
Operators

Review the table below to learn more about operators.

| Operator | Description | Example |
| --- | --- | --- |
| Contains | This operator shows all entries that contain a value specified in the filter. | If you set the Who filter to contains John, you will get the following results: Domain1\John, Domain1\Johnson, Domain2\Johnny, John@domain.com. |
| Equals | This operator shows all entries with the exact value specified. Make sure to provide a full object name or path. To apply this operator when adding filters in the Simple mode, provide a value in quotation marks (e.g., "Domain1\John"). | Use this operator if you want to get precise results, e.g., \FS\Share\NewPolicy.docx. |
| Not equal to | This operator shows all entries except those with the exact value specified. In the Search field in the Simple mode, this operator appears as not, e.g., Who not for the Who filter. | If you set the Who filter to not equal to Domain1\John, you will exclude the exact user specified and find all changes performed by other users, e.g., Domain1\Johnson, Domain2\John. |
| Starts with | This operator shows all entries that start with the specified value. | If you set the Who filter to starts with Domain1\John, you will find all changes performed by Domain1\John, Domain1\Johnson, and Domain1\Johnny. |
| Ends with | This operator shows all entries that end with the exact specified value. | If you set the Who filter to ends with John, you will find all changes performed by Domain1\John, Domain2\Dr.John, Domain3\John. |
| Does not contain | This operator shows all entries except those that contain the specified value. In the Search field in the Simple mode, this operator appears as not, e.g., Who not for the Who filter. | If you set the Who filter to does not contain John, you will exclude the following users: Domain1\John, Domain2\Johnson, and Johnny@domain.com. |
| In group | This operator relates to the Who filter. It instructs Netwrix Auditor to show only data for the accounts included in the specified group. | If you set the In group condition for the Who filter to Domain\Administrators, only the data for the accounts included in that group will be displayed. |
| Not in group | This operator relates to the Who filter. It instructs Netwrix Auditor to show only data for the accounts not included in the specified group. | If you set the Not in group condition for the Who filter to Domain\Administrators, only the data for the accounts not included in that group will be displayed. |

Reference for Creating Search Parameters File

Review this section to learn more about operators and how to apply them to Activity Record filters to create a unique search. You can:

  • Add different filters to your search. Search results will match all selected filters, since different filters work as a logical AND.

    | Format | Example |
    | --- | --- |
    | XML | `<Who Operator="Equals">Admin</Who> <DataSource Operator="NotEqualTo">Active Directory</DataSource> <What>User</What>` |
    | JSON | `"Who" : { "Equals" : "Admin" }, "DataSource" : { "NotEqualTo" : "Active Directory" }, "What" : "User"` |
  • Specify several values for the same filter. To do this, add two entries one after another.

    Entries with the Equals, Contains, StartsWith, EndsWith, and InGroup operators work as a logical OR (Activity Records with either of the following values will be returned). Entries with the DoesNotContain and NotEqualTo operators work as a logical AND (Activity Records with neither of the following values will be returned).

    | Format | Example |
    | --- | --- |
    | XML | `<Who>Admin</Who> <Who>Analyst</Who>` |
    | JSON | `"Who" : [ "Admin" , "Analyst" ]` |

    In JSON, use square brackets to add several values for the entry.
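The AND/OR rules above, worked through in code. This is an added example and not Netwrix Auditor's own code: it evaluates the JSON filter shapes shown on this page (bare value, `{ "Operator" : value }`, and a list of several entries) against constructed sample Activity Records, and renders the same filters in the XML form. The sample records, plain case-sensitive string comparison, and the rule used when OR-type and AND-type entries are mixed on one filter (any OR entry must match, and every AND entry must match) are assumptions of this example.

```python
# Added example (not Netwrix Auditor's own code): a small evaluator for the
# Activity Record filter semantics described above. Assumptions: plain
# case-sensitive string comparison, and, when OR-type and AND-type entries are
# mixed for one filter, any OR entry must match and every AND entry must match.
from __future__ import annotations

from typing import Any
from xml.sax.saxutils import escape

# Constructed sample Activity Records, modelled on the records shown on this page.
SAMPLE_RECORDS = [
    {"Who": "Enterprise\\Administrator", "DataSource": "SharePoint",
     "Action": "Added", "What": "http://demolabsp/lists/Taskslist"},
    {"Who": "Enterprise\\Administrator", "DataSource": "SharePoint",
     "Action": "Read", "What": "http://demolabsp/lists/Taskslist"},
    {"Who": "Enterprise\\Admin", "DataSource": "File Servers",
     "Action": "Added", "What": "Annual_Reports"},
    {"Who": "Enterprise\\Analyst", "DataSource": "Active Directory",
     "Action": "Removed", "What": "Anna.Smith"},
    {"Who": "Domain2\\Dr.John", "DataSource": "Exchange",
     "Action": "Modified", "What": "Shared Mailbox"},
]

# Repeated entries with these operators combine as OR; DoesNotContain and
# NotEqualTo entries combine as AND (see the text above).
OR_OPERATORS = {"Equals", "Contains", "StartsWith", "EndsWith", "InGroup"}


def op_matches(operator: str, actual: str, expected: str) -> bool:
    """Apply one operator to one field value."""
    if operator == "Contains":
        return expected in actual
    if operator == "DoesNotContain":
        return expected not in actual
    if operator == "Equals":
        return actual == expected
    if operator == "NotEqualTo":
        return actual != expected
    if operator == "StartsWith":
        return actual.startswith(expected)
    if operator == "EndsWith":
        return actual.endswith(expected)
    if operator in ("InGroup", "NotInGroup"):
        # Group membership needs a directory lookup this offline example does not have.
        raise NotImplementedError("InGroup/NotInGroup require group membership data")
    raise ValueError(f"unsupported operator: {operator}")


def normalize(spec: Any) -> list[tuple[str, str]]:
    """Expand the JSON filter shapes from the page into (operator, value) entries:
    a bare string means Contains (the default), {"Op": value} names an operator,
    and a list holds several entries for the same filter."""
    entries = spec if isinstance(spec, list) else [spec]
    out: list[tuple[str, str]] = []
    for entry in entries:
        if isinstance(entry, str):
            out.append(("Contains", entry))
        elif isinstance(entry, dict) and len(entry) == 1:
            operator, value = next(iter(entry.items()))
            out.append((operator, value))
        else:
            raise ValueError(f"malformed filter entry: {entry!r}")
    return out


def field_matches(record_value: str, spec: Any) -> bool:
    """Combine several entries for one filter: OR-type entries as OR, AND-type as AND."""
    entries = normalize(spec)
    or_entries = [(op, v) for op, v in entries if op in OR_OPERATORS]
    and_entries = [(op, v) for op, v in entries if op not in OR_OPERATORS]
    or_ok = not or_entries or any(op_matches(op, record_value, v) for op, v in or_entries)
    and_ok = all(op_matches(op, record_value, v) for op, v in and_entries)
    return or_ok and and_ok


def search(records: list[dict[str, str]], filters: dict[str, Any]) -> list[dict[str, str]]:
    """Different filters work as a logical AND: a record must satisfy every one."""
    return [r for r in records
            if all(field_matches(r.get(name, ""), spec) for name, spec in filters.items())]


def to_xml(filters: dict[str, Any]) -> str:
    """Render the same filter set in the page's XML shape; the default Contains
    operator carries no Operator attribute, as in the page's own examples."""
    parts = []
    for name, spec in filters.items():
        for operator, value in normalize(spec):
            attr = "" if operator == "Contains" else f' Operator="{operator}"'
            parts.append(f"<{name}{attr}>{escape(value)}</{name}>")
    return " ".join(parts)


if __name__ == "__main__":
    query = {"Who": "Administrator", "DataSource": "SharePoint", "Action": {"NotEqualTo": "Read"}}
    print(to_xml(query))
    for rec in search(SAMPLE_RECORDS, query):
        print(rec["Who"], rec["Action"], rec["What"])
```

Because Contains is the default operator, the two-value filter `"Who" : [ "Admin" , "Analyst" ]` also matches Enterprise\Administrator, not only Enterprise\Admin and Enterprise\Analyst; that is why the Operators table recommends Equals (a quoted value in the Simple mode) when you need an exact account.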

Review the following examples for additional information. Each example shows a set of filters and the Activity Records matching them.

Example 1

Filters:

  • XML: `<Who>Administrator</Who> <DataSource>SharePoint</DataSource> <Action Operator="NotEqualTo">Read</Action>`
  • JSON: `"Who" : "Admin", "DataSource" : "SharePoint", "Action" : { "NotEqualTo" : "Read" }`

Retrieves all activity records where the administrator performed any action on SharePoint except Read. Matching Activity Records:

```xml
<ActivityRecord>
  <Action>Added</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    <Name>Compliance</Name>
  </MonitoringPlan>
  <DataSource>SharePoint</DataSource>
  <Item>
    <Name>http://demolabsp:8080 (SharePoint farm)</Name>
  </Item>
  <ObjectType>List</ObjectType>
  <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
  <What>http://demolabsp/lists/Taskslist</What>
  <When>2017-02-17T09:28:35Z</When>
  <Where>http://demolabsp</Where>
  <Who>Enterprise\Administrator</Who>
  <Workstation>172.28.15.126</Workstation>
</ActivityRecord>
<ActivityRecord>
  <Action>Removed</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    <Name>Compliance</Name>
  </MonitoringPlan>
  <DataSource>SharePoint</DataSource>
  <Item>
    <Name>http://demolabsp:8080 (SharePoint farm)</Name>
  </Item>
  <ObjectType>List</ObjectType>
  <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D15857</RID>
  <What>http://demolabsp/lists/Old/Taskslist</What>
  <When>2017-02-17T09:28:35Z</When>
  <Where>http://demolabsp</Where>
  <Who>Enterprise\Administrator</Who>
  <Workstation>172.28.15.126</Workstation>
</ActivityRecord>
```

```json
[
  {
    "Action": "Added",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
    "DataSource": "SharePoint",
    "Item": { "Name": "http://demolabsp:8080 (SharePoint farm)" },
    "ObjectType": "List",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
    "What": "http://demolabsp/lists/Taskslist",
    "When": "2017-02-17T09:28:35Z",
    "Where": "http://demolabsp",
    "Who": "Enterprise\\Administrator",
    "Workstation": "172.28.15.126"
  },
  {
    "Action": "Removed",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
    "DataSource": "SharePoint",
    "Item": { "Name": "http://demolabsp:8080 (SharePoint farm)" },
    "ObjectType": "List",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D15857",
    "What": "http://demolabsp/lists/Old/Taskslist",
    "When": "2017-02-17T09:28:35Z",
    "Where": "http://demolabsp",
    "Who": "Enterprise\\Administrator",
    "Workstation": "172.28.15.126"
  }
]
```

Example 2

Filters:

  • XML: `<Who>Administrator</Who> <Action>Added</Action>`
  • JSON: `"Who" : "Administrator", "Action" : "Added"`

Retrieves all activity records where the administrator added an object within any data source. Matching Activity Records:

```xml
<ActivityRecord>
  <Action>Added</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    <Name>Compliance</Name>
  </MonitoringPlan>
  <DataSource>SharePoint</DataSource>
  <Item>
    <Name>http://demolabsp:8080 (SharePoint farm)</Name>
  </Item>
  <ObjectType>List</ObjectType>
  <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
  <What>http://demolabsp/lists/Taskslist</What>
  <When>2017-02-17T09:28:35Z</When>
  <Where>http://demolabsp</Where>
  <Who>Enterprise\Administrator</Who>
  <Workstation>172.28.15.126</Workstation>
</ActivityRecord>
<ActivityRecord>
  <Action>Added</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    <Name>Compliance</Name>
  </MonitoringPlan>
  <DataSource>Exchange</DataSource>
  <Item>
    <Name>enterprise.local (Domain)</Name>
  </Item>
  <ObjectType>Mailbox</ObjectType>
  <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3</RID>
  <What>Shared Mailbox</What>
  <When>2017-02-10T14:46:00Z</When>
  <Where>eswks.enterprise.local</Where>
  <Who>Enterprise\Administrator</Who>
</ActivityRecord>
```

```json
[
  {
    "Action": "Added",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
    "DataSource": "SharePoint",
    "Item": { "Name": "http://demolabsp:8080 (SharePoint farm)" },
    "ObjectType": "List",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
    "What": "http://demolabsp/lists/Taskslist",
    "When": "2017-02-17T09:28:35Z",
    "Where": "http://demolabsp",
    "Who": "Enterprise\\Administrator",
    "Workstation": "172.28.15.126"
  },
  {
    "Action": "Added",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
    "DataSource": "Exchange",
    "Item": { "Name": "enterprise.local (Domain)" },
    "ObjectType": "Mailbox",
    "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DEA3",
    "What": "Shared Mailbox",
    "When": "2017-02-10T14:46:00Z",
    "Where": "eswks.enterprise.local",
    "Who": "Enterprise\\Administrator"
  }
]
```

Example 3

Filters:

  • XML: `<Who>Admin</Who> <Who>Analyst</Who>`
  • JSON: `"Who" : [ "Admin" , "Analyst" ]`

Retrieves all activity records where admin or analyst made any changes within any data source. Matching Activity Records:

```xml
<ActivityRecord>
  <Action>Added</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    <Name>Compliance</Name>
  </MonitoringPlan>
  <DataSource>File Servers</DataSource>
  <Item>
    <Name>wks.enterprise.local (Computer)</Name>
  </Item>
  <ObjectType>Folder</ObjectType>
  <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3</RID>
  <What>Annual_Reports</What>
  <When>2017-02-10T14:46:00Z</When>
  <Where>wks.enterprise.local</Where>
  <Who>Enterprise\Admin</Who>
</ActivityRecord>
<ActivityRecord>
  <Action>Removed</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    <Name>Compliance</Name>
  </MonitoringPlan>
  <DataSource>Active Directory</DataSource>
  <Item>
    <Name>enterprise.local (Domain)</Name>
  </Item>
  <ObjectType>User</ObjectType>
  <RID>2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3</RID>
  <What>Anna.Smith</What>
  <When>2017-02-10T10:46:00Z</When>
  <Where>dc1.enterprise.local</Where>
  <Who>Enterprise\Analyst</Who>
  <Workstation>172.28.6.15</Workstation>
</ActivityRecord>
```

```json
[
  {
    "Action": "Added",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
    "DataSource": "File Servers",
    "Item": { "Name": "wks.enterprise.local (Computer)" },
    "ObjectType": "Folder",
    "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DDA3",
    "What": "Annual_Reports",
    "When": "2017-02-10T14:46:00Z",
    "Where": "wks.enterprise.local",
    "Who": "Enterprise\\Admin"
  },
  {
    "Action": "Removed",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
    "DataSource": "Active Directory",
    "Item": { "Name": "enterprise.local (Domain)" },
    "ObjectType": "User",
    "RID": "2016021116354759207E9DDCEEB674986AD30CD3D13F5DAA3",
    "What": "Anna.Smith",
    "When": "2017-02-10T10:46:00Z",
    "Where": "dc1.enterprise.local",
    "Who": "Enterprise\\Analyst",
    "Workstation": "172.28.6.15"
  }
]
```

Example 4

Filters:

  • XML: `<When> <LastSevenDays/> </When> <When> <From>2017-01-16T16:30:00Z</From> <To>2017-02-01T00:00:00Z</To> </When>`
  • JSON: `"When" : [ {"LastSevenDays" : ""}, { "From" : "2017-01-16T16:30:00Z", "To" : "2017-02-01T00:00:00Z" } ]`

Retrieves all activity records for all data sources and users within the specified date ranges: January 16, 2017 to February 1, 2017, and March 11, 2017 to March 17, 2017 (assuming today is March 17). Matching Activity Records:

```xml
<ActivityRecord>
  <Action>Modified</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23701}</ID>
    <Name>My Cloud</Name>
  </MonitoringPlan>
  <DataSource>Exchange Online</DataSource>
  <Item>
    <Name>mail@corp.onmicrosoft.com (Microsoft 365 tenant)</Name>
  </Item>
  <ObjectType>Mailbox</ObjectType>
  <RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
  <What>Shared Mailbox</What>
  <When>2017-03-17T09:37:11Z</When>
  <Where>BLUPR05MB1940</Where>
  <Who>admin@corp.onmicrosoft.com</Who>
</ActivityRecord>
<ActivityRecord>
  <Action>Successful Logon</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    <Name>Compliance</Name>
  </MonitoringPlan>
  <DataSource>Logon Activity</DataSource>
  <Item>
    <Name>enterprise.local (Domain)</Name>
  </Item>
  <ObjectType>Logon</ObjectType>
  <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
  <What>stationexchange.enterprise.local</What>
  <When>2017-02-17T09:28:35Z</When>
  <Where>enterprisedc1.enterprise.local</Where>
  <Who>ENTERPRISE\Administrator</Who>
  <Workstation>stwin12R2.enterprise.local</Workstation>
</ActivityRecord>
```

```json
[
  {
    "Action": "Modified",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23701}", "Name": "My Cloud" },
    "DataSource": "Exchange Online",
    "Item": { "Name": "mail@corp.onmicrosoft.com (Microsoft 365 tenant)" },
    "ObjectType": "Mailbox",
    "RID": "201602170939597970997D56DDA034420B9044249CC15EC5A",
    "What": "Shared Mailbox",
    "When": "2017-03-17T09:37:11Z",
    "Where": "BLUPR05MB1940",
    "Who": "admin@corp.onmicrosoft.com"
  },
  {
    "Action": "Successful Logon",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
    "DataSource": "Logon Activity",
    "Item": { "Name": "enterprise.local (Domain)" },
    "ObjectType": "Logon",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
    "What": "stationexchange.enterprise.local",
    "When": "2017-02-17T09:28:35Z",
    "Where": "enterprisedc1.enterprise.local",
    "Who": "ENTERPRISE\\Administrator",
    "Workstation": "stwin12R2.enterprise.local"
  }
]
```

Example 5

Filters:

  • XML: `<DataSource>Logon Activity</DataSource>`
  • JSON: `"DataSource" : "Logon Activity"`

Retrieves all activity records for the Logon Activity data source, irrespective of who made the logon attempt and when it was made. Matching Activity Records:

```xml
<ActivityRecord>
  <Action>Successful Logon</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    <Name>Compliance</Name>
  </MonitoringPlan>
  <DataSource>Logon Activity</DataSource>
  <Item>
    <Name>enterprise.local (Domain)</Name>
  </Item>
  <ObjectType>Logon</ObjectType>
  <RID>20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7</RID>
  <What>stationexchange.enterprise.local</What>
  <When>2017-02-17T09:28:35Z</When>
  <Where>enterprisedc1.enterprise.local</Where>
  <Who>ENTERPRISE\Administrator</Who>
  <Workstation>stwin12R2.enterprise.local</Workstation>
</ActivityRecord>
<ActivityRecord>
  <Action>Successful Logon</Action>
  <MonitoringPlan>
    <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
    <Name>Compliance</Name>
  </MonitoringPlan>
  <DataSource>Logon Activity</DataSource>
  <Item>
    <Name>enterprise.local (Domain)</Name>
  </Item>
  <ObjectType>Logon</ObjectType>
  <RID>201602170939597970997D56DDA034420B9044249CC15EC5A</RID>
  <What>stationwin12r2.enterprise.local</What>
  <When>2017-02-17T09:37:11Z</When>
  <Where>enterprisedc2.enterprise.local</Where>
  <Who>ENTERPRISE\Analyst</Who>
  <Workstation>stwin12R2.enterprise.local</Workstation>
</ActivityRecord>
```

```json
[
  {
    "Action": "Successful Logon",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
    "DataSource": "Logon Activity",
    "Item": { "Name": "enterprise.local (Domain)" },
    "ObjectType": "Logon",
    "RID": "20160217093959797091D091D2EAF4A89BF7A1CCC27D158A7",
    "What": "stationexchange.enterprise.local",
    "When": "2017-02-17T09:28:35Z",
    "Where": "enterprisedc1.enterprise.local",
    "Who": "ENTERPRISE\\Administrator",
    "Workstation": "stwin12R2.enterprise.local"
  },
  {
    "Action": "Successful Logon",
    "MonitoringPlan": { "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}", "Name": "Compliance" },
    "DataSource": "Logon Activity",
    "Item": { "Name": "enterprise.local (Domain)" },
    "ObjectType": "Logon",
    "RID": "201602170939597970997D56DDA034420B9044249CC15EC5A",
    "What": "stationwin12r2.enterprise.local",
    "When": "2017-02-17T09:37:11Z",
    "Where": "enterprisedc2.enterprise.local",
    "Who": "ENTERPRISE\\Analyst",
    "Workstation": "stwin12R2.enterprise.local"
  }
]
```

Filters

Review the table below to learn more about filters. The filters correspond to Activity Record fields.

| Filter | Description | Supported Operators |
| --- | --- | --- |
| RID | Activity Record ID. Limits your search to a unique key of the Activity Record. Max length: 49. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| Who | Limits your search to a specific user who made the change (e.g., Enterprise\Administrator, administrator@enterprise.onmicrosoft.com). Max length: 255. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith, InGroup, NotInGroup |
| Where | Limits your search to a resource where the change was made (e.g., Enterprise-SQL, FileStorage.enterprise.local). The resource name can be a FQDN or NETBIOS server name, Active Directory domain or container, SQL Server instance, SharePoint farm, VMware host, etc. Max length: 255. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| ObjectType | Limits your search to objects of a specific type only (e.g., user). Max length: 255. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| What | Limits your search to a specific object that was changed (e.g., NewPolicy). Max length: 1073741822. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| DataSource | Limits your search to the selected data source only (e.g., Active Directory). Max length: 1073741822. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| Monitoring Plan | Limits your search to a specific monitoring plan (the Netwrix Auditor object that governs data collection). Max length: 255. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| Item | Limits your search to a specific item (the object of monitoring) and its type, provided in brackets. The following item types are available: AD container, Computer, Domain, Dell Isilon, Dell Data Storage, Integration, IP range, NetApp, Microsoft 365 tenant, Oracle Database instance, SharePoint farm, SQL Server instance, VMware ESX/ESXi/vCenter, Windows file share. Max length: 1073741822. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| Workstation | Limits your search to an originating workstation from which the change was made (e.g., WKSwin12.enterprise.local). Max length: 1073741822. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| Detail | Limits your search results to entries that contain the specified information in Detail. Normally contains information specific to your data source, e.g., assigned permissions, before and after values, start and end dates. This filter can be helpful when you are looking for a unique entry. Max length: 1073741822. | Contains (default), Equals, NotEqualTo, StartsWith, EndsWith |
| Before | Limits your search results to entries that contain the specified before value in Detail. Max length: 536870911. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| After | Limits your search results to entries that contain the specified after value in Detail. Max length: 536870911. | Contains (default), DoesNotContain, Equals, NotEqualTo, StartsWith, EndsWith |
| Action | Limits your search results to certain actions: Added, Add (Failed Attempt), Removed, Remove (Failed Attempt), Modified, Modify (Failed Attempt), Read, Read (Failed Attempt), Moved, Move (Failed Attempt), Renamed, Rename (Failed Attempt), Checked in, Checked out, Discard check out, Successful Logon, Failed Logon, Logoff, Copied, Sent, Session start, Session end, Activated. | Equals (default), NotEqualTo |
| When | Limits your search to a specified time range. Netwrix Auditor supports the following for the When filter: use the Equals (default) or NotEqualTo operator; to specify a time interval, use Within timeframe with one of the enumerated values (Today, Yesterday, etc.), and/or values in From and To. From and To support the following date time formats: YYYY-mm-ddTHH:MM:SSZ indicates UTC time (zero offset); YYYY-mm-ddTHH:MM:SS+HH:MM indicates time zones ahead of UTC (positive offset); YYYY-mm-ddTHH:MM:SS-HH:MM indicates time zones behind UTC (negative offset). | Equals (default), NotEqualTo, Within timeframe (Today, Yesterday, LastSevenDays, LastThirtyDays), From..To interval |
| WorkingHours | Limits your search to the specified working hours. You can track activity outside the business hours by applying the NotEqualTo operator. From and To support the following time formats: HH:MM:SSZ indicates UTC time (zero offset); HH:MM:SS+HH:MM indicates time zones ahead of UTC (positive offset); HH:MM:SS-HH:MM indicates time zones behind UTC (negative offset). | From..To interval, Equals (default), NotEqualTo |
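The When and WorkingHours rows above describe time values with a Z suffix or a ±HH:MM offset, enumerated timeframes, and the NotEqualTo operator for tracking activity outside business hours. The following is an added example, not Netwrix Auditor's own code: it parses those formats, normalises every timestamp to UTC, evaluates the page's two-entry When filter, and lists records that fall outside a working-hours window. Assumptions of this example: the enumerated timeframes are whole UTC calendar days ending today (LastSevenDays is today plus the six days before it, matching the page's March 11 to March 17 reading), several When entries combine as OR, WorkingHours compares the record's time of day in the offset the From/To values were written in, and the sample records and reference date are constructed.

```python
# Added example (not Netwrix Auditor's own code): evaluates the When and
# WorkingHours filters with the date/time formats listed in the table above.
# Assumptions: enumerated timeframes are whole UTC calendar days ending today;
# several When entries combine as OR; WorkingHours compares the record's time of
# day in the offset the From/To values were written in.
from __future__ import annotations

from datetime import date, datetime, time, timedelta, timezone
from typing import Any

# Constructed reference date: the page's When example assumes today is March 17, 2017.
TODAY = date(2017, 3, 17)

# Constructed sample records as (Who, When) pairs; When uses the formats from the table.
SAMPLE_WHEN = [
    ("admin@corp.onmicrosoft.com", "2017-03-17T09:37:11Z"),
    ("ENTERPRISE\\Administrator", "2017-02-17T09:28:35Z"),
    ("ENTERPRISE\\Analyst", "2017-01-20T10:00:00Z"),
    ("ENTERPRISE\\Analyst", "2017-02-01T02:00:00+03:00"),      # 2017-01-31T23:00:00Z
    ("ENTERPRISE\\Administrator", "2017-03-16T23:40:00-05:00"),  # 2017-03-17T04:40:00Z
]

# The page's When example: the last seven days OR an explicit From..To interval.
WHEN_FILTER = [{"LastSevenDays": ""},
               {"From": "2017-01-16T16:30:00Z", "To": "2017-02-01T00:00:00Z"}]

# Number of days before today at which each enumerated timeframe starts.
TIMEFRAMES = {"Today": 0, "Yesterday": 1, "LastSevenDays": 6, "LastThirtyDays": 29}


def parse_when(value: str) -> datetime:
    """Parse YYYY-mm-ddTHH:MM:SSZ / +HH:MM / -HH:MM and normalise to UTC."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    parsed = datetime.fromisoformat(value)
    if parsed.tzinfo is None:
        raise ValueError(f"offset required: {value}")
    return parsed.astimezone(timezone.utc)


def timeframe_bounds(name: str, today: date) -> tuple[datetime, datetime]:
    """Half-open [start, end) UTC bounds of an enumerated timeframe."""
    start_day = today - timedelta(days=TIMEFRAMES[name])
    end_day = today if name == "Yesterday" else today + timedelta(days=1)
    return (datetime.combine(start_day, time.min, timezone.utc),
            datetime.combine(end_day, time.min, timezone.utc))


def when_matches(record_when: str, spec: Any, today: date = TODAY) -> bool:
    """Several When entries work as OR (Equals is the default operator)."""
    when = parse_when(record_when)
    for entry in spec if isinstance(spec, list) else [spec]:
        if "From" in entry or "To" in entry:
            lo = parse_when(entry["From"]) if "From" in entry else datetime.min.replace(tzinfo=timezone.utc)
            hi = parse_when(entry["To"]) if "To" in entry else datetime.max.replace(tzinfo=timezone.utc)
        else:
            lo, hi = timeframe_bounds(next(iter(entry)), today)
        if lo <= when < hi:
            return True
    return False


def select_when(records: list[tuple[str, str]], spec: Any, today: date = TODAY) -> list[str]:
    """Return the When values of the records the filter keeps."""
    return [when for _who, when in records if when_matches(when, spec, today)]


def parse_clock(value: str) -> tuple[time, timezone]:
    """Parse HH:MM:SSZ / HH:MM:SS+HH:MM / HH:MM:SS-HH:MM into a time and its offset."""
    if value.endswith("Z"):
        return time.fromisoformat(value[:-1]), timezone.utc
    if len(value) != 14 or value[8] not in "+-":
        raise ValueError(f"bad working-hours value: {value}")
    clock, sign, offset = value[:8], value[8], value[9:]
    hours, minutes = (int(part) for part in offset.split(":"))
    delta = timedelta(hours=hours, minutes=minutes)
    return time.fromisoformat(clock), timezone(delta if sign == "+" else -delta)


def in_working_hours(record_when: str, start: str, end: str) -> bool:
    """Equals semantics: the record's local time of day falls inside From..To."""
    t_start, tz = parse_clock(start)
    t_end, _ = parse_clock(end)
    local = parse_when(record_when).astimezone(tz).time()
    if t_start <= t_end:
        return t_start <= local < t_end
    return local >= t_start or local < t_end  # window that crosses midnight


def outside_working_hours(records: list[tuple[str, str]], start: str, end: str) -> list[str]:
    """NotEqualTo semantics, as the table suggests for tracking after-hours activity."""
    return [when for _who, when in records if not in_working_hours(when, start, end)]


if __name__ == "__main__":
    print("When matches:", select_when(SAMPLE_WHEN, WHEN_FILTER))
    print("After hours (08:00-18:00 UTC):", outside_working_hours(SAMPLE_WHEN, "08:00:00Z", "18:00:00Z"))
```

Note that the `+03:00` record is kept by the From..To entry only because it is normalised to UTC first (it is 23:00 on January 31 in UTC, inside the interval), and the `-05:00` record counts as Today rather than Yesterday for the same reason; writing working hours with the office's own offset rather than Z is what makes the after-hours list meaningful for that office.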