Monitored Object Types, Actions, and Attributes
Netwrix Auditor monitored object types, actions, attributes and components for each data source are located in the following topics:
Review the list of actions audited and reported by Netwrix Auditor. Actions vary depending on the data source and the object type.
| Action | Active Directory | Active Directory Federation Services | Exchange Exchange Online | File Servers | Group Policy | Logon Activity | Microsoft Entra ID (formerly Azure AD) | Oracle database | SharePoint SharePoint Online | SQL Server | User Activity | VMware Servers | Windows Server |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| Added | + | - | +* | + | + | – | + | + | + | + | – | + | + |
| Removed | + | - | +* | + | + | – | + | + | + | + | – | + | + |
| Modified | + | – | +* | + | + | – | + | + | + | + | – | + | + |
| Add (failed attempt) | – | – | – | + | – | – | – | + | – | – | – | – | – |
| Remove (failed attempt) | – | – | – | + | – | – | – | + | – | – | – | – | – |
| Modify (failed attempt) | – | – | – | + | – | – | – | + | – | – | – | – | + |
| Read | – | – | +* | + | – | – | – | + | + | – | – | – | – |
| Read (failed attempt) | – | – | – | + | – | – | – | + | – | – | – | – | – |
| Renamed | – | – | – | + | – | – | – | + | +** | – | – | – | – |
| Moved | – | – | +* | + | – | – | – | – | + | – | – | – | – |
| Rename (failed attempt) | – | – | – | + | – | – | – | + | – | – | – | – | – |
| Move (failed attempt) | – | – | – | + | – | – | – | – | – | – | – | – | – |
| Checked in | – | – | – | – | – | – | – | – | + | – | – | – | – |
| Checked out | – | – | – | – | – | – | – | – | + | – | – | – | – |
| Discard check out | – | – | – | – | – | – | – | – | + | – | – | – | – |
| Successful logon | – | + | – | – | – | + | + | + | – | + | – | + | – |
| Failed logon | – | + | – | – | – | + | + | + | – | + | – | +*** | – |
| Logoff | – | – | – | – | – | – | – | + | – | – | – | – | – |
| Copied | – | – | +* | + | – | – | – | – | +** | – | – | – | – |
| Sent | – | – | +* | – | – | – | – | – | – | – | – | – | – |
| Activated | – | – | – | – | – | – | – | – | – | – | + | – | – |
| Support for state-in-time data collection | + | – | + | + | + | - | + | - | + | - | - | + | + |
* —these actions are reported when auditing non-owner mailbox access for Exchange or Exchange Online.
** — these actions are reported for SharePoint Online only.
*** — Auditor will not collect data on Failed Logon event for VMware in case of incorrect logon attempt through VMware vCenter Single Sign-On; also, it will not collect logons using SSH.