Chat now with support
Chat mit Support

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and alert plans Auditing Azure Active Directory Auditing Microsoft 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Working with categories

When you create a category, you have the option of selecting whether it will be private or shared.

  • Private categories are only visible to the individual who created them.
  • Shared categories are visible to all On Demand Audit users and allow for collaboration with multiple users from the same organization.

By default, the following categories are available:

  • All Private Searches: All private searches belonging to the signed-in user.
  • All Searches: All configured searches.
  • Active Directory: All Active Directory events in the last 24 hours, 7 days, and 30 days.
  • Active Directory Federation Services: Sign-ins and configuration changes made through Active Directory Federation Services.
  • All Events: All events in the last 24 hours and 7 days.
  • Azure Active Directory: Azure Active Directory application, directory, group, role, self-service password, user created, user deleted, and user events in the last 7 days.
  • Best Practices: Sharing operations on important file types and Teams guest access events.
  • Group Policy: Group Policy events.
  • Logon Activity: Logon activity events.
  • Office 365: Office 365 and SharePoint online events.
  • On Demand Audit: All On Demand audit and alert events.
  • Teams: Teams user and administrator activity events.
  • My searches: A built-in private category.

To create a category

NOTE:

  • Private category names must be unique among all categories for each user.

  • Shared category name must be unique among all shared searches in all categories in the organization.

  1. Under the Searches tab, click Add in the Categories field.
  2. Enter the category name.
  3. Select whether the category is private or shared.
  4. Click Add.

To assign a search to a new category

  1. Under the Searches tab, select the search.
  2. Click the pencil icon to modify the search.
  3. Drop down the Category field and select the required category.
  4. Click Save .

To edit the name of a category

  1. Under the Searches tab, select the category.
  2. Highlight the category, and click the pencil icon to the left of the category.
  3. Enter a new name for the category and click Save.

Working with alerts and alert plans

Alerts allow those responsible for the security of your environment to receive detailed information about vital changes and activities as they occur. The associated notification templates allow you to configure who will receive the alerts so that they can take the appropriate action to address the outlined risks to your environment.

From the Alerts tab you can:

  • View the number of alerts created in the last 24 hours for each search.
  • View the number of associated notification templates.
  • Enable, disable, and remove alerts.
  • Review searches that have alerts created for them.
  • Review the associated notification templates.
  • Select an information icon to see when shared alerts were created, last saved, and by whom.

Notification templates are managed through On Demand global settings. Select Settings | Notification to manage notification templates. From here you can:

  • View all the alerts associated with each notification template and the number of alerts it includes.

  • See whether the notification template is private (only visible to the individual who created it) or shared (visible to all On Demand Audit users allowing for collaboration with multiple users from the same organization).

  • See who added the notification template and when it was created.

  • Select an information icon to see when notification templates were created, last saved, and by whom.

  • Add, edit, and remove notification templates.

For details on working with notification templates, see Notifications in the On Demand Global Settings User Guide.

 

NOTE:

  • You can select to assign any number of notification templates to an alert.
  • When you create or modify a notification template, you have the option of selecting whether it will be private or shared.

  • When enabling or editing an alert for a private search, only private notification templates can be used or created.
  • When enabling or editing an alert for a shared search, only shared notification templates can be used or created.
  • A notification template cannot be removed until all alerts linked to it are removed or reassigned.

To create an alert and associate it with an existing notification template

  1. Under the Searches tab, select the search.
  2. Click Alert.
  3. Select an existing notification template, and click Save.
  4. Select View Template to review and manage the notification template settings.

To create an alert and associate it with a new notification template

  1. Under the Searches tab, select the search.
  2. Click Alert.
  3. Select Create new shared notification template, enter a name for it, and click Save.
  4. Click Edit to specify or modify the notification template recipients as needed.
  5. Enter the required email addresses and click Add Recipients as needed.
  6. From the Selected Recipents list select to Remove and Send Test Email as needed.
  7. Click Save.

To edit an alert

  1. Under the Alerts tab, select the required alert.
  2. Click Edit Alert to add and remove the notification template associate with the alert as required.
  3. Click Save.
  4. Select View Template to review and manage the notification template settings.

To remove an alert

  1. Under the Alerts tab, select Alerts.
  2. Select the required alert, and click the X icon to delete it.
  3. Click OK to confirm the deletion.

Using built in alerts and notification templates

On Demand Audit includes built in alerts and notification templates to ensure that you are kept up to date on critical activity within your organization. All searches within the Audit Health, Anomaly Activity, and Bloodhound Tier Zero assets categories are alert-enabled and linked to the associated built in notification templates.

NOTE:

  • You need to add yourself to receive notifications. For details on working with notification templates, see Notifications in the On Demand Global Settings User Guide.
  • Built in notification templates cannot be deleted; you can, however, enable and disable the alerts as required.

 

The following built in notification templates are available:

  • Audit Health
  • Anomaly Activity
  • Tier Zero

The following built in alerts are available and enabled:

  • All anomaly detected events in past 30 days

  • All Azure Tier Zero AD risk events in the past 60 days

  • All Azure Tier Zero application changes in the past 60 days

  • All Azure Tier Zero group changes in the past 60 days

  • All Azure Tier Zero principal logons in the past 60 days

  • All Azure Tier Zero role changes in the past 60 days

  • All Azure Tier Zero service principal changes in the past 60 days

  • All Azure Tier Zero tenant level and directory activity in the past 60 days

  • All Azure Tier Zero user changes in the past 60 days

  • All Tier Zero computer changes in the past 60 days

  • All Tier Zero domain and forest configuration changes in the past 60 days

  • All Tier Zero group changes in the past 60 days

  • All Tier Zero group policy item and object changes in the past 60 days

  • All Tier Zero user changes in the past 60 days

  • Local logons to Tier Zero computers in the past 60 days

  • Security changes to Tier Zero domain objects in the past 60 days

  • Security changes to Tier Zero group objects in the past 60 days

  • Security changes to Tier Zero group policy objects in the past 60 days

  • Security changes to Tier Zero computer objects in the past 60 days

  • Security changes to Tier Zero user objects in the past 60 days

  • Tier Zero user logons to computers that are not Tier Zero in the past 60 days

  • Change Auditor Installation connectivity events in the past 30 days

  • Change Auditor Installation setting changes in the past 30 days

  • Change Auditor Installation upgrade events in the past 30 days
  • Service activity changes in the past 30 days

  • Service auditing enabled or disabled events in the past 30 days

  • Subscription expiring events in the past 90 days
  • Unusual increase in tenant sign-in failure events in the past 30 days
  • Unusual increase in AD account lockout events in the past 30 days
  • Unusual increase in successful tenant sign-in events in the past 30 days
  • Unusual increase in failed AD change events in the past 30 days
  • Unusual increase in permission changes to AD object events in the past 30 days
  • Unusual increase in files shared from OneDrive and SharePoint events in the past 30 days
  • Unusual increase in Office 365 activity by guest user events in the past 30 days
  • Unusual increase in Office 365 activity by anonymous user events in the past 30
  • Unusual increase in Teams guest participant events in the past 30 days

 

Auditing Azure Active Directory

On Demand Audit simplifies the audit process by tracking, auditing, and reporting on activity that corresponds to the events in the Azure Active Directory audit logs, sign-in activity report, and risky sign-ins report.

NOTE: An Azure Active Directory Premium (P1) license or higher is required for On Demand Audit to audit sign-in and Azure Active Directory Premium (P2) license or higher to audit risky sign-in activity.

You can generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.

For example, you can easily track and report on activities such as:

  • When users and groups are added to and removed from the directory.
  • When user and group attributes are changed.
  • Successful and failed logins.
  • Suspicious sign-in activity.
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen