Release Notes
Quest® Quest On Demand Audit
Quest® Quest On Demand Audit
Release Notes
Updated: January 2025
These release notes provide information about Quest On Demand Audit deployments.
On Demand Audit provides extensive auditing of critical activities and detailed reports about vital changes taking place in Office 365 Exchange Online, SharePoint Online, and OneDrive for Business. Continually being in-the-know helps you to prove compliance, drive security, and improve up time while proactively auditing changes to configurations and permissions.
Integrating with Change Auditor, provides a single view of activity across hybrid Microsoft environments and turns on-premise events into rich visualizations to investigate incidents faster. Events sent to On Demand Audit include historical events gathered up to 30 days prior to upgrade to Change Auditor 7.0.0 (or higher).
On Demand Audit audits:
- When Exchange Online mailboxes are created, deleted, and accessed.
- Permission changes to see which users are granted access to a mailbox.
- Mailbox activity by non-owner such as messages sent, read, deleted, and folders deleted
- Mailbox activity by owner for sensitive and high value mailboxes.
- When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
- When user and group attributes are changed.
- When users and groups are added to and removed from the directory.
- Successful and failed logins.
- Suspicious sign-in activity.
- Teams user and administrator activity.
New features
Deprecated features
The ability to sign in with a Quest account has been deprecated. On June 4th, 2024, authentication to On Demand will only be available through Microsoft Identities. You can, however, move to Microsoft Identity now by selecting to Sign in with Microsoft from the On Demand landing page.
Authenticating through Microsoft Entra ID provides more native granular control and allows you to manage your configuration from a central location. This change allows for advanced security layers that you can configure from your own conditional access policies.
Release History
The following lists the new features and resolved issues by deployment.
Current Deployment
January, 2025
| Enhancement |
ID |
|
Ability to see "AD Replicating Directory Changes All domain permission granted" as critical activity in the dashboard. |
516231 |
| SG Privileged Entra ID objects uncertified in the past 30 day built in search |
531871 |
Previous Deployments
December, 2024
| Enhancement |
ID |
|
Additional Security Guardian search:
|
482249 |
Nov, 2024
| Enhancement |
ID |
|
Additional Active Directory searches:
-
All attempts to modify protected Active Directory objects in the past 60 days
-
All attempts to edit protected group policies in the past 60 days
-
All attempts to modify protected Active Directory databases in the past 60 days
-
All attempts to access protected Windows file system objects in the past 60 days
-
Group Policy all changes to scheduled task section in the last 60 days |
504431/518747 |
| Enhancement |
ID |
| Alert plans have been renamed to Notification Templates and are managed by selecting Settings | Notification and selecting the appropriate module. |
455698 |
| Ability to see "AD suspicious group ESX Admins created or member added" as critical activity in the dashboard. |
506418 |
|
|
495508 |
July 18, 2024
| Enhancement |
ID |
| Public and back end searches updated to match new nomenclature and changed fields. |
486395 |
| Ability to edit the layout for the Quick Search to visualize search results. |
463279 |
February 29, 2024
| Enhancement |
ID |
| Security Guardian built in searches. |
447542 |
|
BloodHound Enterprise alert plan renamed to Tier Zero alert plan. |
472122 |
January 24, 2023
| Enhancement |
ID |
|
Visualization added to the layout when an anomaly detection data point is selected in the critical activity tile. |
386638 |
| Enhancement |
ID |
| Ability to configure the integration with SpecterOps BloodHound Enterprise. |
372735 |
| Ability to remove a SpecterOps BloodHound Enterprise configuration. |
376219 |
| Ability to see the SpecterOps BloodHound Enterprise configuration status. |
364550 |
| Ability to monitor the SpecterOps BloodHound Enterprise integration through the dashboard's Audit Health tile. |
364551 |
| Ability to edit a SpecterOps BloodHound Enterprise configuration. |
364546 |
|
364558 |
| SpecterOps BloodHound Enterprise alert plan that includes all the BloodHound Tier Zero assets searches. |
374898 |
| Audit Health item was added to remind users to subscribe to the SpecterOps BloodHound Enterprise alert plan. |
378695 |
|
|
|
374896 |
| Enhancement |
ID |
| Change Auditor event names are displayed for Security Change Detail events. |
67331 |
| On premises file and folder attribute change events are split into attribute added and attribute removed events |
364277 |
|
364579 |
| Correlated Activity search filters provide the pre defined values of "Yes" and "No" |
368654 |
| Enhancement |
ID |
|
363604 |
| Ability to see File System Logon Id detail for Windows file system events. |
360573 |
| File System built in searches for Windows, EMC, and NetApp events. |
359522 |
| NetApp and EMC folder and file "Permission changed" and "Inherited permissions changed" events are now displayed as a single "Permissions Updated" event. |
358345 |
| File retention of 30 days for all File System events. |
177922 |
|
365728 |
| Enhancement |
ID |
| Identify critical activity relating to Active Directory Database access. |
362643 |
| Ability to audit Active Directory Database events to monitor the Active Directory database (NTDS.dit) file for possible unauthorized access attempts. This includes a new built in search (AD DB all events in the past 7 days) and the ability to filter searches on the Active Directory Database service. |
362642 |
| Enhancement |
ID |
| The Apply button on the Edit Layout flyout has been updated to Preview to reflect the actual function. |
350662 |
| File System added to the Top Active Users on the dashboard. |
361676 |
| Enhancement |
ID |
| Support for GCC tenants for organizations in the US region. |
350974 |
| Ability to select a donut chart for the search results visualization. |
320192 |
| Ability to select a bar chart for the search results visualization. |
328121 |
| Enhancement |
ID |
| Ability to audit adminCount attribute changed events. |
328327 |
|
328325 |
| Administrative privilege elevation detected activity added to the critical activity tile on the dashboard. |
328328 |
| Potential SIDHistory injection detected activity added to the critical activity tile on the dashboard. |
|
| Domain level group policy linked changes added to the critical activity tile on the dashboard. |
328320 |
| Irregular domain controller registration detected (DCShadow) activity added to the critical activity tile on the dashboard. |
328324 |
| Ability to audit AD irregular domain controller registration events. |
328323 |
| Legend added to the donut chart that displays critical activity. |
280484 |
| Ability to audit Group Policy domain level linked change. |
328322 |
| AD user ServicePrincipalName attribute changes detected event added to the Critical Activity dashboard. |
315396 |
| Provisioning status check. |
291656 |
| Provisioning status check for a Change Auditor integration. |
291657 |
| Enhancement |
ID |
| AD User ServicePrincipalName attribute changes in the past 30 days built in search |
315203 |
| Ability to select a time series chart for the search results visualization. |
318039 |
| Enhancement |
ID |
| Ability to subscribe to Anomaly Activity and Audit Health alert plans directly from the Audit Health tile in the dashboard. |
302112 |
| Ability to easily preview and customize the columns that display in generated reports. |
302838 |
| Enhancement |
ID |
|
281274 |
|
282927 |
| Enhancement |
ID |
| Built in Audit Health and Anomaly Activity alerts plans and associated built in alerts for all searches within the Audit Health and Anomaly Activity categories. |
289369 |
| Enhancement |
ID |
| Ability to audit Change Auditor connection interrupted and Change Auditor connection resumed events. |
280847 |
|
281046 |
|
261904 |
| Enhancement |
ID |
|
278731 |
|
280820 |
