Reference for Creating Activity Records
The table below describes Activity Record elements.
Netwrix recommends limiting the input Activity Records file to 50MB and maximum 1,000 Activity Records.
| Element | Mandatory | Datatype | Description |
|---|---|---|---|
| Activity Record main elements | |||
| RID | No | string | RID is a unique key of the Activity Record. The identifier is created automatically when you write an Activity Record to the Audit Database. RID is included in output Activity Records only. |
| Who | Yes | nvarchar 255 | A specific user who made the change (e.g., Enterprise\ Administrator, Admin@enterprise.onmicrosoft.com). |
| Action | Yes | — | Activity captured by Auditor (varies depending on the data source). |
| What | Yes | nvarchar max | A specific object that was changed (e.g., NewPolicy). |
| When | Yes | dateTime | The moment when the change occurred. When supports the following datetime formats. |
| Where | Yes | nvarchar 255 | A resource where the change was made (e.g., Enterprise-SQL, FileStorage.enterprise.local). The resource name can be a FQDN or NETBIOS server name, Active Directory domain or container, SQL Server instance, SharePoint farm, VMware host, etc. |
| ObjectType | Yes | nvarchar 255 | A type of affected object or its class (e.g., user, mailbox). |
| Monitoring Plan | No | nvarchar 255 | The Auditor object that is responsible for monitoring a given data source and item. Sub-elements: Name and ID. If you provide a monitoring plan name for input Activity Records, ensure the plan is created in Auditor, the Netwrix API data source is added to the plan, and enabled for monitoring. This ensures data is written to the database associated with this plan. |
| DataSource | No | nvarchar max | IT infrastructure monitored with Auditor (e.g., Active Directory). For input Activity Records, the data source is automatically set to Netwrix API. |
| Item | No | nvarchar max | The exact object that is monitored (e.g., a domain name, SharePoint farm name) or integration name. Sub-element: Name. The item type is added inside the name value in brackets (e.g., enterprise.local (Domain)). For input Activity Records, the type is automatically set to Integration, you do not need to provide it. The output Activity Records may contain various item types depending on the monitoring plan configuration:
|
| Workstation | No | nvarchar max | An originating workstation from which the change was made (e.g., WKSwin12.enterprise.local). |
| IsArchiveOnly | No | — | IsArchiveOnly allows saving Activity Record to the Long-Term Archive only. In this case, these Activity Records will not be available for search in the Auditor client. |
| DetailList | No | — | Information specific to the data source, e.g., assigned permissions, before and after values, start and end dates. References details. |
| Detail sub-elements (provided that DetailList exists) | |||
| PropertyName | Yes | nvarchar 255 | The name of a modified property. |
| Message | No | string | Object-specific details about the change. Message is included in output Activity Records only. |
| Before | No | ntext | The previous value of the modified property. |
| After | No | ntext | The new value of the modified property. |