Identifying critical activity
The Critical Activity tile highlights security-related activity that may indicate a threat to your organization and require further investigation. This includes anomaly detection for unusual spikes in activity (the "Unusual increase in ..." entries below). The critical activity reported for each audited service is listed below.
Change Auditor / Logon Activity
- Local logons to Tier Zero computers
- NTLM version 1 logons
- Possible Golden Ticket Kerberos exploits
- Potential kerberoasting or similar Kerberos attack detected
- Tier Zero user logons to computers that are not Tier Zero
- Unusual increase in AD account lockouts
- Unusual increase in failed on-premises sign-ins
- Unusual increase in successful on-premises sign-ins

Change Auditor / Active Directory
- Administrative privilege elevation detected
- AD user ServicePrincipalName attribute changes detected
- AD Replicating Directory Changes All domain permission granted
- AD security changes that can prevent object enumeration detected
- AD suspicious group ESX Admins created or member added
- Active Directory critical group membership changes
- Active Directory schema configuration changes
- Active Directory forest configuration changes
- Active Directory security changes
- Attempt to access protected Active Directory database detected
- Attempt to access protected Windows file or folder detected
- Attempt to edit protected group policy object detected
- Attempt to modify protected Active Directory object detected
- Domain level group policy linked changes detected
- Group Policy changes to scheduled task section
- Irregular AD replication activity detected
- Irregular domain controller registration detected (DCShadow)
- Potential sIDHistory injection detected
- Security changes to Tier Zero computer objects
- Security changes to Tier Zero domain objects
- Security changes to Tier Zero group objects
- Security changes to Tier Zero group policy objects
- Security changes to Tier Zero user objects
- Tier Zero computer changes
- Tier Zero domain and forest configuration changes
- Tier Zero group changes
- Tier Zero group policy object changes
- Tier Zero user changes
- Unusual increase in failed AD changes
- Unusual increase in permission changes to AD objects

Change Auditor / Active Directory Federation Services (no critical activity listed)

Change Auditor / File System
- AD Database (NTDS.dit) access attempt detected
- AD Database (NTDS.dit) file modification attempt detected
- All file changes with suspicious file extensions
- Unusual increase in share access permission changes
- Unusual increase in failed file access attempts
- Unusual increase in file deletes
- Unusual increase in file renames

Change Auditor / Group Policy (no critical activity listed)

Microsoft Entra - Audit Logs
- Microsoft Entra Tier Zero application changes
- Microsoft Entra Tier Zero group changes
- Microsoft Entra Tier Zero role changes
- Microsoft Entra Tier Zero service principal changes
- Microsoft Entra Tier Zero tenant level and directory activity
- Microsoft Entra Tier Zero user changes
- Microsoft Entra critical directory role changes
- Microsoft Entra tenant level configuration changes
- Microsoft Entra cloud-only users created

Microsoft Entra - Sign-ins
- Microsoft Entra Tier Zero principal logons
- Microsoft Entra Tier Zero AD risk events
- Unusual increase in tenant sign-in failures
- Unusual increase in successful tenant sign-ins

Exchange Online - Administrative Activity
- OneDrive and SharePoint files shared with external users
- OneDrive and SharePoint anonymous links
- Microsoft 365 activity from external users

SharePoint Online or OneDrive for Business
- Unusual increase in files shared from OneDrive and SharePoint
- Unusual increase in Microsoft 365 activity by guest users
- Unusual increase in Microsoft 365 activity by anonymous users

Microsoft Teams (no critical activity listed)

To dive deeper into any item, open its associated search. For details on the searches behind the critical activity, see Working with searches, Working with Microsoft Entra Searches, and Using built in searches.
To view a full list of critical activity, together with visualizations to help you understand the possible threat, see Working with critical activity.
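The "Unusual increase in ..." entries above are described as anomaly detection for spikes in activity, but the page does not describe the dashboard's own detection logic. The following is an added, illustrative example (not the product's code) of the kind of spike detection such an entry implies, run over constructed daily counts for two of the listed series. It uses a rolling median/MAD baseline rather than a mean so that one large spike does not inflate the baseline and hide the next one; the sample counts, the seven-day window, the multiplier `k` and the `min_abs` floor are all assumptions chosen for illustration.

```python
"""Illustrative spike detector for "Unusual increase in ..." style critical activity.

Added example, not the dashboard's own algorithm (the page does not describe it).
A day is flagged when its event count exceeds a robust threshold computed from
the preceding `window` days: median + k * 1.4826 * MAD, with a minimum absolute
excess so that near-constant series do not alert on a change of one or two events.
"""
from statistics import median

# Constructed sample data (invented numbers, not real audit data): daily event
# counts over 14 days for two of the on-premises series listed on the page.
DAILY_COUNTS = {
    "Unusual increase in failed on-premises sign-ins":
        [120, 131, 118, 125, 140, 122, 119, 128, 133, 124, 121, 126, 690, 130],
    "Unusual increase in AD account lockouts":
        [4, 6, 5, 3, 7, 5, 4, 6, 5, 4, 38, 5, 6, 4],
}


def robust_baseline(values):
    """Return (median, median absolute deviation) of a list of counts."""
    med = median(values)
    mad = median(abs(v - med) for v in values)
    return med, mad


def find_spikes(counts, window=7, k=6.0, min_abs=10):
    """Return [(day_index, count, threshold)] for days whose count exceeds the
    rolling robust threshold built from the previous `window` days.

    k       : multiplier on the scaled MAD (1.4826 * MAD approximates sigma
              for normally distributed data)
    min_abs : floor on the allowed excess over the median, so a series whose
              MAD is 0 does not alert on a +1 change
    """
    spikes = []
    for day in range(window, len(counts)):
        base = counts[day - window:day]       # only earlier days form the baseline
        med, mad = robust_baseline(base)
        threshold = med + max(k * 1.4826 * mad, min_abs)
        if counts[day] > threshold:
            spikes.append((day, counts[day], threshold))
    return spikes


def report(series=DAILY_COUNTS):
    """Map each critical-activity name to the days flagged for it."""
    return {name: find_spikes(values) for name, values in series.items()}


if __name__ == "__main__":
    for name, hits in report().items():
        for day, count, thr in hits:
            print(f"{name}: day {day} count {count} exceeds threshold {thr:.1f}")
```

With the constructed data, only day 12 of the failed sign-in series and day 10 of the lockout series are flagged, and day 13 of the sign-in series is not, because the median/MAD baseline is barely moved by the 690-event day it includes. A detector of this shape only sees abrupt jumps relative to recent history: a slow ramp, or a series that has always been noisy, will not trigger it, which is why the flagged item should always be followed into the associated search rather than treated as a verdict.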
Identifying the top active users
The Top Active Users tile displays the five most active users in the last 24 hours, with each service represented by a different color in the user's bar. By default, data for all available services is displayed.
To see the exact number of events per service for a particular user, hover over a section of the bar. To dive deeper into the activity details, click the section of the bar that represents the service of interest.
NOTE Other than Audit activity, which is always included, the activity that is gathered and displayed depends on the services that you have selected to audit. See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on-premises events.

The services that can be displayed are:
- Change Auditor
  - Active Directory
  - Active Directory Federation Services (Change Auditor version 7.1.2 or later)
  - Active Directory Database
  - Group Policy
  - Logon Activity
- OneDrive for Business
- SharePoint Online
- Microsoft Teams
- Microsoft Entra
  - Audit Logs
  - Sign-ins
- Exchange Online
  - Administrative Activity
  - Mailbox Activity

To view the top active users for a specific service:
- Choose the required service from the dropdown list, and click Select.
- To exclude users from the calculation and the display, click Edit Excluded Users and add or remove users as required.
- Click Close to save your selection.
Working with My Favorite Searches
The My Favorite Searches section of the dashboard lets you pin the five searches that you consider to be of highest value in your organization. From here you can see the number of events each search returns, open the search details, and manage which searches are displayed in this view.
By default, the following searches are listed:
- Important changes for critical Microsoft Entra directory roles in the past 7 days
- Microsoft Entra role member changes in the past 7 days
- Cloud-only Microsoft Entra users created in the past 180 days
- Microsoft Entra tenant level configuration changes in the last 180 days
- Microsoft 365 events from EXT Users in the past 7 days
To manage the searches displayed on the dashboard:
- From My Favorite Searches, click Edit Searches.
- Add and remove searches as required by selecting the category and associated search. You can also drag and drop to specify the search order on the dashboard based on priority.
- Once you have made all your selections, click OK.
Monitoring sign-in trends
The Sign-ins tile lets you quickly see the successful and failed sign-ins over the last 7 days. You can monitor trends for all sign-ins or only for the types you are interested in.
To add and remove the types of sign-in trends displayed:
- Expand the drop-down list and choose the types of sign-ins to display.
- Choose to show all, successful, or failed events for Microsoft Entra sign-ins, Active Directory authentications, Active Directory Federation Services sign-ins, and Windows interactive logons.
If you have selected to show "All" sign-in types, any services added at a later date are automatically selected and displayed in the dashboard.
The available sign-in types are:

Change Auditor / Logon Activity
- Active Directory authentications - Successful events
- Active Directory authentications - Failed events
- Windows interactive logons - Successful events
- Windows interactive logons - Failed events

Change Auditor / Active Directory Federation Services (no event types listed)

Microsoft Entra - Sign-ins
- Microsoft Entra sign-ins - Successful events
- Microsoft Entra sign-ins - Failed events