Netwrix Auditor is one of the longest-running and most mature audit and activity-monitoring platforms in the enterprise market. It covers Active Directory reporting, on-premises file-server activity, Microsoft 365 (Entra ID, Exchange, SharePoint, OneDrive, Teams), SQL Server, VMware, Oracle, and a long tail of additional systems. Its strength is deep regulator-style audit archives — year over year of who-changed-what evidence that satisfies the most demanding compliance questions. The cost is enterprise pricing, per-data-source and per-Entra-ID-user, and a product surface area that typically needs dedicated administration.
Lavawall® covers the same activity-monitoring categories that matter most to MSPs — AD & M365 user reporting, on-premises file change monitoring, SharePoint and OneDrive activity, and Google Drive activity — and ships them inside a broader MSP platform that also handles patching, breach detection, M365 / Entra / Azure configuration backup and rollback, GRC compliance, helpdesk, and remote support. Pricing is per-tenant with published CAD and USD rates. Multi-tenant by design.
The honest answer for most MSPs and lean IT teams is that Lavawall® covers the activity-monitoring use cases you actually deliver to clients without the procurement and operational overhead of an enterprise audit-archive platform. The honest answer for enterprises with regulator-mandated multi-year audit retention on very specific systems is that Netwrix Auditor is still a defensible choice.
Where Lavawall® wins
Bundled with the rest of the MSP platform. Activity monitoring is one Lavawall® capability; the same agent and console handle 7,500+ application patching, M365 / Entra / Azure breach detection, M365 configuration backup and rollback, GRC compliance for 15+ frameworks, helpdesk, and remote support. One console, one bill, one vendor relationship instead of stacking Netwrix alongside an RMM, a GRC tool, a breach-detection product, and so on.
Multi-tenant by design. Lavawall® was built for MSP delivery from day one. One technician sees inactive-user lists, privilege-creep reports, file-share activity, and external-sharing events across every client tenant from one console. Per-tenant filters, per-client co-branding, and per-tenant billing are core data-model features, not add-ons.
MSP-native pricing. Pricing is per-tenant with public CAD and USD rates on the pricing page. Multiple modules are bundled. Native CAD billing, no foreign-exchange surprises. Netwrix Auditor is sold per data source and per Entra ID user with enterprise quotes; for SMB-served MSP clients, Lavawall® is materially less expensive at equivalent functional scope.
Cross-platform endpoint coverage. The Lavawall® agent runs on Windows, macOS, and Linux endpoints and servers. File-change monitoring covers all three; event-log analytics covers all three; the agent also handles patching, configuration assessment, and application control on all three. Netwrix is strongest on Windows endpoints and file servers.
M365 / Entra / Azure configuration backup with rollback. Lavawall® snapshots ~30 object types across Microsoft 365, Entra ID, Intune, and Azure subscriptions and offers a plan-approve-execute rollback workflow. Netwrix Auditor records changes but does not provide structured rollback — the audit archive tells you what happened; Lavawall® lets you undo it.
Built by an audit firm. ThreeShield Information Security Corporation — the Calgary-based audit firm that built Lavawall® — performs cybersecurity audits against NIST, CMMC, SOC 2, HIPAA, ISO 27001, and the Canadian privacy bundle. The things Lavawall® reports on are the things ThreeShield's auditors found broken year after year in client environments. CISSP- and CISA-credentialled staff.
Where Netwrix Auditor wins
Deep regulator-style audit archive. Netwrix Auditor is built for the auditor who wants every attribute write on every domain controller archived for seven years and filterable in dozens of ways. If long-term audit-archive retention on a specific data source is a regulator-mandated requirement, Netwrix is the right tool.
Mature enterprise data-source coverage. Netwrix Auditor ships connectors for SQL Server, Oracle, VMware, Windows Server in general, file appliances (NetApp, Dell EMC Isilon, Nutanix Files, Nasuni, Qumulo), and similar enterprise systems that Lavawall® does not currently target. For MSPs serving enterprise clients with those systems, Netwrix has coverage Lavawall® doesn't.
RBAC and delegated administration for large teams. Enterprise Netwrix deployments scale to dozens of analysts with per-data-source and per-report RBAC. Lavawall®'s MSP-channel RBAC is fit for typical MSP team sizes; very large enterprise deployments may find Netwrix's RBAC more granular.
Group Policy and Active Directory schema depth. Netwrix Auditor has deep Group Policy Object change tracking and AD schema modification auditing. Lavawall® covers AD users and groups but does not currently track GPO contents at the policy-setting level.
Feature comparison
| Feature | Lavawall® | Netwrix Auditor |
|---|---|---|
| On-premises Active Directory reporting | Yes — user-reporting module | Yes — flagship strength |
| Microsoft 365 / Entra ID user reporting | Yes | Yes |
| Google Workspace user reporting | Yes | Limited |
| Inactive-user detection (AD + M365 + Google Workspace) | Yes — one unified report | Yes per platform |
| Privilege creep / group membership change | Yes | Yes — deep audit archive |
| Windows file-server FIM (creates, writes, deletes, ACL changes) | Yes | Yes |
| Linux file-server FIM | Yes — agent on Debian / RHEL families | Limited |
| macOS file-change monitoring on endpoints | Yes — Endpoint Security framework | No |
| SharePoint Online file activity monitoring | Yes | Yes |
| OneDrive for Business activity monitoring | Yes | Yes |
| Google Drive / Shared Drive change monitoring | Yes | Limited |
| External-sharing visibility (M365 + Google) | Yes | Yes for M365; limited for Google |
| Mass-download / departing-employee detection | Yes — predefined patterns | Manual report construction typical |
| Audit-log retention beyond Microsoft's 90–180 days | Yes — contract term | Yes — deep archive |
| Cross-platform patching (Windows / macOS / Linux) | Yes — 7,500+ apps | No |
| GRC framework mapping (15+ frameworks) | Yes | Limited — some reports |
| M365 / Entra / Azure configuration backup & rollback | Yes — ~30 object types with plan/approve/execute | No |
| Multi-tenant ITDR breach detection | Yes | Limited; Netwrix Threat Manager is a separate product |
| Kernel-free application control | Yes | No |
| Bundled smart helpdesk & multi-tenant remote support | Yes | No |
| Endpoint event-log analytics (Windows / macOS / Linux) | Yes | Windows event log via Netwrix Auditor |
| Multi-tenant for MSP delivery (one console, all clients) | Yes — design point | Limited — enterprise single-tenant heritage |
| Pricing model | Per-tenant, published CAD & USD | Per data source, per user; enterprise quote |
| Native CAD billing | Yes | No |
Who should pick which?
Pick Lavawall® if…
MSPs serving SMB and mid-market clients who want AD reporting, file activity monitoring, and SharePoint/Drive activity as part of one MSP platform that also handles patching, GRC, breach detection, and helpdesk.
Teams that need cross-platform endpoint coverage (Windows + macOS + Linux) and a single agent for all of it.
MSPs that need M365 / Entra / Azure configuration backup and rollback in addition to activity monitoring.
Buyers who want public per-tenant pricing in CAD and USD rather than enterprise quotes.
Pick Netwrix Auditor if…
Enterprises with regulator-mandated multi-year audit-archive retention on specific data sources (SQL Server, Oracle, VMware, enterprise file appliances) that Lavawall® does not currently target.
Organisations whose primary use case is deep AD attribute-write archives and Group Policy change tracking for forensic audit defence.
Teams that already operate Netwrix and want a single audit-archive platform spanning many enterprise data sources beyond the AD-plus-M365-plus-files surface most MSPs need.
Frequently asked
- Is Netwrix Auditor the same product category as Lavawall®?
- Partially. Netwrix Auditor covers AD reporting, file-server activity, Microsoft 365 activity, SharePoint activity, and similar audit-archive use cases. Lavawall® covers the same activity monitoring categories (AD & M365 user reporting, on-prem file change monitoring, SharePoint and OneDrive monitoring, Google Drive monitoring) plus modules Netwrix does not ship at all — patching, GRC framework mapping, breach detection, M365 / Entra / Azure configuration backup and rollback, helpdesk, and remote support. Netwrix is the better fit when long-term audit-archive retention and regulator-style reporting are the primary requirement. Lavawall® is the better fit when an MSP wants one platform for those activities and the rest of cybersecurity operations.
- What about Netwrix's specialised products (Threat Manager, PolicyPak, GroupID)?
- Netwrix has acquired several adjacent products and now markets a wider portfolio than Netwrix Auditor alone. Lavawall® competes with Netwrix Auditor (the audit-and-reporting flagship); the adjacent products (privileged access, GPO management, identity governance) overlap with other Lavawall® modules to varying degrees. The comparison on this page focuses on Netwrix Auditor.
- How does pricing compare?
- Netwrix Auditor is sold per data source and per Entra ID user with enterprise-quote sizing typical of audit-archive vendors. Lavawall® is per-tenant with published CAD and USD pricing on the public pricing page; multiple modules are bundled at no extra cost. For SMB-served MSP clients, Lavawall® is materially less expensive at equivalent functional scope. For enterprises with deep audit-archive requirements that Netwrix specifically handles, Netwrix Auditor remains a defensible choice.
- Can I run both?
- You can. Some MSPs do run Lavawall® alongside Netwrix Auditor: Lavawall® for the day-to-day MSP-channel reporting and the rest of the platform; Netwrix Auditor for the long-term regulator-style audit archive on specific high-stakes systems. The data sources do not interfere with each other — both read from the same OS and cloud audit logs.
- What is Netwrix Change Tracker?
- Netwrix Change Tracker (formerly NNT Change Tracker) is a separate Netwrix product focused on file integrity monitoring and configuration assessment, distinct from Netwrix Auditor. It competes more directly with Lavawall®'s file change monitoring and configuration vulnerability modules. The comparison points on this page apply with similar weighting.
Related Lavawall® pages
- AD & M365 user reporting
- On-premises file change monitoring
- SharePoint & OneDrive file-change monitoring
- Google Drive change monitoring
- M365 / Entra / Azure configuration change monitoring & rollback
- Lavawall® vs ManageEngine ADAudit Plus
- Lavawall® vs Quest Change Auditor
- Lavawall® vs Varonis
- Lavawall® pricing