
Security Guardian Current - User Guide


Working with Microsoft Entra Searches

Numerous built-in Microsoft Entra searches are available to locate and report on Microsoft Entra data. If required, you can also create custom searches to locate the specific information that interests you.

There are numerous columns, filters, and pre-defined values that you can use to help you find the information you need to secure your environment.

See Creating a custom search and Appendix - Available Audit Search Columns and Filters for more details.

Microsoft Entra-specific columns

The following columns are available to display additional Microsoft Entra information:

Microsoft Entra - Audit Log (audit module):
  • Microsoft Entra Activity Type
  • Microsoft Entra Activity Operation Type
  • Microsoft Entra Result Description
  • Microsoft Entra Category

Microsoft Entra Sign-ins (audit module):
  • Error Code
  • Failure Reason
  • Location

Microsoft Entra Risky Sign-ins (audit module):
  • RiskEventStatus
  • RiskEventId
  • RiskEventType
  • RiskLevel
  • RiskEventDateTime
  • PreviousCity (impossible travel risk events only)
  • PreviousState (impossible travel risk events only)
  • PreviousCountry (impossible travel risk events only)
  • PreviousSignInDateTime (impossible travel risk events only)
  • PreviousIpAddress (impossible travel risk events only)
  • PreviousLocation (impossible travel risk events only)
  • RiskEventDetails
  • MalwareName
  • isAtypicalLocation

Working with Microsoft Entra events with multiple targets

To help filter searches and fine-tune the results, each of the following Microsoft Entra group membership, group ownership, and role membership activities has been split into two events, so that one event is reported for each side of the change: one with the group or role as the target and the user as the subject, and one with the user as the target and the group or role as the subject.

| Group membership event | Target | Subject |
| --- | --- | --- |
| Add member to group | Group being modified | User or group added to a group |
| Add group membership | User or group added to a group | Group being modified |
| Remove member from group | Group from which a user or group is removed | User or group being removed from a group |
| Remove group membership | User or group being removed from a group | Group from which the user or group is removed |
| Add owner to group | Group that is modified | User added as group owner |
| Group ownership assigned | User added as group owner | Group that is modified |
| Remove owner from group | Group that is modified as a result of a removed owner | User removed as group owner |
| Group ownership removed | User removed as group owner | Group that is modified as a result of a removed owner |

| Role event | Target | Subject |
| --- | --- | --- |
| Add member to role | Role to which a user is added | User added to the role |
| Role assignment added | User added to a role | Role to which a user is added |
| Remove member from role | Role from which a user is removed | User removed from a role |
| Role assignment removed | User removed from a role | Role from which a user is removed |
| Add eligible member to role | Role to which a user is added | User added to a role |
| Role assignment added to eligible member | User added to a role | Role to which a user is added |

Additional filters

You can, for example, create a search for all group membership events and see distinct events for both the group you are adding a user to and the user you are adding to the group. Filtering your searches on the target lets you pinpoint activity by specific users as well as changes to critical groups and roles. See Appendix - Available Audit Search Columns and Filters for a complete list of available filters.
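The following added example (not Security Guardian's own code) models the target/subject split shown in the two tables above and the target-based filtering just described. The record layout, field names and sample data are constructed simplifications, not the product's or Microsoft's actual schema.

```python
"""Split a multi-target Microsoft Entra group/role event into the two
target/subject events described above, then filter them by target.
Added example; the record layout below is a constructed simplification,
not the product's or Microsoft Graph's actual schema."""

# Each activity as reported with the group or role as Target, mapped to its
# counterpart reported with the user as Target (pairs from the tables above).
COUNTERPART = {
    "Add member to group": "Add group membership",
    "Remove member from group": "Remove group membership",
    "Add owner to group": "Group ownership assigned",
    "Remove owner from group": "Group ownership removed",
    "Add member to role": "Role assignment added",
    "Remove member from role": "Role assignment removed",
    "Add eligible member to role": "Role assignment added to eligible member",
}


def split_event(record):
    """Return two events for one raw record: one where the container (group
    or role) is the Target and the user is the Subject, and one with the two
    swapped, so a search can filter on either side of the change."""
    activity = record["activity"]
    if activity not in COUNTERPART:
        return [dict(record)]  # single-target event: report unchanged
    container, principal = record["container"], record["principal"]
    base = {k: v for k, v in record.items() if k not in ("container", "principal")}
    return [
        {**base, "activity": activity, "target": container, "subject": principal},
        {**base, "activity": COUNTERPART[activity], "target": principal, "subject": container},
    ]


def events_for_target(records, target):
    """Flatten the split events and keep those whose Target matches, e.g. every
    change to one critical group regardless of which user was added or removed."""
    return [e for r in records for e in split_event(r) if e.get("target") == target]


# Constructed sample records (not real tenant data).
SAMPLE = [
    {"time": "2024-01-01T10:00:00Z", "activity": "Add member to group",
     "actor": "admin@example.com", "container": "Group: Privileged Admins",
     "principal": "User: alice@example.com"},
    {"time": "2024-01-01T10:05:00Z", "activity": "Add member to role",
     "actor": "admin@example.com", "container": "Role: Global Administrator",
     "principal": "User: alice@example.com"},
    {"time": "2024-01-01T10:07:00Z", "activity": "Update user",
     "actor": "admin@example.com", "target": "User: bob@example.com"},
]
```

Filtering on the user as target returns every group and role change that affected that account; filtering on the group as target returns every membership change to that group, whoever was added.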

Auditing risk events

Audit captures both the risk event as well as when an administrator takes action on the detected risk.

IMPORTANT: To capture and view this information, ensure that you have enabled auditing of the Microsoft Entra - Audit Logs module.

The following events are listed in the Microsoft Entra risk event activity:

  • "New risk event detected", when the Microsoft Entra Identity Protection portal creates a new risk event.
  • "Admin dismisses risk event", "Admin reactivates risk", and "Admin resolves risk", when the Microsoft audit log creates an event for an administrator's action on the risk.

Auditing Microsoft 365

Audit captures activity for Exchange Online, OneDrive for Business, Teams, and SharePoint Online that corresponds to the events in the Microsoft 365 Security & Compliance Center unified audit log.

You can easily track and identify important activities such as:

  • When Exchange Online mailboxes are created, deleted, and accessed.
  • Permission changes to see which users are granted access to a mailbox.
  • Mailbox activity by a non-owner, such as messages sent, read, or deleted and folders deleted.
  • Mailbox activity by owner for sensitive and high value mailboxes.
  • When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
  • Teams user and administrator activity, such as when teams (and their associated settings, members, and applications) are created, updated, or removed, and when users sign in.

For details on running the searches and creating custom searches based on the built-in searches, see:
