Activity Records
In Netwrix terms, one operable chunk of information is called the Activity Record. Netwrix Auditor Integration API processes both XML and JSON Activity Records. Activity Records have a format similar to the following; the exact schema depends on the operation (input or output).
XML

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ActivityRecord>
    <Who>Who</Who>
    <ObjectType>Object Type</ObjectType>
    <Action>Action</Action>
    <What>What</What>
    <When>When</When>
    <Where>Where</Where>
    <MonitoringPlan>
      <ID>Unique ID</ID>
      <Name>Name</Name>
    </MonitoringPlan>
    <DataSource>Data source</DataSource>
    <Item>
      <Name>Item name (Item type)</Name>
    </Item>
    <DetailList>
      <Detail>
        <Before>Before Value</Before>
        <After>After Value</After>
        <PropertyName>Property</PropertyName>
        <Message>Text</Message>
      </Detail>
    </DetailList>
  </ActivityRecord>
  <ActivityRecord>...</ActivityRecord>
</ActivityRecordList>
```

JSON

```json
[
  {
    "Action": "Action",
    "MonitoringPlan": {
      "ID": "Unique ID",
      "Name": "Name"
    },
    "DataSource": "Data source",
    "Item": {"Name": "Item name (Item type)"},
    "DetailList": [
      {
        "Before": "Before Value",
        "After": "After Value",
        "PropertyName": "Property",
        "Message": "Text"
      }
    ],
    "ObjectType": "Object Type",
    "What": "What",
    "When": "When",
    "Where": "Where",
    "Who": "Who"
  },
  {...}
]
```
To feed data from a custom audit source to Netwrix Auditor, send a POST request containing Activity Records. See Write Activity Records.
Schema
The Activity Records you want to feed to Netwrix Auditor must be compatible with the input schema. The output schema resembles the input schema and can be used to validate Activity Records returned by Netwrix Auditor before further data parsing.
Format | Schema description |
---|---|
XML | The file must be compatible with the XML schema. On the computer where Auditor Server resides, you can find the XSD file under `Netwrix_Auditor_installation_folder\Audit Core\API Schemas`. The `ActivityRecordList` root element includes the `ActivityRecord` elements. Each `ActivityRecord` contains values in the `Who`, `When`, `Where`, etc. fields. The `MonitoringPlan` element contains sub-elements such as `Name` and `ID`; the `Item` element contains `Name`. Both `MonitoringPlan` and `Item` are optional for input Activity Records. The `DetailList` element is optional too; it may include one or more `Detail` entries. The `Detail` element may contain sub-elements with values (e.g., before and after values). For input Activity Records, the data source is automatically set to Netwrix API. `minOccurs="0"` indicates that an element is optional and may be absent when writing data to the Audit Database. |
JSON | Activity Records are sent as an array enclosed in square brackets `[ ]`. Each `ActivityRecord` object is enclosed in braces and contains values in the `Who`, `When`, `Where`, etc. fields. The `DetailList` field is not mandatory; it may include one or more details. The `Detail` field may contain sub-fields with values (e.g., before and after values). For input Activity Records, the data source is automatically set to Netwrix API. |
Example
The examples below show an output Activity Record.
XML

```xml
<?xml version="1.0" encoding="UTF-8" ?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ActivityRecord>
    <Action>Modified</Action>
    <MonitoringPlan>
      <ID>{42F64379-163E-4A43-A9C5-4514C5A23798}</ID>
      <Name>Compliance</Name>
    </MonitoringPlan>
    <DataSource>Exchange Online</DataSource>
    <Item>
      <Name>mail@enterprise.onmicrosoft.com (Office 365 tenant)</Name>
    </Item>
    <ObjectType>Mailbox</ObjectType>
    <What>Shared Mailbox</What>
    <When>2017-03-17T09:37:11Z</When>
    <Where>BLUPR05MB1940</Where>
    <Who>admin@enterprise.onmicrosoft.com</Who>
    <DetailList>
      <Detail>
        <Before>1</Before>
        <After>2</After>
        <PropertyName>Custom_attribute</PropertyName>
      </Detail>
    </DetailList>
  </ActivityRecord>
</ActivityRecordList>
```

JSON

```json
[
  {
    "Action": "Modified",
    "MonitoringPlan": {
      "ID": "{42F64379-163E-4A43-A9C5-4514C5A23798}",
      "Name": "Compliance"
    },
    "DataSource": "Exchange Online",
    "Item": {"Name": "mail@enterprise.onmicrosoft.com (Office 365 tenant)"},
    "ObjectType": "Mailbox",
    "What": "Shared Mailbox",
    "When": "2017-03-17T09:37:11Z",
    "Where": "BLUPR05MB1940",
    "Who": "admin@enterprise.onmicrosoft.com",
    "DetailList": [
      {
        "PropertyName": "Custom_Attribute",
        "Before": "1",
        "After": "2"
      }
    ]
  }
]
```
Write Activity Records
Endpoint
Write data to the Audit Database and to the Long-Term Archive. By default, all imported data is written to a special Netwrix_Auditor_API database and recognized as the Netwrix API data source. This data is not associated with any monitoring plan in the product. You can associate Activity Records with a plan; in this case, data will be written to the database linked to this plan. Make sure the plan you specify is already created in Netwrix Auditor, and that the Netwrix API data source is added to the plan and enabled for monitoring.
To feed data, send a POST request containing Activity Records. The user sending the request must be assigned the Contributor role in Netwrix Auditor. After the data is fed to the Audit Database, it becomes available for search in the Netwrix Auditor client and through the /netwrix/api/v1/activity_records/search and /netwrix/api/v1/activity_records/enum endpoints.
Method | Endpoint | POST Data |
---|---|---|
POST | https://{host:port}/netwrix/api/v1/activity_records/{?format=json} | Activity Records |
Netwrix recommends limiting the input Activity Records file to 50MB and a maximum of 1,000 Activity Records.
Request Parameters
Parameter | Mandatory | Description |
---|---|---|
host:port | Yes | Replace with the IP address or name of your Netwrix Auditor Server host and the port (e.g., 172.28.6.15:9699, stationwin12:9699, WKSWin2012.enterprise.local:9699). With HTTPS enabled, provide the computer name as it appears in the certificate properties. |
?format=json | No | Add this parameter to write data in JSON format. Otherwise, Netwrix Auditor Server will expect XML-formatted Activity Records and will consider JSON invalid. |
Response
Request Status | Response |
---|---|
Success | The HTTP status code in the response header is 200 OK and the body is empty.<br>`HTTP/1.1 200 OK`<br>`Server: Microsoft-HTTPAPI/2.0`<br>`Content-Length: 0`<br>`Content-Type: text/plain`<br>`Date: Fri, 08 Apr 2017 13:56:22 GMT` |
Error | The header status code is an error code. Depending on the error code, the response body may contain an error object. See Response Status Codes for more information. |
Usage Example—Write Data
This example describes how to feed Activity Records to the Audit Database.
__Step 1 –__ Send a POST request containing Activity Records. For example:

XML

```
curl -H "Content-Type:application/xml; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/ -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.xml
```

```xml
<?xml version="1.0" encoding="utf-8"?>
<ActivityRecordList xmlns="http://schemas.netwrix.com/api/v1/activity_records/">
  <ActivityRecord>
    <Who>Admin</Who>
    <ObjectType>Stored Procedure</ObjectType>
    <Action>Added</Action>
    <What>Databases\ReportServer\Stored Procedures\dbo.sp_New</What>
    <MonitoringPlan>
      <Name>Integrations and custom sources</Name>
    </MonitoringPlan>
    <Where>WKSWin12SQL</Where>
    <When>2017-02-19T03:43:49-11:00</When>
  </ActivityRecord>
  <ActivityRecord>
    <Action>Modified</Action>
    <ObjectType>Mailbox</ObjectType>
    <What>Shared Mailbox</What>
    <When>2017-02-10T14:46:00Z</When>
    <Where>BLUPR05MB1940</Where>
    <Who>admin@enterprise.onmicrosoft.com</Who>
    <DetailList>
      <Detail>
        <PropertyName>Custom_Attribute</PropertyName>
        <Before>1</Before>
        <After>2</After>
      </Detail>
    </DetailList>
  </ActivityRecord>
</ActivityRecordList>
```

JSON

```
curl -H "Content-Type:application/json; Charset=UTF-8" https://WKSWin2012:9699/netwrix/api/v1/activity_records/?format=json -u Enterprise\NetwrixUser:NetwrixIsCool --data-binary @C:\APIdocs\Input.json
```

```json
[
  {
    "Who": "Admin",
    "ObjectType": "Stored Procedure",
    "Action": "Added",
    "MonitoringPlan": {"Name": "Integrations and custom sources"},
    "What": "Databases\\ReportServer\\Stored Procedures\\dbo.sp_New",
    "Where": "WKSWin12SQL",
    "When": "2017-02-19T03:43:49-11:00"
  },
  {
    "Action": "Modified",
    "ObjectType": "Mailbox",
    "What": "Shared Mailbox",
    "When": "2017-02-10T14:46:00Z",
    "Where": "BLUPR05MB1940",
    "Who": "admin@enterprise.onmicrosoft.com",
    "DetailList": [
      {
        "PropertyName": "Custom_Attribute",
        "Before": "1",
        "After": "2"
      }
    ]
  }
]
```
Make sure to pass information about the transferred data, including `Content-Type:application/xml` or `application/json`, and the encoding. The syntax greatly depends on the tool you use.
__Step 2 –__ Receive the response. Below is an example of a successful write request. The status is 200 OK and the body is empty.

```
HTTP/1.1 200 OK
Server: Microsoft-HTTPAPI/2.0
Content-Length: 0
Content-Type: text/plain
Date: Fri, 08 Apr 2017 13:56:22 GMT
```
__Step 3 –__ Send more POST requests containing Activity Records if necessary.
__Step 4 –__ Check that the posted data is now available in the Audit Database. Run a search request to the [/netwrix/api/v1/activity_records/search](/docs/auditor/10.7/api-reference/activity-records/searching-records.md) endpoint or use interactive search in the Netwrix Auditor client.

__Step 5 –__ For input Activity Records, the data source is set to Netwrix API.
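
A client-side pre-flight check for the write procedure above, as an added example that is not part of the Netwrix documentation or product code: it validates input records, splits them into batches within the recommended 1,000-record and 50MB limits, and builds the JSON POST request without sending it. The required-field list, the time-zone check and the function names are assumptions of this example; authentication is left to the caller.

```python
import json
from datetime import datetime
from urllib.request import Request

# Assumption: the page marks only MonitoringPlan, Item and DetailList as
# optional, so the remaining fields are treated as required here.
REQUIRED = ("Who", "ObjectType", "Action", "What", "When", "Where")
MAX_RECORDS = 1000               # recommended maximum records per request
MAX_BYTES = 50 * 1000 * 1000     # recommended 50MB, read conservatively as decimal

def validate(record):
    """Return a list of problems found in one input Activity Record."""
    problems = [f"missing {f}" for f in REQUIRED if not record.get(f)]
    when = str(record.get("When", ""))
    try:
        # The page's examples use a trailing Z or a numeric UTC offset.
        # Assumption: require one of them so the event time is unambiguous.
        stamp = datetime.fromisoformat(when.replace("Z", "+00:00"))
        if stamp.tzinfo is None:
            problems.append("When has no time zone")
    except ValueError:
        if when:
            problems.append("When is not an ISO 8601 timestamp")
    if not isinstance(record.get("DetailList", []), list):
        problems.append("DetailList must be an array")
    return problems

def batches(records, max_records=MAX_RECORDS, max_bytes=MAX_BYTES):
    """Yield UTF-8 JSON bodies that each stay within both recommended limits."""
    chunk, size = [], 2                      # 2 bytes for the enclosing [ ]
    for rec in records:
        rec_size = len(json.dumps(rec).encode("utf-8")) + 2   # plus ", "
        if chunk and (len(chunk) >= max_records or size + rec_size > max_bytes):
            yield json.dumps(chunk).encode("utf-8")
            chunk, size = [], 2
        chunk.append(rec)    # a single oversized record still gets its own batch
        size += rec_size
    if chunk:
        yield json.dumps(chunk).encode("utf-8")

def build_request(host_port, body):
    """Build (but do not send) the POST request for one JSON batch."""
    # Credentials for a Contributor-role account must be added by the caller.
    url = f"https://{host_port}/netwrix/api/v1/activity_records/?format=json"
    return Request(url, data=body, method="POST",
                   headers={"Content-Type": "application/json; charset=UTF-8"})
```

Run `validate` on every record before batching and drop or fix the ones that report problems, so a single malformed record does not cause the whole request to be rejected.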
