Solutions
No ratings yet
Physics Chapter 1 Solutions
22 pages
Ecological Profiling, Contents and Template
100% (1)
Ecological Profiling, Contents and Template
65 pages
Lectors Leader Guide
100% (2)
Lectors Leader Guide
36 pages
BSSHGC PPT Proposal
No ratings yet
BSSHGC PPT Proposal
12 pages
Hyung Min LEE Resume
No ratings yet
Hyung Min LEE Resume
1 page
MECHANICAL WAVE-SHEET: 1 (Lecture - 1) : Level - I
No ratings yet
MECHANICAL WAVE-SHEET: 1 (Lecture - 1) : Level - I
6 pages
An Analysis of Sabda and Vak
No ratings yet
An Analysis of Sabda and Vak
56 pages
2-JAFMR-6-3-Kasi Njeudjang
No ratings yet
2-JAFMR-6-3-Kasi Njeudjang
13 pages
Case Study - PATAGONIA
No ratings yet
Case Study - PATAGONIA
3 pages
Tss Hospital
No ratings yet
Tss Hospital
12 pages
Laser Sintering of Ceramics Mechanical Seminar Topic
No ratings yet
Laser Sintering of Ceramics Mechanical Seminar Topic
7 pages
2005 Gracol Setup Guide 001a
100% (1)
2005 Gracol Setup Guide 001a
18 pages
RET Unit-1 Solar Thermal Systems
No ratings yet
RET Unit-1 Solar Thermal Systems
12 pages
Final Ge Nine Cell Matrix
100% (1)
Final Ge Nine Cell Matrix
18 pages
Packaging of Sugar Confectionery
100% (6)
Packaging of Sugar Confectionery
12 pages
Arecanut Cultivation (Betel Nut) Information - Agrifarming
No ratings yet
Arecanut Cultivation (Betel Nut) Information - Agrifarming
7 pages
Benign Paratesticlar Cyst - A Mysterical Finding
No ratings yet
Benign Paratesticlar Cyst - A Mysterical Finding
2 pages
06 Stating The Problem-Title
No ratings yet
06 Stating The Problem-Title
15 pages
v3n1 Supplying Resistance
No ratings yet
v3n1 Supplying Resistance
12 pages
Glimpses of India
90% (10)
Glimpses of India
12 pages
The Biography of Engr. Diosdado 'Dado' Banatao Jr.
100% (1)
The Biography of Engr. Diosdado 'Dado' Banatao Jr.
9 pages
Module 1
No ratings yet
Module 1
8 pages
Chapter 2
No ratings yet
Chapter 2
31 pages