Netwrix Auditor delivers complete visibility into your IT infrastructure. Its convenient interactive search interface enables you to investigate incidents and browse data collected across the entire IT infrastructure. When running a search, you are not limited to a certain data source, change type, or object name. You can create flexible searches that provide you with precise results on who changed what, and when and where each change was made.
NOTE: To review intelligence data, you must be assigned the Global administrator or Global reviewer role in the product. Users assigned the Reviewer role on a certain plan or folder have limited access to data, only within the delegated scope.
This functionality is currently available for the following data sources:
- Active Directory
- Azure AD
- Exchange Online
- File Servers (Windows File Servers, EMC, and NetApp)
- Network Devices
- Oracle Database
- SharePoint Online
- SQL Server
- Windows Server
- Group Policy
- Logon Activity
- User Activity (Video)
- Netwrix API (data imported to the Audit Database from other sources using Netwrix Auditor Integration API)
- Netwrix Auditor Self-Audit
NOTE: Netwrix Auditor shows only the top 2,000 entries in the search results.
The "Netwrix Auditor Self-Audit" option is enabled in Settings by default. Self-audit tracks every change to a monitoring plan, data source, and audit scope, along with its details (before and after values). If you want to skip Netwrix Auditor security events in your search results, navigate to Settings and disable self-audit. See Netwrix Auditor Self-Audit for more information.
- On the main Netwrix Auditor page, navigate to Search.
- Do one of the following:
  - Click Search to see all audit data stored in the Audit Database. Once the data is retrieved, you can exclude certain entries from the results. See Include and Exclude Data for more information.
  - Add filters to the Search field before you click Search. In this case, only data matching your search criteria will be displayed. See Use Filters (Simple Mode) for more information.
- Select columns to display. In this case, only the selected columns will be displayed, in the order you prefer. See Customize View for more information.
- Review the search results and see details for each particular change or watch a video recording.
  - Select the activity record whose details you want to review.
  - Review the activity record and user account details on the right.
  - Click Full screen... to see all information regarding this change and copy it if necessary. For User Activity entries, click the Show video... link below the entry. Review details and play a video by clicking Show video on the right.
NOTE: If you are sure that some audit data is missing (e.g., you do not see information on your file servers in reports and search results), verify that the Audit Database settings are configured and that data is written to databases that reside on the default SQL Server instance.
By default, Netwrix Auditor allows generating reports and running interactive searches on data collected in the last 180 days. If you want to investigate incidents that occurred more than 180 days ago, ask your Netwrix Auditor Global administrator to import that data from the Long-Term Archive.
- Use search results for your own needs: save and share results, create search-based subscriptions and alerts, etc. See Make Search Results Actionable for more information.
- By default, each search opens in the same window and overwrites the previous search results. Click Open in new window to compare several searches.