MCP Server for Netwrix Auditor
Download from the Netwrix GitHub: https://github.com/netwrix/mcp-server-auditor (netwrix/mcp-server-auditor: An MCP server for Netwrix Auditor).
The Auditor MCP Server allows AI tools, such as Claude Desktop, to query and analyze historical Activity Records collected by your Netwrix Auditor instance. This facilitates streamlined investigations and complex data retrieval using natural language queries.
Prerequisites
Before proceeding with the installation, please ensure you have the following:
- A functioning Netwrix Auditor 10.6 or later installation actively collecting audit data.
- An installed MCP-compatible client application (e.g., Claude Desktop).
- Credentials for a Netwrix Auditor user account with sufficient permissions to read audit data (Activity Records) via Netwrix Auditor's underlying mechanisms (e.g., API or database access, depending on server implementation).
Installation
This section describes two ways to set up the Netwrix Auditor MCP Server for use with Claude Desktop: running it locally from source code (Option 1) or running it in a Docker container (Option 2).
Option 1: Local Installation from Source
This method involves downloading (or cloning) the server's source code and configuring Claude Desktop to run it directly using the dotnet command, with connection settings provided via environment variables.
Prerequisites:
- .NET SDK (ensure the version meets the server's requirements, e.g., 9.0 or later) installed. Download from https://dotnet.microsoft.com/download.
- Git installed (if you need to clone the repository). Download from https://git-scm.com/.
- Source code for the MCP server (either downloaded as a ZIP or cloned using Git).
Steps:

1. Get the Source Code:
   - If using Git: Open your terminal, navigate to where you want to store the code, and clone the repository:

     ```bash
     # Clone the C# MCP server repository
     git clone https://github.com/netwrix/mcp-server-auditor.git
     # Navigate into the root directory of the cloned repository
     cd mcp-server-auditor
     ```

   - If downloaded as ZIP: Extract the ZIP file to a known location on your computer. Open your terminal and navigate into the extracted folder (the one containing the solution `.sln` or project `.csproj` file).
2. Identify Project Path:
   - Locate the main server project file within the source code. This file usually has a `.csproj` extension (e.g., `NetwrixAuditorMCPServer.csproj`).
   - Note the full, absolute path to this `.csproj` file. You will need it later.
   - (Note: No manual configuration files need editing here; settings will be provided via the Claude Desktop config.)
3. Build (Optional but Recommended First Time):
   - While `dotnet run` can build automatically, it's good practice to run a build initially to download dependencies and check for errors. Navigate to the directory containing the `.csproj` file if you aren't already there, then run:

     ```bash
     dotnet build
     ```
4. Configure Claude Desktop:
   - Locate and open the Claude Desktop configuration file (`claude_desktop_config.json`) in a text editor.
     - Windows: `%APPDATA%\Claude\claude_desktop_config.json`
     - macOS: `~/Library/Application Support/Claude/claude_desktop_config.json`
   - If the file or the `mcpServers` section doesn't exist, create the basic structure: `{"mcpServers": {}}`.
   - Add or modify the `mcpServers` section to include the configuration for running your server directly from source:

     ```json
     {
       "mcpServers": {
         "netwrix-auditor-local": {
           "command": "dotnet",
           "args": [
             "run",
             "--project",
             "C:\\path\\to\\your\\cloned\\repo\\YourServerProject\\YourServerProject.csproj"
           ],
           "cwd": "C:\\path\\to\\your\\cloned\\repo\\YourServerProject",
           "env": {
             "NETWRIX_API_URL": "https://your-netwrix-server:9699",
             "NETWRIX_API_USERNAME": "domain\\user",
             "NETWRIX_API_PASSWORD": "YOUR_NETWRIX_PASSWORD"
           }
         }
       }
     }
     ```
   Recommendations for Configuring the MCP Server
   - Server Name
     - Use a descriptive key name for the MCP server, e.g., "netwrix-auditor-local".
   - Command
     - Set "dotnet" as the command if you're running a .NET Core or .NET project.
   - Arguments (args)
     - Include "run" and "--project" followed by the absolute path to your server's `.csproj` file.
     - Replace the example paths in `"args"` (the path to the `.csproj` file) and `"cwd"` (the path to the directory containing the `.csproj` file) with the correct absolute paths on your system. Example paths:
       - Windows: `C:\\path\\to\\your\\cloned\\repo\\YourServerProject\\YourServerProject.csproj`
       - macOS/Linux: `/Users/yourname/path/to/cloned/repo/YourServerProject/YourServerProject.csproj`
     - Optionally, you may add "--no-build" (after "run") if you prefer to build the project manually in advance; `dotnet run --no-build` does not compile, so run `dotnet build` first.
   - Working Directory (cwd)
     - This should point to the directory containing the `.csproj` file.
   - Environment Variables (env)
     - Provide Netwrix API connection details:
       - NETWRIX_API_URL: Your Netwrix API server URL (e.g., https://your-netwrix-server:9699)
       - NETWRIX_API_USERNAME: Your Netwrix username (e.g., domain\\user)
       - NETWRIX_API_PASSWORD: Your Netwrix password
     - Add any additional environment variables required by your server logic.
     - Ensure the environment variable names (`NETWRIX_API_URL`, etc.) exactly match what the server application expects to read.
     - Replace the placeholder values (`YOUR_NETWRIX_...`) in the `"env"` section with your actual Netwrix Auditor API endpoint and credentials. The password then sits in plaintext in `claude_desktop_config.json`, readable by any process running under your user account. Use a dedicated Auditor account that has only the permissions needed to read Activity Records (not an administrator), restrict the file's permissions to your own user, and keep it out of backups, sync folders and version control.
   - Additional Servers (Optional)
     - You can define multiple MCP servers by adding more entries under the `mcpServers` object.
5. Restart Claude Desktop:
   - Completely close the Claude Desktop application.
   - Reopen Claude Desktop.

6. Verify Server Operation:
   - Claude Desktop should now launch the server using `dotnet run` with the specified project and environment variables.
   - Check for the tools icon in Claude Desktop, click it, and verify that the server's tools are listed.
   - Test a tool by asking a relevant question.
Option 2: Using Docker
This method runs the MCP server inside a Docker container, providing environment isolation. This is suitable if a Docker image for the server is available and you prefer containerization.
Prerequisites:
- Docker installed and running. Get Docker from https://www.docker.com/products/docker-desktop/.
- The name of the official Docker image for the Netwrix Auditor MCP server (e.g., `netwrix/auditor-mcp-server:latest`. Note: You must replace this with the actual, correct image name if provided by the server's developers).
Steps:

1. Pull the Docker Image (Optional but Recommended):

   ```bash
   # Replace with the correct image name and tag
   docker pull netwrix/auditor-mcp-server:latest
   ```

2. Configure Claude Desktop: Edit the `claude_desktop_config.json` file (see paths in Option 1, Step 4). Add or modify the `mcpServers` section to tell Claude Desktop how to start the container:

   ```json
   {
     "mcpServers": {
       "netwrix-auditor-docker": {
         "command": "docker",
         "args": [
           "run", "--rm", "-i",
           "-p", "127.0.0.1:50051:50051",
           "-e", "NETWRIX_ENDPOINT=YOUR_API_SERVER",
           "-e", "NETWRIX_USER=YOUR_USERNAME",
           "-e", "NETWRIX_PASSWORD=YOUR_PASSWORD",
           "netwrix/auditor-mcp-server:latest"
         ]
       }
     }
   }
   ```
   Recommendations for Configuring the Docker-based MCP Server
   - Server Key
     - Use a descriptive key (e.g., "netwrix-auditor-docker") to identify the server configuration.
     - Replace `netwrix/auditor-mcp-server:latest` with the correct Docker image name.
   - Command
     - Set "docker" as the command to run a containerized MCP server.
   - Arguments (args)
     - "run": Start a new container.
     - "--rm": Automatically remove the container when it exits (cleans up resources).
     - "-i": Keeps STDIN open, which is required for interactive services like MCP.
   - Port Mapping
     - Use "-p", "127.0.0.1:50051:50051" to:
       - Expose the MCP port only on the local machine (binding to 127.0.0.1 rather than 0.0.0.0 keeps it off the network).
       - Adjust the port if your MCP server uses a different one.
     - With "-i", Claude Desktop talks to the server over the container's stdin/stdout; the "-p" mapping is only needed if the image additionally listens on a TCP port, so drop it if the server's documentation shows a stdio-only transport.
   - Environment Variables
     - Use "-e" to pass configuration values into the container.
     - Replace `YOUR_API_SERVER`, `YOUR_USERNAME`, `YOUR_PASSWORD` with your actual Netwrix Auditor connection details:
       - NETWRIX_ENDPOINT: The URL or hostname of your Netwrix API server.
       - NETWRIX_USER: The username for authentication (e.g., domain\\user).
       - NETWRIX_PASSWORD: The user's password.
     - Add other environment variables as needed (e.g., "ASPNETCORE_ENVIRONMENT=Production").
     - Verify the expected environment variable names (`NETWRIX_ENDPOINT`, etc.) and the container port (`50051` in the example) from the server's documentation. Note that these names differ from the `NETWRIX_API_*` names in the Option 1 example; the server reads only one set, so use whichever the documentation specifies. Adjust the `-p` mapping if needed.
     - A value passed as "-e", "NETWRIX_PASSWORD=..." is part of the `docker run` command line, so the password is visible to any local user who can list processes and is recorded in the container's metadata (`docker inspect`). For the password, prefer `--env-file` pointing at a file readable only by your user over "-e".
   - Docker Image
     - Specify the Docker image name and tag to run (e.g., "netwrix/auditor-mcp-server:latest").
     - Make sure this matches the image available in your registry or environment.
   - Additional Servers (Optional)
     - Add more server configurations inside the `mcpServers` object as needed.
3. Restart Claude Desktop: Close and reopen the application. Claude Desktop will now execute the `docker run` command to start the server in a container. You can verify its operation as described in Step 6 of Option 1.
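Both configurations above put the Auditor password where it is easy to read: in `claude_desktop_config.json` (Option 1) or on the `docker run` command line (Option 2). The wrapper below is an added example, not part of the netwrix/mcp-server-auditor project: Claude Desktop runs this script instead of `dotnet` or `docker`, the script loads the credentials from a separate file that must be readable only by the current user, and then hands off to `dotnet run` with the variables in its environment or to `docker run --env-file`. The secret-file path and KEY=VALUE format, the 0600 permission check and the command-line convention are this example's own; the variable names are the ones the page's two configurations use and should be checked against the server's documentation.

```python
"""Start the Netwrix Auditor MCP server without a plaintext password in
claude_desktop_config.json or on the `docker run` command line.

Usage (this script's own convention, not something the MCP server project defines):
  launch_auditor_mcp.py <secret-file> dotnet <absolute path to .csproj>
  launch_auditor_mcp.py <secret-file> docker <image:tag>
"""
import os
import stat
import subprocess
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

# Variable names copied from the page's two examples; verify them against the server's docs.
REQUIRED_VARS = {
    "dotnet": ("NETWRIX_API_URL", "NETWRIX_API_USERNAME", "NETWRIX_API_PASSWORD"),
    "docker": ("NETWRIX_ENDPOINT", "NETWRIX_USER", "NETWRIX_PASSWORD"),
}


def scratch_path(name: str) -> str:
    """Per-process temp path, used only to demonstrate the checks below."""
    return str(Path(tempfile.gettempdir()) / f"auditor-mcp-{os.getpid()}-{name}")


def write_secret_file(path: str, values: Dict[str, str], mode: int = 0o600) -> str:
    """Write KEY=VALUE lines (the format `docker run --env-file` reads) with the given mode."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        for key, value in values.items():
            fh.write(f"{key}={value}\n")
    os.chmod(path, mode)  # explicit, so a pre-existing file or the umask cannot widen it
    return path


def load_secret_file(path: str, mode: str) -> Dict[str, str]:
    """Parse the secret file; refuse it if group/others can access it (POSIX mode bits only)
    or if a variable the chosen mode needs is missing."""
    p = Path(path)
    if os.name == "posix" and p.stat().st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(f"{p} is accessible to group/others; run: chmod 600 {p}")
    env: Dict[str, str] = {}
    for lineno, raw in enumerate(p.read_text(encoding="utf-8").splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" not in line:
            raise ValueError(f"{p}:{lineno}: expected KEY=VALUE")
        key, value = line.split("=", 1)
        env[key.strip()] = value.strip()
    missing = [k for k in REQUIRED_VARS[mode] if k not in env]
    if missing:
        raise ValueError(f"{p}: missing {', '.join(missing)}")
    return env


def build_argv(mode: str, target: str, secret_file: str, no_build: bool = False) -> List[str]:
    """Command line for Option 1 (dotnet run) or Option 2 (docker run). The docker form passes
    secrets with --env-file instead of -e KEY=VALUE, so they do not show up in the process list
    (they are still visible in `docker inspect` on this host)."""
    if mode == "dotnet":
        argv = ["dotnet", "run"]
        if no_build:
            argv.append("--no-build")
        return argv + ["--project", target]
    if mode == "docker":
        return ["docker", "run", "--rm", "-i", "--env-file", secret_file, target]
    raise ValueError(f"unknown mode {mode!r}; expected 'dotnet' or 'docker'")


def main(argv: List[str]) -> int:
    if len(argv) != 4 or argv[2] not in REQUIRED_VARS:
        print(__doc__, file=sys.stderr)
        return 2
    secret_file, mode, target = argv[1], argv[2], argv[3]
    secrets = load_secret_file(secret_file, mode)
    cmd = build_argv(mode, target, secret_file)
    # dotnet reads the variables from its environment; docker receives them via --env-file.
    env = {**os.environ, **secrets} if mode == "dotnet" else dict(os.environ)
    if os.name == "nt":  # exec() does not replace the process on Windows; keep stdio attached instead
        return subprocess.call(cmd, env=env)
    os.execvpe(cmd[0], cmd, env)  # replace this process; stdin/stdout stay wired to Claude Desktop
    return 1  # not reached


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

A matching Option 1 entry would then be `"command": "python", "args": ["C:\\path\\to\\launch_auditor_mcp.py", "C:\\path\\to\\auditor.env", "dotnet", "C:\\path\\to\\YourServerProject.csproj"]` with no `"env"` block. The permission check only applies to POSIX mode bits; on Windows, restrict the secret file to your own account through its security properties (or `icacls`), since the script skips the check there.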
Querying Activity Records
The primary and sole function of this MCP server is to provide access to Netwrix Auditor Activity Records. It allows you to query the historical log of actions ("who did what, where, and when") that have occurred within your monitored IT environment.
You can filter searches based on standard Netwrix Auditor fields, including:
- Who: The user or entity that performed the action.
- Object type: The type of object affected (e.g., File, Folder, User, Group, Mailbox, Registry Key).
- Action: The specific operation performed (e.g., Modified, Added, Removed, Read, Failed Logon, Renamed).
- What: Details about the object involved or the specifics of the change.
- Where: The location, system, or target where the action occurred.
- When: A specific date or time range.
- Data source: The origin of the audit data (e.g., Active Directory, File Servers, Exchange Online, Azure AD, SQL Server, VMware).
- Monitoring plan: The specific Netwrix Auditor monitoring plan that collected the data.
Use Cases and Benefits
- Streamlined Investigations: Quickly search for specific events using natural language without needing deep expertise in the Netwrix Auditor search interface. Ask questions like:
  - "Show all file deletions on the finance share yesterday."
  - "List failed logon attempts for 'admin_user' last week."
  - "Who modified the 'Domain Admins' group membership on March 26th, 2020?"
  - "Find activities related to the document 'ProjectPhoenix.docx' in SharePoint Online."
- Complex Queries: Leverage the LLM's capabilities to formulate searches combining multiple criteria across different fields.
  - "Show permission changes on SQL server 'SQL01' performed by users outside the IT department in the last month."
  - "Find all activities by 'contractor_X' involving file servers between 9 PM and 6 AM last week."
- Correlating Activity Records: Identify patterns by linking different activity events.
  - "Show successful logons for users who were recently added to the 'Remote Access' AD group."
  - "List file access attempts on server 'FS-HR' immediately following failed logon events for the same user."
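The questions above are natural-language requests that the MCP server turns into filtered searches over the fields listed under Querying Activity Records. The script below is an added example, not code from the MCP server or from Netwrix: it builds a few constructed Activity Records with those fields, implements the filter semantics such a search needs (exact match on Who, Where, Action, Object type, Data source and Monitoring plan; substring match on What; an inclusive When range; and a time-of-day window that wraps midnight, for "between 9 PM and 6 AM"), and then implements the last correlation question as logic: file access on 'FS-HR' preceded by failed logons from the same user within a short window. The sample values, the field names and the ten-minute window are assumptions for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Tuple


@dataclass(frozen=True)
class ActivityRecord:
    """One Activity Record, using the fields the page lists for filtering."""
    who: str              # Who: user or entity that performed the action
    object_type: str      # Object type: File, Folder, User, Group, ...
    action: str           # Action: Modified, Added, Removed, Read, Failed Logon, ...
    what: str             # What: the object involved / details of the change
    where: str            # Where: system or target where the action occurred
    when: datetime        # When
    data_source: str      # Data source: Active Directory, File Servers, ...
    monitoring_plan: str  # Monitoring plan that collected the record


# Constructed sample records for this example; not data from a real Auditor instance.
SAMPLE_RECORDS: List[ActivityRecord] = [
    ActivityRecord("CORP\\jdoe", "Logon", "Failed Logon", "Logon", "DC01",
                   datetime(2020, 3, 26, 8, 0), "Active Directory", "AD audit"),
    ActivityRecord("CORP\\jdoe", "Logon", "Failed Logon", "Logon", "DC01",
                   datetime(2020, 3, 26, 8, 1), "Active Directory", "AD audit"),
    ActivityRecord("CORP\\jdoe", "File", "Read", "\\\\FS-HR\\HR\\salaries.xlsx", "FS-HR",
                   datetime(2020, 3, 26, 8, 3), "File Servers", "FS audit"),
    ActivityRecord("CORP\\asmith", "File", "Removed", "\\\\FS-FIN\\Finance\\q1.xlsx", "FS-FIN",
                   datetime(2020, 3, 25, 14, 0), "File Servers", "FS audit"),
    ActivityRecord("CORP\\admin", "Group", "Modified", "Domain Admins", "DC01",
                   datetime(2020, 3, 26, 12, 0), "Active Directory", "AD audit"),
    ActivityRecord("CORP\\contractor_x", "File", "Read", "\\\\FS-HR\\HR\\policy.docx", "FS-HR",
                   datetime(2020, 3, 26, 23, 30), "File Servers", "FS audit"),
    ActivityRecord("CORP\\contractor_x", "File", "Read", "\\\\FS-HR\\HR\\policy.docx", "FS-HR",
                   datetime(2020, 3, 27, 9, 5), "File Servers", "FS audit"),
]


def _eq(a: str, b: str) -> bool:
    return a.casefold() == b.casefold()


def day_range(year: int, month: int, day: int) -> Tuple[datetime, datetime]:
    """Inclusive (start, end) bounds covering one calendar day."""
    start = datetime(year, month, day)
    return start, start + timedelta(days=1) - timedelta(microseconds=1)


def in_hour_window(t: datetime, start_hour: int, end_hour: int) -> bool:
    """True if t's hour is in [start_hour, end_hour); wraps midnight when start > end (21 -> 6)."""
    if start_hour <= end_hour:
        return start_hour <= t.hour < end_hour
    return t.hour >= start_hour or t.hour < end_hour


def search(records, *, who=None, object_type=None, action=None, what=None, where=None,
           when=None, data_source=None, monitoring_plan=None, hours=None) -> List[ActivityRecord]:
    """Filter on the page's fields: case-insensitive exact match, except that `what` is a
    substring match, `when` is an inclusive (from, to) pair and `hours` is a
    (start_hour, end_hour) time-of-day window that may wrap midnight."""
    exact = {"who": who, "object_type": object_type, "action": action, "where": where,
             "data_source": data_source, "monitoring_plan": monitoring_plan}
    out = []
    for r in records:
        if any(v is not None and not _eq(getattr(r, f), v) for f, v in exact.items()):
            continue
        if what is not None and what.casefold() not in r.what.casefold():
            continue
        if when is not None and not (when[0] <= r.when <= when[1]):
            continue
        if hours is not None and not in_hour_window(r.when, *hours):
            continue
        out.append(r)
    return out


def file_access_after_failed_logons(records, where: str, window: timedelta = timedelta(minutes=10)):
    """Correlation: file access on `where` by a user who produced Failed Logon records within
    `window` before it. Returns (access_record, preceding_failed_logon_count) pairs, oldest first."""
    failed = search(records, action="Failed Logon")
    hits = []
    for r in sorted(search(records, where=where, object_type="File"), key=lambda x: x.when):
        prior = [f for f in failed if _eq(f.who, r.who) and r.when - window <= f.when < r.when]
        if prior:
            hits.append((r, len(prior)))
    return hits


if __name__ == "__main__":
    for rec in search(SAMPLE_RECORDS, who="CORP\\contractor_x", data_source="File Servers", hours=(21, 6)):
        print("after-hours:", rec.who, rec.action, rec.what, rec.when)
    for rec, n in file_access_after_failed_logons(SAMPLE_RECORDS, "FS-HR"):
        print(f"{rec.who} read {rec.what} at {rec.when} after {n} failed logon(s)")
```

Against the sample data, the after-hours query returns only the 23:30 read by contractor_x, and the correlation returns jdoe's read of salaries.xlsx on FS-HR with two failed logons in the preceding ten minutes; contractor_x's reads on the same server produce no hit because no failed logons precede them.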
Questions
If you need help using this MCP server or understanding your results, just reach out. We're happy to help!