Permissions by Data Collector (Matrix)

The Enterprise Auditor data collectors are capable of collecting information from a variety of sources. Each data collector requires specific protocols, ports, and permissions for the collection of data to occur.

Many data collectors are included as core components. However, some data collectors require specific license features. The following table provides a quick reference for each data collector.

Data Collector	Description	Protocols	Ports Used	Recommended Permissions
ActiveDirectory *requires license	The ActiveDirectory Data Collector audits objects published in Active Directory.	ADSI LDAP RPC	TCP 389/636 TCP 135-139 Randomly allocated high TCP ports	Member of the Domain Administrators group
ADActivity *requires license	The ADActivity Data Collector integrates with the Netwrix Activity Monitor by reading the Active Directory activity log files.	HTTP RPC	TCP 4494 (configurable within the Netwrix Activity Monitor)	Netwrix Activity Monitor API Access activity data Netwrix Activity Monitor API Read Read access to the Netwrix Activity Monitor Log Archive location
ADInventory	The ADInventory Data Collector is designed as a highly scalable and useful data collection mechanism to catalogue user, group, and computer object information that can be used by other solutions within Enterprise Auditor.	LDAP	TCP 389 TCP 135-139 Randomly allocated high TCP ports	Read access to directory tree List Contents & Read Property on the Deleted Objects Container NOTE: See the Microsoft Searching for Deleted Objects article and the Microsoft Dsacls article for additional information.
ADPermissions *requires license	The ADPermissions Data Collector collects the advanced security permissions of objects in AD.	ADSI LDAP RPC	TCP 389 TCP 135 – 139 Randomly allocated high TCP ports	LDAP Read permissions Read on all AD objects Read permissions on all AD Objects
AWS	The AWS Data Collector collects IAM users, groups, roles, and policies, as well as S3 permissions, content, and sensitive data from the target Amazon Web Services (AWS) accounts.	HTTPS	443	To collect details about the AWS Organization, the following permission is required: organizations:DescribeOrganization To collect details regarding IAM, the following permissions are required: iam:GenerateCredentialReport iam:GenerateServiceLastAccessedDetails iam:Get* iam:List* iam:Simulate* sts:GetAccessKeyInfo To collect details related to S3 buckets and objects, the following permissions are required: s3:Describe* s3:Get* s3:HeadBucket s3:List*
AzureADInventory	The AzureADInventory Data Collector catalogs user and group object information from Microsoft Entra ID, formerly Azure Active Directory. This data collector is a core component of Enterprise Auditor and is preconfigured in the .Entra ID Inventory Solution.	HTTP HTTPS REST	TCP 80 and 443	Microsoft Graph API Application Permissions: AuditLog.Read.All – Read all audit log data Directory.Read.All – Read directory data Delegated Permissions: Group.Read.All – Read all groups User.Read.All – Read all users' full profiles Access URLs https://login.windows.net https://graph.windows.net https://login.microsoftonline.com https://graph.microsoft.com All sub-directories of the access URLs listed
Box *requires license	The Box Data Collector audits access, group membership, and content within a Box enterprise.	HTTP HTTPS	TCP 80 TCP 443	Box Enterprise Administrator
CommandLineUtility	The CommandLineUtility Data Collector provides the ability to remotely spawn, execute, and extract data provided by a Microsoft native or third-party command line utility.	Remote Registry RPC	TCP 135-139 Randomly allocated high TCP ports	Member of the local Administrators group
DiskInfo	The DiskInfo Data Collector provides enumeration of disks and their associated properties.	RPC WMI	TCP 135 Randomly allocated high TCP ports	Member of the local Administrators group
DNS *requires license	The DNS Data Collector provides information regarding DNS configuration and records.	RPC	TCP 135 Randomly allocated high TCP ports	Member of the Domain Administrators group
DropboxAccess *requires license	The DropboxAccess Data Collector audits access, group membership, and content within a Dropbox environment.	HTTP HTTPS	TCP 80 TCP443	Dropbox Team Administrator
EventLog	The EventLog Data Collector provides search and extraction of details from event logs on target systems.	RPC WMI	TCP 135 Randomly allocated high TCP ports	Member of the Local Administrators group Member of the Domain Administrators group (if targeting domain controllers)
EWSMailbox *requires license	The EWSMailbox Data Collector provides configuration options to scan mailbox contents, permissions, and sensitive data, and is preconfigured within the Exchange Solution.	HTTPS ADSI LDAP	TCP 389 TCP 443	For Exchange servers: Exchange Admin Role Discovery Management Role Application Impersonation Role Exchange Online License For Exchange Online: Exchange Admin Role Discovery Management Role Exchange Online License
EWSPublicFolder *requires license	The EWSPublicFolder Data Collector provides configuration options to extract public folder contents, permissions, and sensitive data, and is preconfigured within the Exchange Solution.	HTTPS ADSI LDAP	TCP 389 TCP 443	For Exchange servers: Exchange Admin Role Discovery Management Role Application Impersonation Role Exchange Online License with a mailbox For Exchange Online: Exchange Admin Role Discovery Management Role Exchange Online License with a mailbox
Exchange2K *requires license	The Exchange2K Data Collector extracts configuration details from Exchange organizations for versions 2003 and later.	LDAP MAPI PowerShell RPC WMI	TCP 135-139 Randomly allocated high TCP ports TCP 389 Optional TCP 445	Member of the Exchange Administrator group Domain Admin for AD property collection Public Folder Management
ExchangeMailbox *requires license	The ExchangeMailbox Data Collector extracts configuration details from the Exchange Store to provide statistical, content, permission, and sensitive data reporting on mailboxes.	MAPI RPC	TCP 135 Randomly allocated high TCP ports	Member of the Exchange Administrator group Organization Management Discovery Management
ExchangeMetrics *requires license	The ExchangeMetrics Data Collector collects Mail-Flow metrics from the Exchange Message Tracking Logs on the Exchange servers. Some examples of this include server volume and message size statistics.	RPC WMI	TCP 135 Randomly allocated high TCP ports	Member of the local Administrator group on the targeted Exchange server(s)
ExchangePS *requires license	The ExchangePS Data Collector utilizes the Exchange CMDlets to return information about the Exchange environment utilizing PowerShell. This data collector has been designed to work with Exchange 2010 and newer.	PowerShell	TCP 135 Randomly allocated high TCP ports	For Exchange servers: Remote PowerShell enabled on a single Exchange server Windows Authentication enabled for the PowerShell Virtual Directory on the same Exchange server where Remote PowerShell has been enabled View-Only Organization Management Role Group Discovery Search Management Role Group Public Folder Management Role Group Mailbox Search Role For Exchange Online: Discovery Management Role Organization Management Role
ExchangePublicFolder *requires license	The ExchangePublicFolder Data Collector audits an Exchange Public Folder, including contents, permissions, ownership, and replicas.	MAPI RPC	TCP 135 Randomly allocated high TCP ports	Member of the Exchange Administrator group Organization Management
File	The File Data Collector provides file and folder enumeration, properties, and permissions.	RPC WMI	TCP 135-139 Randomly allocated high TCP ports Optional TCP 445	Member of the Local Administrators group
FileSystemAccess (FSAA) *requires license	The FileSystemAccess (FSAA) Data Collector collects permissions, content, and activity, and sensitive data information for Windows and NAS file systems.	Remote Registry WMI	Ports vary based on the Scan Mode Option selected. See the File System Scan Options topic for additional information.	Permissions vary based on the Scan Mode Option selected. See the File System Supported Platforms topic for additional information.
GroupPolicy	The GroupPolicy Data Collector provides the ability to retrieve the GPO’s list in the domain and where they are linked, return information on configured policies and policy parts from the individual policies that have been selected, return information on selected policy parts from all policies within the domain, and return effective security policies in effect at the individual workstation.	LDAP RPC	TCP 389 TCP 135-139 Randomly allocated high TCP ports	Member of the Domain Administrators group (if targeting domain controllers) Member of the Local Administrators group
INIFile	The INIFile Data Collector provides options to configure a task to collect information about log entries on target hosts.	RPC	TCP 135-139 Randomly allocated high TCP ports Optional TCP 445	Member of the Local Administrators group
LDAP	The LDAP Data Collector uses LDAP to query Active Directory returning the specified objects and attributes.	LDAP	TCP 389	Member of the Domain Administrators group
NIS	The NIS Data Collector inventories a NIS domain for user and group information, mapping to Windows-style SIDs.	NIS	TCP 111 or UDP 111 Randomly allocated high TCP ports	No special permissions are needed aside from access to a NIS server
NoSQL	The NoSQL Data Collector for MongoDB provides information on MongoDB Cluster configuration, limited user permissions, scans collections for sensitive data, and identifies who has access to sensitive data.	TCP/IP	MongoDB Cluster Default port is 27017 (A custom port can be configured)	Read Only access to ALL databases in the MongoDB Cluster including: Admin databases Config databases Local databases Read Only access to any user databases is required for sensitive data discovery Read access to NOSQL instance Read access to MongoDB instance Requires NOSQL Full-Text and Semantic Extractions for Search feature to be installed on the target NOSQL instances when using the Scans full rows for sensitive data option on the Options wizard page
ODBC	Queries ODBC compliant databases for tables and table properties	OCBC	TCP 1433	Database Read access
PasswordSecurity	The PasswordSecurity Data Collector compares passwords stored in Active Directory to known, breached passwords in the Netwrix dictionary or custom dictionaries. The PasswordSecurity Data Collector also checks for common misconfigurations with passwords in Active Directory.	LDAP	TCP 389/636	At the domain level: Read Replicating Directory Changes Replicating Directory Changes All Replicating Directory Changes in a Filtered Set Replication Synchronization
PatchCheck	Provides patch verification and optional automatic bulletin downloads from Microsoft	HTTP ICMP RPC	TCP 135-139 Randomly allocated high TCP ports TCP 80 TCP 7	Member of the Local Administrators group
Perfmon	Provides performance monitor counter data samples	RPC	TCP 135-139 Randomly allocated high TCP ports	Member of the Local Administrators group
PowerShell	The PowerShell Data Collector provides PowerShell script exit from Enterprise Auditor.	PowerShell	Randomly allocated high TCP ports	Member of the Domain Administrators group (if targeting domain controllers) Member of the Local Administrators group
Registry	The Registry Data Collector queries the registry and returns keys, key values, and permissions on the keys.	Remote Registry RPC	TCP 135-139 Randomly allocated high TCP ports	Member of the Local Administrators group
Script	The Script Data Collector provides VB Script exit from Enterprise Auditor.	VB Script	Randomly allocated high TCP ports	Member of the Local Administrators group Member of the Domain Administrators group (if targeting domain controllers)
Services	The Services Data Collector enumerates status and settings from remote services.	RPC WMI	TCP 135-139 Randomly allocated high TCP ports	Member of the Local Administrators group
SharePointAccess (SPAA) *requires license	The SharePointAccess (SPAA) Data Collector audits access, group membership, and content within a SharePoint on-premises and SharePoint Online environment. The SPAA Data Collector has been preconfigured within the SharePoint Solution.	MS SQL Remote Registry SP CSOM (Web Services via HTTP & HTTPS) SP Server API WCF AUTH via TCP (configurable)	Ports vary based on the Scan Mode selected and target environment. See the SharePoint Scan Options topic for additional information.	Permissions vary based on the Scan Mode selected and target environment. See the SharePoint Support topic for additional information.
SMARTLog	The SMARTLog Data Collector provides search and extraction of details from Windows Event Logs (online or offline) and Microsoft Exchange Internet Information Server (IIS) logs.	Log Remote Event RPC	TCP 135 TCP 445 Randomly allocated high TCP ports	Member of the Domain Administrators group (if targeting domain controllers) Member of the local Administrators group
SQL *requires license	The SQL Data Collector provides information on database configuration, permissions, data extraction, application name of the application responsible for activity events, an IP Address or Host name of the client server, and sensitive data reports. This data collector also provides information on Oracle databases including infrastructure and operations.	TCP	For Db2 Target: Specified by Instances table (default is 5000) For MySQL Target: Specified by Instances table (default is 3306) For Oracle Target: Specified by Instances table (default is 1521) For PostgreSQL Target: Specified by Instances table (default is 5432) For SQL Target: Specified by Instances table (default is 1433)	For MySQL Target: Read access to MySQL instance to include all databases contained within each instance Windows Only — Domain Admin or Local Admin privilege For Oracle Target: User with SYSDBA role Local Administrator on the target servers – Only applies to Windows Servers and not on Linux or Unix operating systems For PostgreSQL Target: Read access to all the databases in PostgreSQL cluster or instance Windows Only — Domain Admin or Local Admin privilege For Redshift Target: Read-access to the following tables: pg_tables pg_user For SQL Target: For Instance Discovery, local rights on the target SQL Servers: Local group membership to Remote Management Users Permissions on the following WMI NameSpaces: `root\Microsoft\SQLServer, root\interop` For permissions for data collection: Read access to SQL instance Requires SQL Full-Text and Semantic Extractions for Search feature to be installed on the target SQL instance(s) when using the Scan full rows for sensitive data option on the Options wizard page Grant Authenticate Server to [DOMAIN\USER] Grant Connect SQL to [DOMAIN\USER] Grant View any database to [DOMAIN\USER] Grant View any definition to [DOMAIN\USER] Grant View server state to [DOMAIN\USER] Grant Control Server to [DOMAIN\USER] (specifically required for the Weak Passwords Job)
SystemInfo	The SystemInfo Data Collector extracts information from the target system based on the selected category.	Remote Registry RPC WMI	TCP 135-139 Randomly allocated high TCP ports	Member of the Local Administrators group
TextSearch	The TextSearch Data Collector enables searches through text based log files.	RPC	TCP 135-139 Randomly allocated high TCP ports	Member of the Local Administrators group
Unix *requires license	The Unix Data collector provides host inventory, software inventory, and logical volume inventory on UNIX & Linux platforms.	SSH	TCP 22 User configurable	Root permissions in Unix/Linux
UserGroups *requires license	The UsersGroups Data Collector audits user and group accounts for both local and domain, extracting system policies.	RPC SMBV2 WMI	TCP 135-139 Randomly allocated high TCP ports 445	Member of the Local Administrators group If a less-privileged option is required, you can use a regular domain user that has been added to the Network access: Restrict clients allowed to make remote calls to SAM Local Security Policy Member of the Domain Administrators group (if targeting domain controllers)
WMICollector	The WMICollector Data Collector identifies data for certain types of WMI classes and namespaces.	RPC WMI	TCP 135-139 Randomly allocated high TCP ports	Member of the Local Administrators group