
Security Guardian Current - User Guide


Active Directory Database built-in searches

Audit provides the following Active Directory Database built-in search:

  • AD DB all events in the past 7 days

Anomaly Activity built-in searches

Audit provides the following anomaly activity built-in searches:

  • All anomaly detected events in the past 30 days
  • Unusual increase in AD account lockout events in the past 30 days
  • Unusual increase in failed AD change events in the past 30 days
  • Unusual increase in failed AD Federation Services sign-ins in the past 30 days
  • Unusual increase in failed file access attempts in the past 30 days
  • Unusual increase in file deletes in the past 30 days
  • Unusual increase in file renames in the past 30 days
  • Unusual increase in files shared from OneDrive and SharePoint events in the past 30 days
  • Unusual increase in Microsoft 365 activity by guest user events in the past 30 days
  • Unusual increase in Microsoft 365 activity by anonymous user events in the past 30
  • Unusual increase in permission changes to AD object events in the past 30 days
  • Unusual increase in share access permission changes in the past 30 days
  • Unusual increase in successful AD Federation Services sign-ins in the past 30 days
  • Unusual increase in successful tenant sign-in events in the past 30 days
  • Unusual increase in tenant sign-in failure events in the past 30 days
  • Unusual increase in Teams guest participant events in the past 30 days
  • Unusual increase in successful on-premises sign-ins in the past 30 days
  • Unusual increase in failed on-premises sign-ins in the past 30 days

Audit Health built-in searches

Audit provides the following Audit Health built-in searches:

  • Change Auditor Installation activity changes in the past 30 days
  • Change Auditor Installation connectivity events in the past 30 days
  • Change Auditor Installation setting changes in the past 30 days
  • Change Auditor Installation upgrade events in the past 30 days
  • Service activity changes in the past 30 days
  • Service auditing enabled or disabled events in the past 30 days
  • SpecterOps BloodHound Enterprise connectivity events in the past 30 days
  • SpecterOps BloodHound Enterprise configuration changes in the past 30 days
  • Subscription expiring events in the past 90 days

Microsoft Entra built-in searches

Audit provides the following Microsoft Entra built-in searches that are based on the most common and complex requests for information:

  • Microsoft Entra application events in the past 7 days
  • Microsoft Entra directory events in the past 7 days
  • Microsoft Entra events in the past 7 days
  • Microsoft Entra failed sign-in events in the past 7 days
  • Microsoft Entra group events in the past 7 days
  • Microsoft Entra group member changes in the past 7 days
  • Microsoft Entra group owner changes in the past 7 days
  • Microsoft Entra risk events in the past 7 days
  • Microsoft Entra role events in the past 7 days
  • Microsoft Entra role member changes in the past 7 days
  • Microsoft Entra self-service password management events in the past 7 days
  • Microsoft Entra sign-in events in the past 7 days
  • Microsoft Entra successful sign-in events in the past 7 days
  • Microsoft Entra tenant level configuration changes in the last 180 days
  • Microsoft Entra user created events in the past 7 days
  • Microsoft Entra user deleted events in the past 7 days
  • Microsoft Entra user events in the past 7 days
  • Important changes for critical Microsoft Entra directory roles in the past 7 days
  • Objects added/removed from Microsoft Entra groups in the past 7 days
  • Objects added/removed from Microsoft Entra roles in the past 7 days
  • Users added/removed as owner of Microsoft Entra groups in the past 7 days

 
