
Reference for Creating Activity Records

The table below describes Activity Record elements.

NOTE: Netwrix recommends limiting the input Activity Records file to 50MB and a maximum of 1,000 Activity Records.

Element Mandatory Datatype Description
Activity Record main elements

RID

No

string

RID is a unique key of the Activity Record.

The identifier is created automatically when you write an Activity Record to the Audit Database. RID is included in output Activity Records only.

Who

Yes

nvarchar 255

A specific user who made the change (e.g., Enterprise\Administrator, Admin@enterprise.onmicrosoft.com).

Action

Yes

Activity captured by Netwrix Auditor (varies depending on the data source):

  • Added
  • Add (Failed Attempt)
  • Removed
  • Remove (Failed Attempt)
  • Modified
  • Modify (Failed Attempt)
  • Read
  • Read (Failed Attempt)
  • Moved
  • Move (Failed Attempt)
  • Renamed
  • Rename (Failed Attempt)
  • Checked in
  • Checked out
  • Discard check out
  • Successful Logon
  • Failed Logon
  • Logoff
  • Copied
  • Sent
  • Session start
  • Session end
  • Activated
 

What

Yes

nvarchar max

A specific object that was changed (e.g., NewPolicy).

When

Yes

dateTime

The moment when the change occurred. When supports the following datetime formats:

  • YYYY-mm-ddTHH:MM:SSZ—Indicates UTC time (zero offset)
  • YYYY-mm-ddTHH:MM:SS+HH:MM—Indicates time zones ahead of UTC (positive offset)
  • YYYY-mm-ddTHH:MM:SS-HH:MM—Indicates time zones behind UTC (negative offset)

Where

Yes

nvarchar 255

A resource where the change was made (e.g., Enterprise-SQL, FileStorage.enterprise.local). The resource name can be a FQDN or NETBIOS server name, Active Directory domain or container, SQL Server instance, SharePoint farm, VMware host, etc.

ObjectType

Yes

nvarchar 255

A type of affected object or its class (e.g., user, mailbox).

MonitoringPlan

No

nvarchar 255

The Netwrix Auditor object that is responsible for monitoring a given data source and item.

Sub-elements: Name and ID.

NOTE: If you provide a monitoring plan name for input Activity Records, make sure the plan is created in Netwrix Auditor, the Netwrix API data source is added to the plan and enabled for monitoring. In this case, data will be written to the database associated with this plan.

DataSource

No

nvarchar max

IT infrastructure monitored with Netwrix Auditor (e.g., Active Directory).

For input Activity Records, the data source is automatically set to Netwrix API.

Item

No

nvarchar max

The exact object that is monitored (e.g., a domain name, SharePoint farm name) or integration name.

Sub-element: Name.

The item type is added inside the name value in brackets (e.g., enterprise.local (Domain)). For input Activity Records, the type is automatically set to Integration; you do not need to provide it. The output Activity Records may contain the following item types depending on the monitoring plan configuration:

  • AD container
  • NetApp
  • Computer
  • Office 365 tenant
  • Domain
  • Oracle Database instance
  • EMC Isilon
  • SharePoint farm
  • EMC VNX/VNXe
  • SQL Server instance
  • Integration
  • VMware ESX/ESXi/vCenter
  • IP range
  • Windows file share

NOTE: If you provide an item name for input Activity Records, make sure this item is included in the monitoring plan within the Netwrix API data source. If you specify an item that does not exist, data will be written to the plan's database anyway but will not be available for search using the Item filter.

Workstation

No

nvarchar max

An originating workstation from which the change was made (e.g., WKSwin12.enterprise.local).

IsArchiveOnly

No

IsArchiveOnly allows you to save an Activity Record to the Long-Term Archive only. In this case, these Activity Records will not be available for search in the Netwrix Auditor client.

DetailList

No

Information specific to the data source, e.g., assigned permissions, before and after values, start and end dates. References details.

Detail sub-elements (provided that DetailList exists)

PropertyName

Yes

nvarchar 255

The name of a modified property.

Message

No

string

Object-specific details about the change.

Message is included in output Activity Records only.

Before

No

ntext

The previous value of the modified property.

After

No

ntext

The new value of the modified property.
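
A pre-submission check for input Activity Records built from the table above, as an added example that is not part of the Netwrix documentation. The dict layout, the function names and the choice to reject output-only elements (RID, Message) in input are assumptions of this example; the 50MB file-size recommendation is not checked.

```python
import re

# Constraints transcribed from the reference table above.
MANDATORY = ("Who", "Action", "What", "When", "Where", "ObjectType")
MAX_255 = ("Who", "Where", "ObjectType")  # nvarchar 255 elements
ACTIONS = {
    "Added", "Add (Failed Attempt)", "Removed", "Remove (Failed Attempt)",
    "Modified", "Modify (Failed Attempt)", "Read", "Read (Failed Attempt)",
    "Moved", "Move (Failed Attempt)", "Renamed", "Rename (Failed Attempt)",
    "Checked in", "Checked out", "Discard check out", "Successful Logon",
    "Failed Logon", "Logoff", "Copied", "Sent", "Session start",
    "Session end", "Activated",
}
# YYYY-mm-ddTHH:MM:SS plus Z, +HH:MM or -HH:MM; shape check only, offset required.
WHEN_RE = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})", re.ASCII)
MAX_RECORDS = 1000  # recommended per-file maximum from the NOTE
# Constructed sample record; values reuse the examples given in the table.
SAMPLE = {"Who": "Admin@enterprise.onmicrosoft.com", "Action": "Modified",
          "What": "NewPolicy", "When": "2024-05-01T10:15:00Z",
          "Where": "Enterprise-SQL", "ObjectType": "user"}

def validate_record(rec):
    """Return a list of problems for one record (hypothetical dict layout)."""
    errs = [f"{k}: mandatory element missing" for k in MANDATORY if not rec.get(k)]
    errs += [f"{k}: longer than 255 characters"
             for k in MAX_255 if len(rec.get(k) or "") > 255]
    if "RID" in rec:
        errs.append("RID: output-only element, do not send")
    if rec.get("Action") and rec["Action"] not in ACTIONS:
        errs.append("Action: not one of the listed activities")
    if rec.get("When") and not WHEN_RE.fullmatch(rec["When"]):
        errs.append("When: not an accepted datetime format")
    for i, d in enumerate(rec.get("DetailList", [])):
        name = d.get("PropertyName")
        if not name:
            errs.append(f"Detail[{i}].PropertyName: mandatory element missing")
        elif len(name) > 255:
            errs.append(f"Detail[{i}].PropertyName: longer than 255 characters")
        if "Message" in d:
            errs.append(f"Detail[{i}].Message: output-only element, do not send")
    return errs

def validate_batch(records):
    """Map record index -> problems; key -1 flags an oversized batch."""
    problems = {i: e for i, r in enumerate(records) if (e := validate_record(r))}
    if len(records) > MAX_RECORDS:
        problems[-1] = [f"batch has {len(records)} records, limit is {MAX_RECORDS}"]
    return problems
```

A timestamp without Z or an explicit offset is rejected because none of the three listed formats allows it, which also keeps audit timelines unambiguous across time zones.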
