This means you can access Auditor investigation data via AI tools like Claude Desktop—without writing a single query. Simply ask questions in plain English — or any language you prefer — and get immediate, actionable answers. This enables you to quickly search for specific events without deep expertise in the Netwrix Auditor search interface, formulate complex searches across multiple criteria and fields, or identify patterns by correlating different activity events.
You remain in full control of the integration: the MCP server is deployed in your environment, you decide what data is accessible to AI tools, and all queries are logged and auditable—giving you speed and visibility without sacrificing oversight.
What You Can Do with MCP + Netwrix Auditor
Use natural language prompts to unlock insights from Netwrix Auditor investigations.
Here are just a few examples of questions you can ask:
“Find activities related to the document ‘ProjectPhoenix.docx’ in SharePoint Online.”
“Find all activities by ‘contractor_X’ involving file servers between 9 PM and 6 AM last week.”
“List file access attempts on server ‘FS-HR’ immediately following failed logon events for the same user.”
Key Limitations
It’s important to understand what the MCP server cannot do:
No State-in-Time (SIT) Data Access: The server cannot retrieve or analyze point-in-time snapshots. It cannot answer questions like “Who currently has access to this folder?” or “Who were the members of the ‘Admin’ group last Tuesday?”
No Configuration Capabilities: The server cannot be used to configure Netwrix Auditor.
Read-Only Access: The server only provides read access to historical activity records.
Historical Data Only: The server queries existing audit data; it does not provide real-time monitoring or alerting.
How to Get Started
This integration is available now on GitHub. To try it, you’ll need:
Netwrix Auditor installed and populated with data
An MCP-compatible AI tool—such as Claude Desktop, Claude for Work, or Microsoft Copilot Studio
Basic familiarity with Python or container tools
Access the MCP Server Implementation Here:
We’d Love to Hear From You
We’re always happy to hear from our users—what you like and what you hope to see in the future. Please share your thoughts below, and you might see one of your suggestions implemented soon!
I would like to add my notes after starting to test the integration. Maybe they are silly ones, but it was my first time with Claude and MCP integration at all, so these comments can help other people.
When I tried the first build I got the error "Could not resolve SDK “WixToolset.Sdk” […]". The resolution steps are the following:
After downloading Claude, I could not find the file “claude_desktop_config.json”; it became visible only after setting up the integration from general settings. Screenshots below (sorry, they are in Italian):
Pay attention if you have blanks in your path! It happened in my case and I had to add double quotes with an escape character in the JSON file.
Anyway, I still have some errors when I try to integrate the custom MCP Server; below is an extract from the “mcp-server-netwrix-auditor-local.log” log:
[netwrix-auditor-local] [error] Unexpected token ‘C’, “C:\Program”… is not valid JSON […]
[netwrix-auditor-local] [info] Server transport closed unexpectedly, this is likely due to the process exiting early. If you are developing this MCP server you can add output to stderr (i.e. console.error('...') in JavaScript, print('...', file=sys.stderr) in python) and it will appear in this log.
Did anyone experience something similar? I can run the project properly from the command line with the same command run in the MCP integration.
Thank you in advance for any help!
Hope my feedback can be useful.
It’s great that the project builds successfully from the command line — that’s an important step and confirms everything compiles correctly.
The errors you’re seeing in Claude Desktop are likely caused by Claude trying to build the project itself and intercepting the output stream — which may include symbols or logs it doesn’t expect. To avoid this, you can disable the build step by adding --no-build to the args section in your claude_desktop_config.json. This tells Claude to run the already-built version of the server without rebuilding it.
This should prevent Claude Desktop from interfering with the startup and eliminate the JSON-related errors.
We apologize for the inconvenience. We’ll incorporate your feedback into the documentation, and we’re already working on a more user-friendly installer to simplify this setup process.
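Added example, not part of the original thread or of the Netwrix project's code: an MCP client talking to a local server over stdio expects every line on the server's stdout to be a JSON-RPC 2.0 message, so build output on that stream produces exactly the "is not valid JSON" error quoted above. The sketch below flags such lines in a captured stdout sample; the function names and the sample lines are constructed for illustration.

```python
import json

# Constructed sample of a server's stdout when a build step runs before the
# server starts (illustrative lines, not output captured from the real project).
SAMPLE_STDOUT = [
    r"C:\Program Files\dotnet\sdk\placeholder\Example.targets: warning: constructed build message",
    '{"jsonrpc": "2.0", "id": 1, "result": {"capabilities": {}}}',
    "Build succeeded.",
    '{"jsonrpc": "2.0", "method": "notifications/message", "params": {"level": "info", "data": "started"}}',
    '{"status": "ready"}',
]


def classify_line(line):
    """Return (kind, detail) for one stdout line: 'rpc', 'not-json', 'not-rpc' or 'blank'."""
    text = line.strip()
    if not text:
        return ("blank", "")
    try:
        msg = json.loads(text)
    except json.JSONDecodeError as exc:
        # This is the case behind "Unexpected token ... is not valid JSON".
        return ("not-json", f"{exc.msg} at column {exc.colno}: {text[:30]!r}")
    if not isinstance(msg, dict) or msg.get("jsonrpc") != "2.0":
        return ("not-rpc", "valid JSON but not a JSON-RPC 2.0 object")
    if "method" in msg or "result" in msg or "error" in msg:
        return ("rpc", msg.get("method", "response"))
    return ("not-rpc", "JSON-RPC object without method, result or error")


def audit_stdout(lines):
    """List (line_number, kind, detail) for every line that would break the client."""
    problems = []
    for number, line in enumerate(lines, start=1):
        kind, detail = classify_line(line)
        if kind in ("not-json", "not-rpc"):
            problems.append((number, kind, detail))
    return problems


if __name__ == "__main__":
    for number, kind, detail in audit_stdout(SAMPLE_STDOUT):
        print(f"line {number}: {kind}: {detail}")
```

Anything the server needs to log belongs on stderr, which the client writes to its log file instead of parsing.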
Your suggestion was perfect!
I solved the issue related to browsing something in the C: drive.
I still have a project error that I was only able to resolve by removing spaces from the project path, so my last suggestion is to permanently save the project to a path without spaces.
The integration is now working properly!
Thank you very much