
Filters

Review the table below to learn more about filters. The filters correspond to Activity Record fields.

Filter Description Supported Operators

RID

Limits your search to a unique key of the Activity Record.

Max length: 49.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

Who

Limits your search to a specific user who made the change (e.g., Enterprise\Administrator, administrator@enterprise.onmicrosoft.com).

Max length: 255.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

Where

Limits your search to a resource where the change was made (e.g., Enterprise-SQL, FileStorage.enterprise.local).

The resource name can be a FQDN or NETBIOS server name, Active Directory domain or container, SQL Server instance, SharePoint farm, VMware host, etc.

Max length: 255.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

ObjectType

Limits your search to objects of a specific type only (e.g., user).

Max length: 255.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

What

Limits your search to a specific object that was changed (e.g., NewPolicy).

Max length: 1073741822.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

DataSource

Limits your search to the selected data source only (e.g., Active Directory).

Max length: 1073741822.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

Monitoring Plan

Limits your search to a specific plan—Netwrix Auditor object that governs data collection.

Max length: 255.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

Item

Limits your search to a specific item—object of monitoring—and its type provided in brackets.

The following item types are available:

  • AD container
  • NetApp
  • Computer
  • Office 365 tenant
  • Domain
  • Oracle Database instance
  • EMC Isilon
  • SharePoint farm
  • EMC VNX/VNXe
  • SQL Server instance
  • Integration
  • VMware ESX/ESXi/vCenter
  • IP range
  • Windows file share

Max length: 1073741822.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

Workstation

Limits your search to an originating workstation from which the change was made (e.g., WKSwin12.enterprise.local).

Max length: 1073741822.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

Detail

Limits your search results to entries that contain the specified information in Detail. The Detail field normally contains information specific to your data source, e.g., assigned permissions, before and after values, start and end dates.

This filter can be helpful when you are looking for a unique entry.

Max length: 1073741822.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

Before

Limits your search results to entries that contain the specified before value in Detail.

Max length: 536870911.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

After

Limits your search results to entries that contain the specified after value in Detail.

Max length: 536870911.

  • Contains (default)
  • DoesNotContain
  • Equals
  • NotEqualTo
  • StartsWith
  • EndsWith

Action

Limits your search results to certain actions:

  • Added
  • Add (Failed Attempt)
  • Removed
  • Remove (Failed Attempt)
  • Modified
  • Modify (Failed Attempt)
  • Read
  • Read (Failed Attempt)
  • Moved
  • Move (Failed Attempt)
  • Renamed
  • Rename (Failed Attempt)
  • Checked in
  • Checked out
  • Discard check out
  • Successful Logon
  • Failed Logon
  • Logoff
  • Copied
  • Sent
  • Session start
  • Session end
  • Activated
 

  • Equals (default)
  • NotEqualTo

When

Limits your search to a specified time range.

Netwrix Auditor allows you to define the When filter in two ways simultaneously: you can select a timeframe modifier (one of the enumerated values) for When and also specify values in To and From.

To and From support the following date time formats:

  • YYYY-mm-ddTHH:MM:SSZ—Indicates UTC time (zero offset)
  • YYYY-mm-ddTHH:MM:SS+HH:MM—Indicates time zones ahead of UTC (positive offset)
  • YYYY-mm-ddTHH:MM:SS-HH:MM—Indicates time zones behind UTC (negative offset)

  1. Within timeframe:
       • Today
       • Yesterday
       • LastSevenDays
       • LastThirtyDays
  2. "From..To" interval
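
A client-side pre-flight check built from the table above, as an added example that is not Netwrix code: it rejects unsupported operators, over-length values, unknown Action values and To/From timestamps outside the three accepted formats before a search is sent. The (name, operator, value) tuple layout and the function names are assumptions made for this example; it covers the string filters listed in MAX_LEN, Action, and the When To/From interval.

```python
import re
from datetime import datetime, timezone

# Limits and operator sets copied from the filter table on this page.
STRING_OPS = {"Contains", "DoesNotContain", "Equals", "NotEqualTo", "StartsWith", "EndsWith"}
MAX_LEN = {"RID": 49, "Who": 255, "Where": 255, "ObjectType": 255,
           "What": 1073741822, "DataSource": 1073741822, "Item": 1073741822,
           "Workstation": 1073741822, "Detail": 1073741822,
           "Before": 536870911, "After": 536870911}
ACTION_OPS = {"Equals", "NotEqualTo"}
ACTIONS = {"Added", "Add (Failed Attempt)", "Removed", "Remove (Failed Attempt)",
           "Modified", "Modify (Failed Attempt)", "Read", "Read (Failed Attempt)",
           "Moved", "Move (Failed Attempt)", "Renamed", "Rename (Failed Attempt)",
           "Checked in", "Checked out", "Discard check out", "Successful Logon",
           "Failed Logon", "Logoff", "Copied", "Sent", "Session start",
           "Session end", "Activated"}
# YYYY-mm-ddTHH:MM:SS followed by Z, +HH:MM or -HH:MM
STAMP = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(Z|[+-]\d{2}:\d{2})")

def parse_when(value):
    """Return a To/From value as an aware UTC datetime, or raise ValueError."""
    if not isinstance(value, str) or not STAMP.fullmatch(value):
        raise ValueError(f"unsupported date time format: {value!r}")
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)

def validate(filters):
    """filters: list of (name, operator, value); operator None means the default.
    Returns a list of error strings; an empty list means nothing was rejected."""
    errors = []
    for name, op, value in filters:
        if name in MAX_LEN:
            if (op or "Contains") not in STRING_OPS:
                errors.append(f"{name}: operator {op!r} not supported")
            if len(value) > MAX_LEN[name]:
                errors.append(f"{name}: value exceeds max length {MAX_LEN[name]}")
        elif name == "Action":
            if (op or "Equals") not in ACTION_OPS:
                errors.append(f"Action: operator {op!r} not supported")
            if value not in ACTIONS:
                errors.append(f"Action: unknown action {value!r}")
        elif name == "When":  # assumed layout: value is a (From, To) pair
            try:
                start, end = (parse_when(v) for v in value)
                if start > end:  # local sanity check, not a rule stated on the page
                    errors.append("When: From is later than To")
            except ValueError as exc:
                errors.append(f"When: {exc}")
        else:
            errors.append(f"{name}: unknown filter")
    return errors
```

Comparing To and From after conversion to UTC avoids ordering mistakes when the two values carry different offsets.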
