Reference for Creating Activity Records
The table below describes Activity Record elements.
Netwrix recommends limiting the input Activity Records file to 50MB and maximum 1,000 Activity Records.
| Element | Mandatory | Datatype | Description |
| --- | --- | --- | --- |
| Activity Record main elements | | | |
| RID | No | string | RID is the unique key of the Activity Record. The identifier is created automatically when you write an Activity Record to the Audit Database. RID is included in output Activity Records only. |
| Who | Yes | nvarchar 255 | The specific user who made the change (e.g., Enterprise\Administrator, Admin@enterprise.onmicrosoft.com). |
| Action | Yes | — | Activity captured by Auditor (varies depending on the data source). |
| What | Yes | nvarchar max | The specific object that was changed (e.g., NewPolicy). |
| When | Yes | dateTime | The moment when the change occurred. When supports the following datetime formats: |
| Where | Yes | nvarchar 255 | The resource where the change was made (e.g., Enterprise-SQL, FileStorage.enterprise.local). The resource name can be an FQDN or NETBIOS server name, Active Directory domain or container, SQL Server instance, SharePoint farm, VMware host, etc. |
| ObjectType | Yes | nvarchar 255 | The type of the affected object or its class (e.g., user, mailbox). |
| Monitoring Plan | No | nvarchar 255 | The Auditor object that is responsible for monitoring a given data source and item. Sub-elements: Name and ID. If you provide a monitoring plan name for input Activity Records, make sure the plan is created in Auditor, and that the Netwrix API data source is added to the plan and enabled for monitoring. In this case, data will be written to the database associated with this plan. |
| DataSource | No | nvarchar max | IT infrastructure monitored with Auditor (e.g., Active Directory). For input Activity Records, the data source is automatically set to Netwrix API. |
| Item | No | nvarchar max | The exact object that is monitored (e.g., a domain name, SharePoint farm name) or integration name. Sub-element: Name. The item type is added inside the name value in brackets (e.g., enterprise.local (Domain)). For input Activity Records, the type is automatically set to Integration; you do not need to provide it. The output Activity Records may contain the following item types depending on the monitoring plan configuration: AD container, Computer, Domain, Dell Isilon, Dell VNX/VNXe, Integration, IP range, NetApp, Microsoft 365 tenant, Oracle Database instance, SharePoint farm, SQL Server instance, VMware ESX/ESXi/vCenter, Windows file share. If you provide an item name for input Activity Records, make sure this item is included in the monitoring plan within the Netwrix API data source. If you specify an item that does not exist, data will be written to the plan's database anyway but will not be available for search using the Item filter. |
| Workstation | No | nvarchar max | The originating workstation from which the change was made (e.g., WKSwin12.enterprise.local). |
| IsArchiveOnly | No | — | IsArchiveOnly allows saving the Activity Record to the Long-Term Archive only. In this case, these Activity Records will not be available for search in the Auditor client. |
| DetailList | No | — | Information specific to the data source, e.g., assigned permissions, before and after values, start and end dates. References details. |
| Detail sub-elements (provided that DetailList exists) | | | |
| PropertyName | Yes | nvarchar 255 | The name of a modified property. |
| Message | No | string | Object-specific details about the change. Message is included in output Activity Records only. |
| Before | No | ntext | The previous value of the modified property. |
| After | No | ntext | The new value of the modified property. |
Activity Records
In Netwrix terms, one operable chunk of information is called the Activity Record. The Netwrix Auditor Integration API processes both XML and JSON Activity Records. Activity Records have a format similar to the following; the exact schema depends on the operation (input or output).
XML:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ActivityRecord>
    <Who>Who</Who>
    <ObjectType>Object Type</ObjectType>
    <Action>Action</Action>
    <What>What</What>
    <When>When</When>
    <Where>Where</Where>
    <MonitoringPlan>
      <ID>Unique ID</ID>
      <Name>Name</Name>
    </MonitoringPlan>
    <DataSource>Data source</DataSource>
    <Item>
      <Name>Item name (Item type)</Name>
    </Item>
    <DetailList>
      <Detail>
        <Before>Before Value</Before>
        <After>After Value</After>
        <PropertyName>Property</PropertyName>
        <Message>Text</Message>
      </Detail>
    </DetailList>
  </ActivityRecord>
  <ActivityRecord>...</ActivityRecord>
</ActivityRecordList>
```

JSON:

```json
[
  {
    "Action": "Action",
    "MonitoringPlan": {
      "ID": "Unique ID",
      "Name": "Name"
    },
    "DataSource": "Data source",
    "Item": {"Name": "Item name (Item type)"},
    "DetailList": [
      {
        "Before": "Before Value",
        "After": "After Value",
        "PropertyName": "Property",
        "Message": "Text"
      }
    ],
    "ObjectType": "Object Type",
    "What": "What",
    "When": "When",
    "Where": "Where",
    "Who": "Who"
  },
  {...}
]
```
To feed data from a custom audit source to Netwrix Auditor, send a POST request containing Activity Records. See the Write Activity Records topic for more information.
Schema
The Activity Records you want to feed to Netwrix Auditor must be compatible with the input schema. The output schema resembles the input schema and can be used to validate Activity Records returned by Netwrix Auditor before further data parsing.
Format | Schema description |
---|---|
XML | The file must be compatible with the XML schema. On the computer where Auditor Server resides, you can find the XSD file under Netwrix_Auditor_installation_folder\Audit Core\API Schemas. The ActivityRecordList root element includes the ActivityRecord elements. Each ActivityRecord contains values in the Who, When, Where, etc. fields. The MonitoringPlan element contains sub-elements such as Name and ID; the Item element contains Name. Both MonitoringPlan and Item are optional for input Activity Records. The DetailList element is optional too; it may include one or more Detail entries. The Detail element may contain sub-elements with values (e.g., before and after values). For input Activity Records, the data source is automatically set to Netwrix API. minOccurs="0" indicates that the element is optional and may be absent when writing data to the Audit Database. |
JSON | Activity Records are sent as an array enclosed in square brackets [ ]. Each ActivityRecord object is enclosed in braces {} and contains values in the Who, When, Where, etc. fields. The DetailList field is not mandatory; it may include one or more Detail entries. The Detail field may contain sub-fields with values (e.g., before and after values). For input Activity Records, the data source is automatically set to Netwrix API. |
Example
The examples below show an output Activity Record.
XML:

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ActivityRecord>
    <Action>Modified</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>Exchange Online</DataSource>
    <Item>
      <Name>mail@enterprise.onmicrosoft.com (Microsoft 365 tenant)</Name>
    </Item>
    <ObjectType>Mailbox</ObjectType>
    <What>Shared Mailbox</What>
    <When>2017-03-17T09:37:11Z</When>
    <Where>BLUPR05MB1940</Where>
    <Who>admin@enterprise.onmicrosoft.com</Who>
    <DetailList>
      <Detail>
        <Before>1</Before>
        <After>2</After>
        <PropertyName>Custom_attribute</PropertyName>
      </Detail>
    </DetailList>
  </ActivityRecord>
</ActivityRecordList>
```

JSON:

```json
[
  {
    "Action": "Modified",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "Exchange Online",
    "Item": {"Name": "mail@enterprise.onmicrosoft.com (Microsoft 365 tenant)"},
    "ObjectType": "Mailbox",
    "What": "Shared Mailbox",
    "When": "2017-03-17T09:37:11Z",
    "Where": "BLUPR05MB1940",
    "Who": "admin@enterprise.onmicrosoft.com",
    "DetailList": [
      {
        "PropertyName": "Custom_Attribute",
        "Before": "1",
        "After": "2"
      }
    ]
  }
]
```
Continuation Mark
When exporting data from the Audit Database, a successful response includes:
- For XML: a ContinuationMark element inside the ActivityRecordList root element.
- For JSON: an object with the "ContinuationMark" field.
The Continuation mark is a checkpoint; use it to retrieve data starting with the next Activity Record.
Send a POST request containing Continuation mark to the following endpoints:
Method | Endpoint | Description |
---|---|---|
POST | /netwrix/api/v1/activity_records/enum | Returns next Activity Records. |
POST | /netwrix/api/v1/activity_records/search | Returns next Activity Records matching a filter criteria. |
Ensure to pass information about the transferred data, including Content-Type: application/xml or application/json, and encoding. The syntax greatly depends on the tool you use.
You can send as many POST requests as you want. Each new response returns the next Activity Records and a new Continuation mark. Once all the Activity Records are retrieved, you will receive a 200 OK response with no Activity Records inside the ActivityRecordList root element (XML) or array (JSON).
Schema
Copy the contents of ContinuationMark to a separate XML or JSON file (e.g., ContMark.xml).
Format | Schema description |
---|---|
XML | The file must be compatible with the XML schema. On the computer where Auditor Server resides, you can find the XSD file under Netwrix_Auditor_installation_folder\Audit Core\API Schemas. The ContinuationMark root element contains a value previously returned by the Netwrix Auditor Integration API. |
JSON | JSON-formatted Continuation mark includes the field value in quotes. |
If you want to retrieve the next Activity Records for your search, include the Continuation mark in your Search parameters file. See the Search Parameters topic for more information.
Example
XML, retrieve Activity Records:

```xml
<?xml version="1.0" standalone="yes"?>
<ContinuationMark xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A
</ContinuationMark>
```

XML, search Activity Records:

```xml
<?xml version="1.0" standalone="yes"?>
<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ContinuationMark>PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A</ContinuationMark>
  <FilterList>
    <Who>Administrator</Who>
    <DataSource>Active Directory</DataSource>
    <Action>Added</Action>
    <ObjectType Operator="DoesNotContain">Group</ObjectType>
    <When>
      <From>2016-09-16T16:30:00+11:00</From>
      <To>2017-03-16T00:00:00Z</To>
    </When>
  </FilterList>
</ActivityRecordSearch>
```

JSON, retrieve Activity Records:

```json
"PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"
```

JSON, search Activity Records:

```json
{
  "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A",
  "FilterList": {
    "Who": "Administrator",
    "DataSource": "Active Directory",
    "Action": "Added",
    "ObjectType": { "DoesNotContain": "Group"},
    "When": {
      "From": "2016-09-16T16:30:00+11:00",
      "To": "2017-03-16T00:00:00Z"
    }
  }
}
```
Post Data
While running requests to Netwrix Auditor Integration API endpoints, you will need to post data, e.g., a Continuation mark in order to continue retrieving Activity Records, Search parameters to find Activity Records matching your search, or Activity Records you want to feed to the Audit Database. Data is sent in the request body and must be formatted according to XML convention and compatible with Netwrix-provided XSD schemas.
Compatibility Notice: In Netwrix Auditor 9.0, Netwrix has updated the API schemas. Make sure to check and update your custom scripts and add-ons.
The file must be formatted in accordance with the XML standard. The following symbols must be replaced with the corresponding XML entities: & (ampersand), " (double quotes), ' (single quotes), < (less than), and > (greater than).
Symbol | XML entity |
---|---|
`&` (e.g., `Ally & Sons`) | `&amp;` (e.g., `Ally &amp; Sons`) |
`"` (e.g., `Domain1\Users"Stars"`) | `&quot;` (e.g., `Domain1\Users&quot;Stars&quot;`) |
`'` (e.g., `Domain1\Users\O'Hara`) | `&apos;` (e.g., `Domain1\Users\O&apos;Hara`) |
`<` (e.g., `CompanyDC<100`) | `&lt;` (e.g., `CompanyDC&lt;100`) |
`>` (e.g., `ID>500`) | `&gt;` (e.g., `ID&gt;500`) |
Also, Netwrix allows transferring data in JSON format (organized as name and value pairs). The JSON file must be formatted in accordance with the JSON specification. Special characters in JSON strings must be preceded with the \ character: " (double quotes), / (slash), \ (backslash). E.g., `"\\local\\enterprise\\Users\\Jason Smith"`. Trailing commas are not supported.
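The reference table at the top of this page, the escaping rules in this section and the Write Activity Records endpoint together constrain what an input Activity Record may contain. The following Python, added here and not Netwrix code, validates a record against those constraints and serializes it as XML and JSON; the helper names, the sample record and the ISO 8601 pattern used for When are assumptions.

```python
"""Validate and serialize input Activity Records for the Netwrix Auditor
Integration API (added example, not Netwrix code). Element names, mandatory
flags, nvarchar limits, batch limits and escaping rules come from this page;
the helper names and the sample record are this example's own."""
import json
import re
from xml.sax.saxutils import escape
import xml.etree.ElementTree as ET

NS = "http://schemas.netwrix.com/api/v1/activity_records/"
MANDATORY = ("Who", "Action", "What", "When", "Where", "ObjectType")
NVARCHAR_255 = ("Who", "Where", "ObjectType")  # What and Workstation are nvarchar max
MAX_RECORDS = 1000                             # recommended per input file
MAX_BYTES = 50 * 1024 * 1024                   # recommended 50MB per input file
# The page's examples use ISO 8601 with Z or an offset; the full list of accepted
# datetime formats is not reproduced on this page, so this pattern is an assumption.
WHEN_RE = re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})$")
# saxutils.escape handles & < > itself; the two quote entities come from this map.
XML_ENTITIES = {'"': "&quot;", "'": "&apos;"}


def validate_record(rec):
    """Return the problems found in one input record (empty list = acceptable)."""
    problems = [f"missing mandatory element {n}" for n in MANDATORY if not rec.get(n)]
    problems += [f"{n} exceeds nvarchar 255" for n in NVARCHAR_255
                 if len(str(rec.get(n, ""))) > 255]
    when = rec.get("When", "")
    if when and not WHEN_RE.match(when):
        problems.append(f"When is not an ISO 8601 dateTime: {when!r}")
    for d in rec.get("DetailList", []):
        if not d.get("PropertyName"):
            problems.append("Detail without mandatory PropertyName")
        elif len(d["PropertyName"]) > 255:
            problems.append("PropertyName exceeds nvarchar 255")
    return problems


def _el(name, text, indent):
    """One leaf element with the five XML entities applied to its text."""
    return f"{' ' * indent}<{name}>{escape(str(text), XML_ENTITIES)}</{name}>"


def to_xml(records):
    """Serialize records as an ActivityRecordList document."""
    out = ['<?xml version="1.0" encoding="UTF-8" ?>', f'<ActivityRecordList xmlns="{NS}">']
    for rec in records:
        out.append("  <ActivityRecord>")
        for name in ("Who", "ObjectType", "Action", "What", "When", "Where", "Workstation"):
            if name in rec:
                out.append(_el(name, rec[name], 4))
        for group in ("MonitoringPlan", "Item"):  # optional; sub-elements ID/Name and Name
            if group in rec:
                out.append(f"    <{group}>")
                out += [_el(k, v, 6) for k, v in rec[group].items()]
                out.append(f"    </{group}>")
        if rec.get("DetailList"):
            out.append("    <DetailList>")
            for d in rec["DetailList"]:
                out.append("      <Detail>")
                out += [_el(s, d[s], 8) for s in ("Before", "After", "PropertyName") if s in d]
                out.append("      </Detail>")
            out.append("    </DetailList>")
        out.append("  </ActivityRecord>")
    out.append("</ActivityRecordList>")
    doc = "\n".join(out)
    ET.fromstring(doc.encode("utf-8"))  # self-check: the result must be well-formed XML
    return doc


def to_json(records):
    """Serialize records as a JSON array. json.dumps escapes " and \\ and emits no
    trailing commas; the page also wants / escaped, which JSON allows as \\/."""
    doc = json.dumps(records, indent=2).replace("/", "\\/")
    assert json.loads(doc) == records  # self-check: escaping must round-trip
    return doc


def check_batch(records):
    """Apply the recommended input-file limits plus per-record validation."""
    problems = []
    if len(records) > MAX_RECORDS:
        problems.append(f"{len(records)} records exceed the recommended {MAX_RECORDS}")
    if len(to_json(records).encode("utf-8")) > MAX_BYTES:
        problems.append("input exceeds the recommended 50MB")
    for i, rec in enumerate(records):
        problems += [f"record {i}: {p}" for p in validate_record(rec)]
    return problems


# Constructed sample record; its values contain every character the Post Data
# section says must be escaped.
SAMPLE = {
    "Who": "ENTERPRISE\\O'Hara",
    "Action": "Added",
    "What": 'Ally & Sons <Contract> "2017/03"',
    "When": "2017-03-17T09:37:11Z",
    "Where": "FileStorage.enterprise.local",
    "ObjectType": "File",
    "Workstation": "WKSwin12.enterprise.local",
    "DetailList": [{"PropertyName": "Path", "Before": "", "After": "\\\\fs\\share\\Ally & Sons"}],
}
```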
Search Parameters
Send the search parameters in the POST request body to narrow down the search results returned by the /netwrix/api/v1/activity_records/search endpoint. The Search parameters file includes one or more filters with operators and values (e.g., to find entries where data source is SharePoint); it may also contain a Continuation Mark. Generally, the Search parameters file looks similar to the following:
XML:

```xml
<?xml version="1.0" encoding="utf-8"?>
<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ContinuationMark>Continuation mark</ContinuationMark>
  <FilterList>
    <Filter1>Value</Filter1>
    <Filter2>Value1</Filter2>
    <Filter2>Value2</Filter2>
    <Filter3 Operator="MatchType1">Value1</Filter3>
    <Filter3 Operator="MatchType2">Value2</Filter3>
    <Filter4>Value1</Filter4>
    <Filter4 Operator="MatchType">Value2</Filter4>
  </FilterList>
</ActivityRecordSearch>
```

JSON:

```json
{
  "ContinuationMark": "Continuation Mark",
  "FilterList": {
    "Filter1": "Value",
    "Filter2": [ "Value1", "Value2" ],
    "Filter3": {
      "MatchType1": "Value1",
      "MatchType2": "Value2"
    },
    "Filter4": [ "Value1", { "MatchType": "Value2" } ]
  }
}
```
Ensure to pass information about the transferred data, including Content-Type: application/xml or application/json, and encoding. The syntax greatly depends on the tool you use.
Schema
Format | Schema description |
---|---|
XML | The file must be compatible with the XML schema. On the computer where Auditor Server resides, you can find the XSD file under Netwrix_Auditor_installation_folder\Audit Core\API Schemas. The ActivityRecordSearch root element includes the FilterList element with one or more Filter elements inside. The root element may also contain a ContinuationMark element. Each Filter specified within the FilterList must have a value to search for. The element may also include a modifier, a match type operator (the Operator attribute). minOccurs="0" indicates that the element is optional and may be absent in the Search parameters. |
JSON | The FilterList object includes one or more Filter entries. The JSON may also contain a ContinuationMark field. Each Filter specified within the FilterList must have a value to search for. The entry may also include a modifier, a match type operator. |
Example
XML:

```xml
<?xml version="1.0" encoding="utf-8"?>
<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <FilterList>
    <Who Operator="NotEqualTo">Administrator</Who>
    <MonitoringPlan>My Hybrid Cloud enterprise</MonitoringPlan>
    <DataSource>Active Directory</DataSource>
    <DataSource Operator="StartsWith">Exchange</DataSource>
    <Action>Removed</Action>
    <Action>Added</Action>
    <ObjectType Operator="DoesNotContain">Group</ObjectType>
    <When>
      <From>2016-01-16T16:30:00+11:00</From>
      <To>2017-01-01T00:00:00Z</To>
    </When>
  </FilterList>
</ActivityRecordSearch>
```

JSON:

```json
{
  "FilterList": {
    "Who": { "NotEqualTo": "Administrator" },
    "MonitoringPlan": "My Hybrid Cloud enterprise",
    "DataSource": [ "Active Directory", { "StartsWith": "Exchange" } ],
    "Action": [ "Added", "Removed" ],
    "ObjectType": { "DoesNotContain": "Group" },
    "When": {
      "From": "2016-01-16T16:30:00+11:00",
      "To": "2017-01-01T00:00:00Z"
    }
  }
}
```
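The JSON and XML Search parameters above express the same four filter shapes (single value, value list, operator object, mixed list) plus the When range. As an added example that is not Netwrix code, the following Python converts a JSON-shaped Search parameters object into the XML document and back, so one filter definition can be sent in either format; the helper names are assumptions.

```python
"""Convert Netwrix Auditor Search parameters between their JSON and XML shapes
(added example, not Netwrix code). The filter shapes are the four cases shown on
this page: single value, value list, operator object, mixed list, plus the When
range. Helper names are this example's own."""
from xml.sax.saxutils import escape, quoteattr
import xml.etree.ElementTree as ET

NS = "http://schemas.netwrix.com/api/v1/activity_records/"
ENTITIES = {'"': "&quot;", "'": "&apos;"}  # quote entities the page requires; & < > are built in


def normalize(value):
    """Flatten one JSON filter value into [(operator or None, value), ...]:
    "V" -> [(None, "V")]; ["V1", "V2"] -> two plain pairs;
    {"StartsWith": "Ex"} -> [("StartsWith", "Ex")]; lists may mix both forms."""
    if isinstance(value, str):
        return [(None, value)]
    if isinstance(value, dict):
        return list(value.items())
    return [pair for item in value for pair in normalize(item)]


def denormalize(pairs):
    """Pick the most compact JSON shape the page shows for a list of pairs."""
    if all(op is None for op, _ in pairs):
        return pairs[0][1] if len(pairs) == 1 else [v for _, v in pairs]
    ops = [op for op, _ in pairs]
    if all(ops) and len(set(ops)) == len(ops):  # operators only, each used once
        return dict(pairs)
    return [v if op is None else {op: v} for op, v in pairs]  # mixed list


def search_to_xml(params):
    """Render JSON-shaped Search parameters as an ActivityRecordSearch document.
    An operator becomes the Operator attribute; repeated values repeat the element."""
    out = ['<?xml version="1.0" encoding="utf-8"?>', f'<ActivityRecordSearch xmlns="{NS}">']
    if "ContinuationMark" in params:
        out.append(f"  <ContinuationMark>{escape(params['ContinuationMark'])}</ContinuationMark>")
    out.append("  <FilterList>")
    for name, value in params["FilterList"].items():
        if name == "When":  # time range: From/To sub-elements instead of values
            out.append("    <When>")
            out += [f"      <{b}>{escape(value[b])}</{b}>" for b in ("From", "To") if b in value]
            out.append("    </When>")
            continue
        for op, v in normalize(value):
            attr = f" Operator={quoteattr(op)}" if op else ""
            out.append(f"    <{name}{attr}>{escape(v, ENTITIES)}</{name}>")
    out += ["  </FilterList>", "</ActivityRecordSearch>"]
    doc = "\n".join(out)
    ET.fromstring(doc.encode("utf-8"))  # self-check: must be well-formed XML
    return doc


def _local(el):
    """Element name without the {namespace} prefix ElementTree attaches."""
    return el.tag.split("}")[-1]


def search_to_json(doc):
    """Inverse: parse an ActivityRecordSearch document into the JSON shape."""
    root = ET.fromstring(doc.encode("utf-8"))
    ns = {"n": NS}
    params = {}
    mark = root.find("n:ContinuationMark", ns)
    if mark is not None:
        params["ContinuationMark"] = mark.text
    collected = {}
    for el in root.find("n:FilterList", ns):
        name = _local(el)
        if name == "When":
            collected["When"] = {_local(child): child.text for child in el}
            continue
        collected.setdefault(name, []).append((el.get("Operator"), el.text))
    params["FilterList"] = {n: (p if n == "When" else denormalize(p)) for n, p in collected.items()}
    return params


# The JSON Search parameters example from this page, used as input.
PAGE_EXAMPLE = {
    "FilterList": {
        "Who": {"NotEqualTo": "Administrator"},
        "MonitoringPlan": "My Hybrid Cloud enterprise",
        "DataSource": ["Active Directory", {"StartsWith": "Exchange"}],
        "Action": ["Added", "Removed"],
        "ObjectType": {"DoesNotContain": "Group"},
        "When": {"From": "2016-01-16T16:30:00+11:00", "To": "2017-01-01T00:00:00Z"},
    }
}
```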
Retrieve Activity Records
Endpoint
Use this endpoint to export data from the Audit Database. By default, the first 1,000 Activity Records are returned. To get the next Activity Records, send a POST request to the same endpoint containing a Continuation mark.
Method | Endpoint | POST Data |
---|---|---|
GET | https://{host:port}/netwrix/api/v1/activity_records/enum{?format=json}{&count=Number} | — |
POST | https://{host:port}/netwrix/api/v1/activity_records/enum{?format=json}{&count=Number} | Continuation Mark |
Request Parameters
Parameter | Mandatory | Description |
---|---|---|
host:port | Yes | Replace with the IP address or name of your Netwrix Auditor Server host and its port (e.g., 172.28.6.15:9699, stationwin12:9699, WKSWin2012.enterprise.local:9699). With HTTPS enabled, provide the computer name as it appears in the certificate properties. |
format=json | No | Add this parameter to retrieve data in JSON format. Otherwise, XML-formatted Activity Records will be returned. |
count=Number | No | Add this parameter to define the number of Activity Records to be exported. Replace Number with a number (e.g., &count=1500 ). |
Optional parameters (format and count) can be provided in any order. The first parameter must start with ?, the others are joined with &, no spaces required (e.g., ?format=json&count=1500).
Response
Request Status | Response |
---|---|
Success | The HTTP status code in the response header is 200 OK. The response body contains Activity Records and a Continuation Mark. |
Error | The header status code is an error code. Depending on the error code, the response body may contain an error object. |

Successful response header, XML:

```http
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 311896
Content-Type: application/xml
Date: Fri, 08 Apr 2017 13:56:22 GMT
```

or, JSON:

```http
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 311896
Content-Type: application/json
Date: Fri, 08 Apr 2017 13:56:22 GMT
```
Usage Example—Retrieve All Activity Records
This example describes how to retrieve all Activity Records from the Audit Database.
Step 1 – Send a GET request. For example:
Format | Request |
---|---|
XML | curl https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum -u Enterprise\NetwrixUser:NetwrixIsCool |
JSON | curl https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum?format=json -u Enterprise\NetwrixUser:NetwrixIsCool |
Step 2 – Receive the response. Activity Records are retrieved according to the account's delegated scope. Below is an example of a successful GET request. The status is 200 OK. For XML, the response body contains the ActivityRecordList root element with Activity Records and a Continuation mark inside. For JSON, the response body contains the ActivityRecordList array with Activity Records collected in braces and a Continuation mark.
XML:

```xml
<?xml version="1.0" standalone="yes"?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ContinuationMark>PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A</ContinuationMark>
  <ActivityRecord>
    <MonitoringPlan>
      <Name>AD Monitoring</Name>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    </MonitoringPlan>
    <DataSource>Active Directory</DataSource>
    <Item>
      <Name>enterprise.local (Domain)</Name>
    </Item>
    <ObjectType>user</ObjectType>
    <RID>20160215110503420B9451771F5964A9EAC0A5F35307EA155</RID>
    <What>\local\enterprise\Users\Jason Smith</What>
    <Action>Added</Action>
    <When>2017-02-14T15:42:34Z</When>
    <Where>EnterpriseDC1.enterprise.local</Where>
    <Who>ENTERPRISE\Administrator</Who>
    <Workstation>EnterpriseDC1.enterprise.local</Workstation>
  </ActivityRecord>
  <ActivityRecord>...</ActivityRecord>
  <ActivityRecord>...</ActivityRecord>
</ActivityRecordList>
```

JSON:

```json
{
  "ActivityRecordList": [
    {
      "Action": "Added",
      "MonitoringPlan": {
        "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
        "Name": "AD Monitoring"
      },
      "DataSource": "Active Directory",
      "Item": {"Name": "enterprise.local (Domain)"},
      "ObjectType": "user",
      "RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155",
      "What": "\\local\\enterprise\\Users\\Jason Smith",
      "When": "2017-02-14T15:42:34Z",
      "Where": "EnterpriseDC1.enterprise.local",
      "Who": "ENTERPRISE\\Administrator",
      "Workstation": "EnterpriseDC1.enterprise.local"
    },
    {...},
    {...}
  ],
  "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"
}
```
Step 3 – Continue retrieving Activity Records. Send a POST request containing this Continuation mark to the same endpoint. See the Continuation Mark topic for more information. For example:
XML:

```shell
curl -H "Content-Type: application/xml; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\ContMark.xml
```

where C:\APIdocs\ContMark.xml contains:

```xml
<?xml version="1.0" standalone="yes"?>
<ContinuationMark xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A
</ContinuationMark>
```

JSON:

```shell
curl -H "Content-Type: application/json; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/enum?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\ContMark.json
```

where C:\APIdocs\ContMark.json contains:

```json
"PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A"
```
Ensure to pass information about the transferred data, including Content-Type: application/xml or application/json, and encoding. The syntax greatly depends on the tool you use.
Step 4 – Receive the next response. On success, the status is 200 OK. For XML, the response body contains the ActivityRecordList root element with the next Activity Records and a new Continuation mark inside. For JSON, the response body contains the ActivityRecordList array with the next Activity Records collected in braces and a new Continuation mark.
Step 5 – Continue retrieving Activity Records. Send POST requests containing the new Continuation marks until you receive a 200 OK response with no Activity Records inside the ActivityRecordList. This means you have reached the end of the Audit Database.
Search Activity Records
The search functionality in the Netwrix Auditor Integration API reproduces the interactive search available in the Netwrix Auditor client. See the Netwrix Auditor Intelligence Guide and the View and Search Collected Data topic for detailed instructions on how to search and filter audit data.
Like the interactive search in the Netwrix Auditor client, this REST API endpoint allows you to retrieve Activity Records matching certain criteria. You can create your own set of filters in the Search parameters file. See the Search Parameters topic for more information. Activity Records are retrieved according to the account's delegated scope.
Endpoint
To retrieve Activity Records matching certain criteria, send a POST request containing search parameters (which may also include a Continuation mark). See the Search Parameters topic for more information.
Method | Endpoint | POST Data |
---|---|---|
POST | https://{host:port}/netwrix/api/v1/activity_records/search{?format=json}{&count=Number} | Search Parameters |
Request Parameters
Parameter | Mandatory | Description |
---|---|---|
host:port | Yes | Replace with the IP address or name of your Netwrix Auditor Server host and its port (e.g., 172.28.6.15:9699, stationwin12:9699, WKSWin2012.enterprise.local:9699). With HTTPS enabled, provide the computer name as it appears in the certificate properties. |
format=json | No | Add this parameter to retrieve data in JSON format. Otherwise, XML-formatted Activity Records will be returned. |
count=Number | No | Add this parameter to define the number of Activity Records to be exported. Replace Number with a number (e.g., ?count=1500 ). |
Optional parameters (format and count) can be provided in any order. The first parameter must start with ?, the others are joined with &, no spaces required (e.g., ?format=json&count=1500).
Response
Request Status | Response |
---|---|
Success | The HTTP status code in the response header is 200 OK. The response body contains Activity Records and a Continuation Mark. |
Error | The header status code is an error code. Depending on the error code, the response body may contain an error object. |

Successful response header, XML:

```http
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 311896
Content-Type: application/xml
Date: Fri, 08 Apr 2017 13:56:22 GMT
```

or, JSON:

```http
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 311896
Content-Type: application/json
Date: Fri, 08 Apr 2017 13:56:22 GMT
```
Usage Example—Retrieve All Activity Records Matching Search Criteria
Follow the steps below to retrieve all Activity Records matching search criteria.
Step 1 – Send a POST request containing search parameters. See the Search Parameters topic for more information.
As an example, this request retrieves Activity Records where the administrator added new objects to the Active Directory domain. Groups and group policies are not taken into account. Changes could only have occurred between September 16, 2016 and March 16, 2017.
Ensure to pass information about the transferred data, including Content-Type: application/xml or application/json, and encoding. The syntax greatly depends on the tool you use.
Step 2 – Receive the response. Activity Records are retrieved according to the account's delegated scope. Below is an example of a successful search request. The status is 200 OK. For XML, the response body contains the ActivityRecordList root element with Activity Records matching the filter criteria and a Continuation mark inside. For JSON, the response body contains the ActivityRecordList array with Activity Records matching the filter criteria collected in braces, and a Continuation mark.
XML:

```xml
<?xml version="1.0" standalone="yes"?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ContinuationMark>PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A</ContinuationMark>
  <ActivityRecord>
    <MonitoringPlan>
      <Name>AD Monitoring</Name>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    </MonitoringPlan>
    <DataSource>Active Directory</DataSource>
    <Item>
      <Name>enterprise.local (Domain)</Name>
    </Item>
    <ObjectType>user</ObjectType>
    <RID>20160215110503420B9451771F5964A9EAC0A5F35307EA155</RID>
    <What>\local\enterprise\Users\Jason Smith</What>
    <Action>Added</Action>
    <When>2017-02-14T15:42:34Z</When>
    <Where>EnterpriseDC1.enterprise.local</Where>
    <Who>ENTERPRISE\Administrator</Who>
    <Workstation>EnterpriseDC1.enterprise.local</Workstation>
  </ActivityRecord>
  <ActivityRecord>...</ActivityRecord>
  <ActivityRecord>...</ActivityRecord>
</ActivityRecordList>
```

JSON:

```json
{
  "ActivityRecordList": [
    {
      "Action": "Added",
      "MonitoringPlan": {
        "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
        "Name": "AD Monitoring"
      },
      "DataSource": "Active Directory",
      "Item": {"Name": "enterprise.local (Domain)"},
      "ObjectType": "user",
      "RID": "20160215110503420B9451771F5964A9EAC0A5F35307EA155",
      "What": "\\local\\enterprise\\Users\\Jason Smith",
      "When": "2017-02-14T15:42:34Z",
      "Where": "EnterpriseDC1.enterprise.local",
      "Who": "ENTERPRISE\\Administrator",
      "Workstation": "EnterpriseDC1.enterprise.local"
    },
    {...},
    {...}
  ],
  "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A"
}
```
Step 3 – Continue retrieving Activity Records. Send a POST request containing your search parameters and this Continuation mark to the same endpoint. See the Continuation Mark topic for more information.
XML:

```shell
curl -H "Content-Type:application/xml; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/search -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.xml
```

where C:\APIdocs\Search.xml contains:

```xml
<?xml version="1.0" standalone="yes"?>
<ActivityRecordSearch xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ContinuationMark>PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A</ContinuationMark>
  <FilterList>
    <Who>Administrator</Who>
    <DataSource>Active Directory</DataSource>
    <Action>Added</Action>
    <ObjectType Operator="DoesNotContain">Group</ObjectType>
    <When>
      <From>2016-09-16T16:30:00+11:00</From>
      <To>2017-03-16T00:00:00Z</To>
    </When>
  </FilterList>
</ActivityRecordSearch>
```

JSON:

```shell
curl -H "Content-Type:application/json; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/search?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Search.json
```

where C:\APIdocs\Search.json contains:

```json
{
  "ContinuationMark": "PG5yPjxuIG49IntFNzA...PjwvYT48L24+PC9ucj4A+PC9ucj4A",
  "FilterList": {
    "Who": "Administrator",
    "DataSource": "Active Directory",
    "Action": "Added",
    "ObjectType": { "DoesNotContain": "Group"},
    "When": {
      "From": "2016-09-16T16:30:00+11:00",
      "To": "2017-03-16T00:00:00Z"
    }
  }
}
```
Ensure to pass information about the transferred data, including Content-Type: application/xml or application/json, and encoding. The syntax greatly depends on the tool you use.
__Step 4 –__ Receive the next response. On success, the status is 200 OK. For XML, the response body contains the ActivityRecordList root element with the next Activity Records and a new Continuation mark inside. For JSON, the response body contains the ActivityRecordList array with the next Activity Records (one object per record) and a new Continuation mark.
__Step 5 –__ Continue retrieving Activity Records. Send POST requests containing the same search parameters with each new Continuation mark until you receive a 200 OK response with no Activity Records inside the ActivityRecordList. That means you have retrieved all Activity Records matching your search criteria. Keep the FilterList identical across these requests: a Continuation mark continues the search that produced it.
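The loop described in Steps 3 to 5, as an added example that is not Netwrix code or part of the original page. The HTTP transport is injected as a callable so the paging logic can be exercised offline against a constructed fake server; the server class, the "mark:<n>" mark format and the sample records are assumptions made for the demonstration, not the product's behaviour.

```python
"""Page through /netwrix/api/v1/activity_records/search with Continuation marks.

Added example, not Netwrix code.  The HTTP transport is injected as `post`
(any callable taking (path, body_dict) and returning (status, response_dict))
so the paging logic runs offline against the constructed fake server below.
"""
import copy

SEARCH_PATH = "/netwrix/api/v1/activity_records/search?format=json"


def search_all(post, filter_list, max_pages=10_000):
    """Return every Activity Record matching filter_list.

    Each request resends the unchanged FilterList plus the ContinuationMark
    from the previous response.  The loop ends on a 200 OK whose
    ActivityRecordList is empty; max_pages guards against a server that keeps
    handing back marks.
    """
    records = []
    mark = None
    for _ in range(max_pages):
        body = {"FilterList": copy.deepcopy(filter_list)}
        if mark is not None:
            body["ContinuationMark"] = mark
        status, resp = post(SEARCH_PATH, body)
        if status != 200:
            raise RuntimeError(f"search failed with HTTP {status}: {resp}")
        page = resp.get("ActivityRecordList") or []
        if not page:
            return records                      # empty list: the search is exhausted
        records.extend(page)
        mark = resp.get("ContinuationMark")
        if not mark:                            # defensive: no mark means nothing more to ask for
            return records
    raise RuntimeError(f"gave up after {max_pages} pages")


class FakeAuditorServer:
    """Constructed stand-in for the search endpoint (an assumption, not the real server).

    Serves `pages` in order, keyed by an opaque mark of the form "mark:<n>",
    and answers 400 if a later request changes the FilterList, modelling the
    rule that a mark only continues the search that produced it.
    """

    def __init__(self, pages):
        self.pages = pages
        self.first_filter = None
        self.calls = 0

    def post(self, path, body):
        self.calls += 1
        if self.first_filter is None:
            self.first_filter = copy.deepcopy(body["FilterList"])
        elif body["FilterList"] != self.first_filter:
            return 400, {"ErrorList": [{"Message": "FilterList differs from the original search"}]}
        mark = body.get("ContinuationMark")
        index = 0 if mark is None else int(mark.split(":", 1)[1])
        if index >= len(self.pages):
            return 200, {"ActivityRecordList": []}      # terminating response
        return 200, {"ActivityRecordList": self.pages[index],
                     "ContinuationMark": f"mark:{index + 1}"}


# Constructed sample data shaped like the page's JSON response, split into two pages.
SAMPLE_PAGES = [
    [{"RID": "R1", "Who": "ENTERPRISE\\Administrator", "Action": "Added",
      "What": "\\local\\enterprise\\Users\\Jason Smith",
      "When": "2017-02-14T15:42:34Z", "DataSource": "Active Directory"},
     {"RID": "R2", "Who": "ENTERPRISE\\Administrator", "Action": "Added",
      "What": "\\local\\enterprise\\Users\\Mary Jones",
      "When": "2017-02-14T15:43:10Z", "DataSource": "Active Directory"}],
    [{"RID": "R3", "Who": "ENTERPRISE\\Administrator", "Action": "Added",
      "What": "\\local\\enterprise\\Computers\\WKS042",
      "When": "2017-02-15T08:01:00Z", "DataSource": "Active Directory"}],
]

# The FilterList from the page's search example.
FILTER = {"Who": "Administrator", "DataSource": "Active Directory", "Action": "Added",
          "ObjectType": {"DoesNotContain": "Group"},
          "When": {"From": "2016-09-16T16:30:00+11:00", "To": "2017-03-16T00:00:00Z"}}


def demo():
    """Run the loop against the fake server; returns (RIDs in order, requests sent)."""
    server = FakeAuditorServer(SAMPLE_PAGES)
    rids = [r["RID"] for r in search_all(server.post, FILTER)]
    return rids, server.calls


if __name__ == "__main__":
    print(demo())   # (['R1', 'R2', 'R3'], 3): two data pages plus the empty terminating response
```

Against the real server, `post` would be a thin wrapper that sends the body with curl or an HTTP library using the Content-Type header and credentials shown above; the loop itself does not change. The third request in the demo is the one that returns an empty ActivityRecordList, which is the only signal that the search is complete.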
Write Activity Records
Endpoint
Write data to the Audit Database and to the Long-Term Archive. By default, all imported data is written to a special Netwrix_Auditor_API database and recognized as the Netwrix API data source. This data is not associated with any monitoring plan in the product. You can associate Activity Records with a plan, in this case data will be written to a database linked to this plan. Make sure the plan you specify is already created in Netwrix Auditor, the Netwrix API data source is added to the plan and enabled for monitoring.
To feed data, send a POST request containing Activity Records. The user sending the request must be assigned the Contributor role in Netwrix Auditor. After the data is written to the Audit Database it becomes available for search in the Netwrix Auditor client and through the /netwrix/api/v1/activity_records/search and /netwrix/api/v1/activity_records/enum endpoints. Because imported records are searchable alongside the data the product collects itself, grant the Contributor role only to the account that performs the integration; imported records remain distinguishable by their Netwrix API data source.
Method | Endpoint | POST Data |
---|---|---|
POST | https://{host:port}/netwrix/api/v1/activity_records/{?format=json} | Activity Records |
Netwrix recommends limiting the input Activity Records file to 50MB and maximum 1,000 Activity Records.
Request Parameters
Parameter | Mandatory | Description |
---|---|---|
host:port | Yes | Replace with the IP address or name of your Netwrix Auditor Server host and port (e.g., 172.28.6.15:9699, stationwin12:9699, WKSWin2012.enterprise.local:9699). With HTTPS enabled, use the computer name exactly as it appears in the certificate properties so the client can validate the certificate; do not work around a name mismatch by disabling verification (for example, curl -k). |
?format=json | No | Add this parameter to write data in JSON format. Otherwise, Netwrix Auditor Server will expect XML-formatted Activity Records and will consider JSON invalid. |
Response
Request Status | Response |
---|---|
Success | The HTTP status code in the response header is 200 OK and the body is empty. |
Error | The header status code is an error code. Depending on the error code, the response body may contain an error object. See Response Status Codes for more information. |

Example of a successful response:

```http
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 0
Content-Type: text/plain
Date: Fri, 08 Apr 2017 13:56:22 GMT
```
Usage Example—Write Data
This example describes how to feed Activity Records to the Audit Database.
__Step 1 –__ Send a POST request containing Activity Records. For example:
XML

```shell
curl -H "Content-Type:application/xml; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/ -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.xml
```

Contents of Input.xml:

```xml
<?xml version="1.0" encoding="utf-8"?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ActivityRecord>
    <Who>Admin</Who>
    <ObjectType>Stored Procedure</ObjectType>
    <Action>Added</Action>
    <What>Databases\ReportServer\Stored Procedures\dbo.sp_New</What>
    <MonitoringPlan>
      <Name>Integrations and custom sources</Name>
    </MonitoringPlan>
    <Where>WKSWin12SQL</Where>
    <When>2017-02-19T03:43:49-11:00</When>
  </ActivityRecord>
  <ActivityRecord>
    <Action>Modified</Action>
    <ObjectType>Mailbox</ObjectType>
    <What>Shared Mailbox</What>
    <When>2017-02-10T14:46:00Z</When>
    <Where>BLUPR05MB1940</Where>
    <Who>admin@enterprise.onmicrosoft.com</Who>
    <DetailList>
      <Detail>
        <PropertyName>Custom_Attribute</PropertyName>
        <Before>1</Before>
        <After>2</After>
      </Detail>
    </DetailList>
  </ActivityRecord>
</ActivityRecordList>
```
JSON

```shell
curl -H "Content-Type:application/json; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.json
```

Contents of Input.json:

```json
[
  {
    "Who": "Admin",
    "ObjectType": "Stored Procedure",
    "Action": "Added",
    "MonitoringPlan": {"Name": "Integrations and custom sources"},
    "What": "Databases\\ReportServer\\Stored Procedures\\dbo.sp_New",
    "Where": "WKSWin12SQL",
    "When": "2017-02-19T03:43:49-11:00"
  },
  {
    "Action": "Modified",
    "ObjectType": "Mailbox",
    "What": "Shared Mailbox",
    "When": "2017-02-10T14:46:00Z",
    "Where": "BLUPR05MB1940",
    "Who": "admin@enterprise.onmicrosoft.com",
    "DetailList": [
      {
        "PropertyName": "Custom_Attribute",
        "Before": "1",
        "After": "2"
      }
    ]
  }
]
```
As with search requests, make sure your client sends the content type and encoding of the transferred data (Content-Type: application/xml or application/json with the charset); the exact syntax depends on the tool you use.
__Step 2 –__ Receive the response. Below is an example of a successful write request. The status is 200 OK and the body is empty.

```http
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 0
Content-Type: text/plain
Date: Fri, 08 Apr 2017 13:56:22 GMT
```
__Step 3 –__ Send more POST requests containing Activity Records if necessary, keeping each request within the recommended limits of 50MB and 1,000 Activity Records.

__Step 4 –__ Check that the posted data is now available in the Audit Database. Run a search request against the [/netwrix/api/v1/activity_records/search](/docs/auditor/10.6/api/activity-records.md) endpoint or use interactive search in the Netwrix Auditor client.

__Step 5 –__ Note that for input Activity Records the data source is set to Netwrix API, so filtering on that DataSource value returns exactly the records you wrote.
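Preparing the request bodies for this procedure, as an added example that is not Netwrix code or part of the original page. It checks the elements the reference table marks mandatory (Who, Action, What, When) before anything reaches the Audit Database, optionally attaches a MonitoringPlan, and splits the input into JSON arrays that stay within the recommended 1,000 records and 50MB per request. The function names, the sample records and the size accounting are assumptions made for the demonstration.

```python
"""Validate and batch Activity Records for POST /netwrix/api/v1/activity_records/?format=json.

Added example, not Netwrix code.  Client-side checks of the mandatory
elements (Who, Action, What, When) and of the recommended request limits;
the helper names and sample records are assumptions made for the example.
"""
import json
from datetime import datetime

MANDATORY = ("Who", "Action", "What", "When")
MAX_RECORDS = 1000
MAX_BYTES = 50 * 1024 * 1024


def validate_record(record):
    """Raise ValueError if a mandatory element is missing or When is not an ISO 8601 dateTime."""
    missing = [k for k in MANDATORY if not record.get(k)]
    if missing:
        raise ValueError(f"missing mandatory element(s) {missing} in {record!r}")
    when = record["When"]
    try:
        # fromisoformat accepts numeric offsets such as -11:00; a trailing Z is
        # only accepted from Python 3.11 on, so normalise it first.
        datetime.fromisoformat(when.replace("Z", "+00:00"))
    except (ValueError, AttributeError):
        raise ValueError(f"When is not an ISO 8601 dateTime: {when!r}") from None
    return record


def batch_records(records, plan_name=None, max_records=MAX_RECORDS, max_bytes=MAX_BYTES):
    """Return a list of UTF-8 JSON bodies, each a JSON array of validated records.

    plan_name, when given, is written into each record's MonitoringPlan so the
    data lands in that plan's database instead of Netwrix_Auditor_API.  A single
    record larger than max_bytes still gets a body of its own rather than being
    silently dropped.
    """
    bodies, current, size = [], [], 2            # 2 bytes for the enclosing "[" and "]"
    for rec in records:
        rec = dict(validate_record(rec))         # copy so the caller's dict is not mutated
        if plan_name:
            rec["MonitoringPlan"] = {"Name": plan_name}
        # +2 for the ", " separator json.dumps emits between array items
        # (overcounts by two bytes per body, which errs on the safe side).
        encoded = len(json.dumps(rec).encode("utf-8")) + 2
        if current and (len(current) == max_records or size + encoded > max_bytes):
            bodies.append(json.dumps(current).encode("utf-8"))
            current, size = [], 2
        current.append(rec)
        size += encoded
    if current:
        bodies.append(json.dumps(current).encode("utf-8"))
    return bodies


# Constructed sample records modelled on the page's write examples.
SAMPLE = [
    {"Who": "Admin", "ObjectType": "Stored Procedure", "Action": "Added",
     "What": "Databases\\ReportServer\\Stored Procedures\\dbo.sp_New",
     "Where": "WKSWin12SQL", "When": "2017-02-19T03:43:49-11:00"},
    {"Who": "admin@enterprise.onmicrosoft.com", "Action": "Modified",
     "ObjectType": "Mailbox", "What": "Shared Mailbox", "When": "2017-02-10T14:46:00Z",
     "Where": "BLUPR05MB1940",
     "DetailList": [{"PropertyName": "Custom_Attribute", "Before": "1", "After": "2"}]},
]


def demo():
    """Batch SAMPLE with a one-record cap to show the split; returns records per body."""
    bodies = batch_records(SAMPLE, plan_name="Integrations and custom sources", max_records=1)
    return [len(json.loads(b)) for b in bodies]


if __name__ == "__main__":
    print(demo())    # [1, 1]
```

Each returned body is one request: write it to a file and send it with the JSON curl command from Step 1 (`--data-binary @Input.json` with `?format=json`), or pipe it to curl with `--data-binary @-`. Records without a MonitoringPlan are written to Netwrix_Auditor_API, as the endpoint description states, so pass plan_name only when that plan exists and has the Netwrix API data source enabled.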
