Use AI to Simplify Investigations with Netwrix Auditor

Netwrix Auditor now supports natural language querying of Auditor investigation data through integration with the Model Context Protocol (MCP).

This means you can access Auditor investigation data via AI tools like Claude Desktop—without writing a single query. Simply ask questions in plain English — or any language you prefer — and get immediate, actionable answers. This enables you to quickly search for specific events without deep expertise in the Netwrix Auditor search interface, formulate complex searches across multiple criteria and fields, or identify patterns by correlating different activity events.

You remain in full control of the integration: the MCP server is deployed in your environment, you decide what data is accessible to AI tools, and all queries are logged and auditable—giving you speed and visibility without sacrificing oversight.

What You Can Do with MCP + Netwrix Auditor

Use natural language prompts to unlock insights from Netwrix Auditor investigations.

Here are just a few examples of questions you can ask:

  • “Find activities related to the document ‘ProjectPhoenix.docx’ in SharePoint Online.”
  • “Find all activities by ‘contractor_X’ involving file servers between 9 PM and 6 AM last week.”
  • “List file access attempts on server ‘FS-HR’ immediately following failed logon events for the same user.”

Key Limitations

It’s important to understand what the MCP server cannot do:

  • No State-in-Time (SIT) Data Access: The server cannot retrieve or analyze point-in-time snapshots. It cannot answer questions like “Who currently has access to this folder?” or “Who were the members of the ‘Admin’ group last Tuesday?”
  • No Configuration Capabilities: The server cannot be used to configure Netwrix Auditor.
  • Read-Only Access: The server only provides read access to historical activity records.
  • Historical Data Only: The server queries existing audit data; it does not provide real-time monitoring or alerting.

How to Get Started

This integration is available now on GitHub. To try it, you’ll need:

  • Netwrix Auditor installed and populated with data
  • An MCP-compatible AI tool—such as Claude Desktop, Claude for Work, or Microsoft Copilot Studio
  • Basic familiarity with Python or container tools

Access the MCP Server Implementation Here:

We’d Love to Hear From You

We’re always happy to hear from our users—what you like and what you hope to see in the future. Please share your thoughts below, and you might see one of your suggestions implemented soon!

12 Likes

I would like to add my notes after starting to test the integration. Maybe they are silly ones, but it was my first time with Claude and MCP integration at all, so these comments can help other people.

  1. When I tried the first build I got the error "Could not resolve SDK “WixToolset.Sdk” […]". The resolution steps are the following:
     • Add the source and download the dependencies:
       dotnet nuget add source https://api.nuget.org/v3/index.json -n nuget.org
       dotnet tool install --global wix
     • Publish the application before creating the installer:
       cd "<your-project-path>\mcp-server-auditor"
       dotnet publish -c Release -r win-x64 --self-contained true
       dotnet build SetupProject/SetupProject.wixproj -c Release
  2. After downloading Claude, I could not find the file “claude_desktop_config.json”; it became visible only after setting up the integration from the general settings. Screenshots below (sorry, they are in Italian):

Pay attention if you have blanks in your path! It happened in my case and I had to add double quotes with an escape character in the JSON file.

Anyway, I still have some errors when I try to integrate the custom MCP server; below is an extract from the “mcp-server-netwrix-auditor-local.log” log:
[netwrix-auditor-local] [error] Unexpected token ‘C’, “C:\Program”… is not valid JSON […]
[netwrix-auditor-local] [info] Server transport closed unexpectedly, this is likely due to the process exiting early. If you are developing this MCP server you can add output to stderr (i.e. console.error('...') in JavaScript, print('...', file=sys.stderr) in python) and it will appear in this log.

Has anyone experienced something similar? I can run the project properly from the command line with the same command that is run in the MCP integration.

Thank you in advance for any help!
Hope my feedback can be useful.

Veronica

3 Likes

Hey Veronica. Thank you for the notes! These are great and I’d like to get them added to the guide.

Just to clarify, you can launch the MCP server fine from the command line, but still running into issues using it with Claude Desktop?

Hello Brett,
If I run the project from cmd with the following command:

dotnet run --project "E:\MCP Netwrix server\mcp-server-auditor\NetwrixAuditorMCPServer.csproj" -e NETWRIX_API_URL="https://localhost:9699" -e NETWRIX_API_USERNAME="MYUSER" -e NETWRIX_API_PASSWORD="MYPASSWORD"

I get no error (but also no result at all). Trying with the verbose option, this is the output:

In Claude I always get this error at startup:

But I cannot understand in which JSON it is looking for a path on the C drive.

Hello Veronica,

It’s great that the project builds successfully from the command line — that’s an important step and confirms everything compiles correctly. :slightly_smiling_face:

The errors you’re seeing in Claude Desktop are likely caused by Claude trying to build the project itself and intercepting the output stream — which may include symbols or logs it doesn’t expect. To avoid this, you can disable the build step by adding --no-build to the args section in your claude_desktop_config.json. This tells Claude to run the already-built version of the server without rebuilding it.

Here’s the full config example:

{
  "mcpServers": {
    "netwrix-auditor-local": {
      "command": "dotnet",
      "args": [
        "run",
        "--no-build",
        "--project",
        "E:\\MCP Netwrix server\\mcp-server-auditor\\NetwrixAuditorMCPServer.csproj"
      ],
      "cwd": "E:\\MCP Netwrix server\\mcp-server-auditor",
      "env": {
        "NETWRIX_API_URL": "https://localhost:9699",
        "NETWRIX_API_USERNAME": "MYUSER",
        "NETWRIX_API_PASSWORD": "MYPASSWORD"
      }
    }
  }
}

This should prevent Claude Desktop from interfering with the startup and eliminate the JSON-related errors.

We apologize for the inconvenience. We’ll incorporate your feedback into the documentation, and we’re already working on a more user-friendly installer to simplify this setup process.

Let us know if you run into anything else!

4 Likes

Hey Eugene,

your suggestion was perfect!
I solved the issue related to browsing something in C: drive.
I still have a project error that I was only able to resolve by removing spaces from the project path, so my last suggestion is to permanently save the project to a path without spaces.
The integration is now working properly!
Thank you very much :star_struck:

6 Likes
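The checks that came up in this thread (the --no-build advice and the notes on escaping and on blanks in paths), collected as an added example; this is not code from Netwrix or from any poster. The rule names, the sample config and the plaintext-credential rule are assumptions made for illustration.

```javascript
// Added example: lint MCP server entries in claude_desktop_config.json.
// Rule names are hypothetical; the sample config is constructed.
const SECRET_KEY = /PASSWORD|SECRET|TOKEN|API_KEY/i;

function lintMcpConfig(text) {
  let cfg;
  try {
    cfg = JSON.parse(text); // an unescaped "C:\Program Files" fails here
  } catch (e) {
    return [{ server: null, rule: "invalid-json", detail: e.message }];
  }
  const findings = [];
  for (const [name, raw] of Object.entries(cfg?.mcpServers ?? {})) {
    const s = raw ?? {};
    const args = Array.isArray(s.args) ? s.args : [];
    const add = (rule, detail) => findings.push({ server: name, rule, detail });
    // "dotnet run" builds first; build output on stdout is not an MCP message.
    if (s.command === "dotnet" && args[0] === "run" && !args.includes("--no-build"))
      add("build-on-start", "add --no-build so stdout carries only MCP messages");
    // Blanks in the project path were the last failure reported in the thread.
    for (const p of [...args, s.cwd].filter((v) => typeof v === "string"))
      if (/^[A-Za-z]:\\/.test(p) && p.includes(" ")) add("path-with-space", p);
    // Assumption of this example: credentials in "env" are stored in plaintext.
    for (const k of Object.keys(s.env ?? {}))
      if (SECRET_KEY.test(k) && s.env[k] !== "") add("plaintext-secret", k);
  }
  return findings;
}

// A stdio client parses every stdout line as JSON; return the lines that are not.
function nonJsonStdoutLines(stdout) {
  return stdout.split(/\r?\n/).filter((line) => {
    if (line.trim() === "") return false;
    try { JSON.parse(line); return false; } catch { return true; }
  });
}

// Constructed sample modelled on the thread's config, without --no-build.
const sample = JSON.stringify({
  mcpServers: { "netwrix-auditor-local": {
    command: "dotnet",
    args: ["run", "--project",
      "E:\\MCP Netwrix server\\mcp-server-auditor\\NetwrixAuditorMCPServer.csproj"],
    env: { NETWRIX_API_URL: "https://localhost:9699", NETWRIX_API_PASSWORD: "MYPASSWORD" },
  } },
});
console.log(lintMcpConfig(sample).map((f) => f.rule));
```

Feeding captured server stdout to `nonJsonStdoutLines` shows which lines would trigger the "is not valid JSON" entry in the Claude Desktop log.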