On Demand Audit Current - Release Notes

Quest® Quest On Demand Audit

Release Notes

Last Updated September 2021

These release notes provide information about the Quest On Demand Audit release.

About this module

On Demand Audit provides extensive auditing of critical activities and detailed reports about vital changes taking place in Microsoft Office 365 Exchange Online, SharePoint Online, and OneDrive for Business. Staying continually informed helps you prove compliance, drive security, and improve uptime while proactively auditing changes to configurations and permissions.

Integration with Change Auditor provides a single view of activity across hybrid Microsoft environments and turns on-premises events into rich visualizations to investigate incidents faster. Events sent to On Demand Audit include historical events gathered up to 30 days prior to upgrade to Change Auditor 7.0.0 (or higher).

On Demand Audit audits:

  • When Exchange Online mailboxes are created, deleted, and accessed.
  • Permission changes to see which users are granted access to a mailbox.
  • Mailbox activity by non-owners, such as messages sent, read, or deleted, and folders deleted.
  • Mailbox activity by owner for sensitive and high value mailboxes.
  • When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
  • When user and group attributes are changed.
  • When users and groups are added to and removed from the directory.
  • Successful and failed logins. 
  • Suspicious sign-in activity.
  • Teams user and administrator activity.

New features

New features in On Demand Audit:

  • Anomaly detection added to the Critical Activity page to help identify unusual spikes in activity that may indicate a threat to your organization. This includes a visualization that details baselines, anomalies, and total values for the following activity:
    • Unusual increase in AD account lockouts
    • Unusual increase in failed AD changes
    • Unusual increase in permission changes to AD objects
    • Unusual increase in tenant sign-in failures
    • Unusual increase in successful tenant sign-ins
    • Unusual increase in files shared from OneDrive and SharePoint
    • Unusual increase in Office 365 activity by guest users
    • Unusual increase in Office 365 activity by anonymous users
    • Unusual increase in Teams guest participants
  • Anomaly Activity search category that includes the following built in searches:
    • Unusual increase in tenant sign-in failure events in the past 30 days
    • Unusual increase in AD account lockout events in the past 30 days
    • Unusual increase in successful tenant sign-in events in the past 30 days
    • Unusual increase in failed AD change events in the past 30 days
    • Unusual increase in permission changes to AD object events in the past 30 days
    • Unusual increase in files shared from OneDrive and SharePoint events in the past 30 days
    • Unusual increase in Office 365 activity by guest user events in the past 30 days
    • Unusual increase in Office 365 activity by anonymous user events in the past 30
    • Unusual increase in Teams guest participant events in the past 30 days
    • All anomaly detected events in past 30 days

  • Ability to audit Change Auditor installation setting changes (Change Auditor Installation is paused, Change Auditor Installation is resumed, Change Auditor Installation was removed).
  • Additional search filter: Installation Name.
  • Critical Activity page that displays a full list of security-related activity that may be a threat to your organization. This includes tailored visualizations and metrics to provide more context about the activity and related search and a high-level overview of the item.
  • An alert plan cannot be removed until all alerts linked to it are removed or reassigned.
  • Ability to audit Azure AD successful application consent events in the past 30 days.
  • Updated dashboard that provides the following information:
    • Indicators that allow you to quickly see if there has been a change in risky activity over a specific period of time.
    • My Favorite Searches that displays your selected top 5 searches.
    • Critical Activity that highlights security-related activity that may pose a threat to your organization and require further investigation.
    • Top Active Users in the last 24 hours with each service represented by a different color bar.
    • On-premises and Azure Active Directory sign-in trends over the last 7 days.
  • Ability to see at a glance all the alerts assigned to a particular alert plan.
  • Ability to audit AD inheritance settings changed events in the past 30 days.
  • Ability to audit irregular domain replication activity:
    • Irregular AD replication activity detected alert added to the critical activity tile on the dashboard.
    • AD Irregular domain replication detected events in the past 30 days built in search.
  • Active Directory Federation Service enhancements:
    • AD FS All claims provider trust events in the past 30 days built-in search.
    • AD FS All endpoint events in the past 30 days built in search.
    • AD FS All relying party trust events in the past 30 days built in search.
    • AD FS All authentication method changes in the past 30 days
    • AD FS All server farm events in the past 30 days
    • AD FS Authentication method registered and unregistered events in the past 30 days
    • Active Directory Federation Services sign-ins built in searches.
    • Active Directory Federation Services search category for sign-ins and configuration changes made through Active Directory Federation Services.
  • Additional search filters: RelyingPartyTrustName, RelyingPartyType, RelyingPartyResource, AuthenticationMethod, AccessControlPolicy, AutoUpdateFromFederationMetadata, BrowserAuthenticationURL, Enabled, Identifiers, MonitorFederationMetadata, Alert Rule Name, Alert Rule Type, Search Type, Alert Plan Name, Alert Plan Type, Creator, Category Name, Category Type, Search Name, Search Type, Url Path, Server Farm Name, Server Farm Node Name, Max Behavior Level, Server Farm Node Type.
  • Additional On Demand Audit built in searches:
    • All On Demand Audit configuration events in the past 30 days
    • On Demand Audit alert plan management events in the past 30 days
    • On Demand Audit alert rule management events in the past 30 days
    • On Demand Audit all shared search and shared category events in the past 30 days
  • Additional internal events are gathered:
    • Alert Plan Created
    • Alert Plan Renamed
    • Alert Rule Created
    • Alert Rule Enabled
    • Alert Rule Disabled
    • Backing Search for Alert Rule Renamed
    • Backing Search for Alert Rule Updated
    • Alert Plan Added to Alert Rule
    • Alert Plan Removed from Alert Rule
    • Search Created
    • Search Deleted
    • Search Renamed
    • Search Updated
    • Search Category Changed
    • Search Ran
    • Category Created
    • Category Deleted
    • Category Renamed

  • Addition of an information icon that allows you to see when shared searches, alerts, and alert plans were created, last saved, and by whom.
  • Ability to create private and shared categories for searches.
  • Ability to create alerts for both private and shared searches.
  • Ability to create both private and shared alert plans.
  • Updated and new access roles for private and shared searches and alert plans.
  • All Private Searches category.
  • Updated workflow for saving searches. By default, new searches are created in the category selected when clicking New Search.
  • MailItemsAccessed events gathered when the Exchange Online - Mailbox Activity service is configured for auditing. The event and its details (Operation Count and the Folder Item found under Source Folders) provide an auditing trail to help understand which emails may have been compromised during a security breach. Note: A Microsoft 365 E5 license is required to audit this activity.
  • Ability to export search results to a csv or csv.zip file.
  • Can Export Search Results permission for Audit Administrators and Audit Operators.
  • Ability to audit Teams user and administrator activity such as when teams (and associated settings, members, and applications) are created, updated, removed and when users sign in.
  • New Teams searches:
    • Teams app events in the past 7 days
    • Teams bot events in the past 7 days
    • Teams channel events in the past 7 days
    • Teams client configuration changes in the past 30 days
    • Teams connector events in the past 7 days
    • Teams events in the past 7 days
    • Teams guest access configuration changes in the past 30 days
    • Teams guest access enabled or disabled in the past 30 days
    • Teams guest members added in the past 7 days
    • Teams member role changes in the past 7 days
    • Teams member changes in the past 7 days
    • Teams notification and feeds policy changes in the past 30 days
    • Teams organization setting changes in the past 30 days
    • Teams tab events in the past 7 days
    • Teams targeting policy changes in the past 30 days
    • Teams team created events in the past 30 days
    • Teams team deleted events in the past 30 days
    • Teams team setting changes in the past 7 days
    • Teams user sign-in events in the past 7 days

  • Additional search columns and filters available for Teams auditing: Add On GUID, Add on Name, Add on Type, Cmdlet Name, Team GUID, Team Name, Team Property Name, Team Role
  • Australia, Canada, and UK regions available to host your On Demand Audit data.
  • Additional search columns and filters available for logon activity: Logon Activity all excessive Kerberos ticket lifetime events in the past 30 days, Logon Activity all NTLM authentication failures in the past 24 hours, Logon Activity all NTLM authentications in the past 24 hours, Logon Activity all NTLM version 1 logons in the past 7 days.
  • Additional logon activity searches:
    • Logon Activity all excessive Kerberos ticket lifetime events in the past 30 days
    • Logon Activity all NTLM authentication failures in the past 24 hours
    • Logon Activity all NTLM authentications in the past 24 hours
    • Logon Activity all NTLM version 1 logons in the past 7 days
  • Ability to audit logon activity.
  • Additional search columns and filters available for risk events: Activity Time, Detection Timing, Request Id, Risk Activity, Risk Detected Time, Risk State, Risk Type, Risk Correlation Id, Risk Detail, Risk Source, Token Issuer, Previous User Agent.
  • Property After Value, Property Before Value, and Property Name available in the search details for Azure Active Directory, Active Directory, and Group Policy searches.
  • Property After Value, Property Before Value, and Property Name filters available for Azure Active Directory, Active Directory, and Group Policy searches.
  • Permission enforcement using additional Audit Operator role to help you manage your security and compliance auditing.

 

Release History

Current release

2021/9/14

Enhancements
Enhancement ID

Anomaly detection to help identify unusual spikes in activity that may indicate a threat to your organization. This includes a visualization that details baselines, anomalies, and total values for the following activity:

  • Unusual increase in AD account lockouts
  • Unusual increase in failed AD changes
  • Unusual increase in permission changes to AD objects
  • Unusual increase in tenant sign-in failures
  • Unusual increase in successful tenant sign-ins
  • Unusual increase in files shared from OneDrive and SharePoint
  • Unusual increase in Office 365 activity by guest users
  • Unusual increase in Office 365 activity by anonymous users
  • Unusual increase in Teams guest participants
261904

Additional built in searches under the Anomaly Activity category: 

  • Unusual increase in tenant sign-in failure events in the past 30 days
  • Unusual increase in AD account lockout events in the past 30 days
  • Unusual increase in successful tenant sign-in events in the past 30 days
  • Unusual increase in failed AD change events in the past 30 days
  • Unusual increase in permission changes to AD object events in the past 30 days
  • Unusual increase in files shared from OneDrive and SharePoint events in the past 30 days
  • Unusual increase in Office 365 activity by guest user events in the past 30 days
  • Unusual increase in Office 365 activity by anonymous user events in the past 30
  • Unusual increase in Teams guest participant events in the past 30 days
  • All anomaly detected events in past 30 days
280820

Previous releases

2021/8/31

Enhancements
Enhancement ID

Ability to audit Change Auditor installation setting changes (Change Auditor Installation is paused, Change Auditor Installation is resumed, Change Auditor Installation was removed).

Additional search filter:

  • Installation Name
278719

2021/8/24

Enhancements
Enhancement ID
An alert plan cannot be removed until all alerts linked to it are removed or reassigned. 241156

2021/8/10

Enhancements
Enhancement ID
Full page critical activity pie chart flyout that displays information by percentage of user, target, or activity. 257083
Ability to hide, unhide and dismiss items in the critical activity page. 257084
Filtering support for critical activity item list. 264660
AD all inheritance settings changed events in the past 30 days built in report. 256843

Irregular AD replication activity detected alert added to the critical activity tile on the dashboard.

AD Irregular domain replication detected events in the past 30 days built in search.

257279
Azure AD successful application consent events in the past 30 days built in report. 265009

2021/7/06

Enhancements
Enhancement ID
Ability to see the alerts associated with each alert plan. 262139

Audit health tile in the dashboard that allows you to see the status of your auditing configuration, identify any issues, and make the required updates to ensure you are keeping informed of the vital and critical changes to your organization.

253362
Manage Organization Private Alerts and Private Alert Plans role that allows users to view and control all private alerts and private alert plans organization-wide. 260250

2021/6/15

Enhancements
Enhancement ID
Ability to view the top active users in the last 24 hours in the dashboard. 246968

Active Directory irregular domain replication detected alert added to the critical activity tile on the dashboard.

AD all irregular domain replication detected events in the past 30 days built in search.

257279

Active Directory Federation Services server farm event auditing:

  • AD FS All server farm events in the past 30 days search.

  • Active Directory Federation Services - Server Farm added as a pre-defined value under activity category

  • Server Farm Name, Server Farm Node Name, Max Behavior Level, Server Farm Node Type added as a search filter.

256578

Active Directory Federation Services endpoint event auditing: 

  • AD FS All Endpoint events in the past 30 days search.
  • Active Directory Federation Services - Endpoints added as a pre-defined value under activity category.
  • Url Path added as a search filter.
238938

Active Directory Federation Services claims provider trust event auditing:

  • AD FS All claims provider trust events in the past 30 days built-in search.
  • Active Directory Federation Services - Claims Provider Trusts added as a pre-defined value under activity category.
248748

Active Directory Federation Services sign-ins built-in searches:

  • AD FS All Active Directory Federation Services sign-ins in the past 24 hours

  • AD FS All Failed Active Directory Federation Services sign-ins in the past 7 days

  • AD FS All Successful Active Directory Federation Services sign-ins in the past 24 hours

235518
  • Additional Active Directory Federation Services search category.
  • Additional search filters: RelyingPartyTrustName, RelyingPartyType, RelyingPartyResource, AuthenticationMethod, AccessControlPolicy, AutoUpdateFromFederationMetadata, BrowserAuthenticationURL, Enabled, Identifiers, and MonitorFederationMetadata.
  • AD FS All relying party trust events in the past 30 days built in search.

235517

235522

Active Directory Federation Services Authentication method event auditing:

  • AD FS All authentication method changes in the past 30 days search.
  • AD FS Authentication method registered and unregistered events in the past 30 days search.
  • Activity Category = Active Directory Federation Services - Authentication Methods added as a search filter.
235521

2021/6/01

Enhancements
Enhancement ID
Dashboard indicators that allow you to quickly see if there has been a change in risky activity over a specific period of time. 245512

2021/5/11

Enhancements
Enhancement ID
All On Demand Audit configuration changes in the past 30 days built in search and Audit Configuration added as an available Activity Category value. 253358
Ability to view sign-in trends on the dashboard. 245863
Ability to view critical activity on the dashboard. 247766
Ability to view favorite searches on the dashboard. 238722

 

2021/2/23

Enhancements
Enhancement ID
Search and category management internal events, search filters, and built in search. 229658

2021/2/16

Enhancements
Enhancement ID
Alert plan management internal events, search filters, and built in search. 226736
Alert rule management internal events, search filters, and built in search. 226733

2021/1/26

Enhancements
Enhancement ID
Addition of an information icon that allows you to see when shared searches, alerts, and alert plans were created, last saved, and by whom. 234730

2021/1/5

Enhancements
Enhancement ID
Ability to create private and shared categories for searches. 214658
Ability to create both private and shared searches. 214859
Ability to create alerts for both private and shared searches. 215122
Ability to create both private and shared alert plans. 214669
Updated and new access roles for private and shared searches and alert plans. 215128

 

2020/12/08

Enhancements
Enhancement ID

All Private Searches category that lists all private searches.

214642
Ability to enable private alerts for searches. 215122

2020/10/20

Enhancements
Enhancement ID

Updated workflow when saving searches. By default, new searches are created in the category selected when clicking New Search.

214640

2020/10/09

Enhancements
Enhancement ID

Ability to export searches to a csv or csv.zip file

203805
Can Export Search Results permission available for Audit Administrators and Audit Operator roles. 198485

2020/10/05

Enhancements
Enhancement ID

Ability to see MailItemsAccessed events when monitoring of the Exchange Online - Mailbox Activity service is enabled. The event details include Operation Count and the Folder Item (under Source Folders) information.

Note: A Microsoft 365 E5 license is required to audit this activity.

213364

2020/07/21

Enhancements
Enhancement ID

Ability to audit Teams user and administrator activity and access Teams built in searches.

206295

2020/06/23

Enhancements
Enhancement ID

Australia, Canada, and UK regions available to host your On Demand Audit data.

199987

2020/06/02

Enhancements
Enhancement ID

Additional logon activity searches:

  • Logon Activity all excessive Kerberos ticket lifetime events in the past 30 days
  • Logon Activity all NTLM authentication failures in the past 24 hours
  • Logon Activity all NTLM authentications in the past 24 hours
  • Logon Activity all NTLM version 1 logons in the past 7 days
192548

Additional filters (and values) for logon activity searches:

  • Authentication Protocol (NTLM)
  • Authentication Protocol Version (V1, V2)
  • NTLM Impersonation Level (Default, Anonymous, Identify, Impersonate, Delegate)
  • NTLM Key Length
  • Kerberos Ticket Lifetime (Hours)
193574

 

Previous release

2020/05/12

Enhancements
Enhancement ID

Additional search columns and filters available for risk events:

  • Activity Time
  • Detection Timing
  • Request Id
  • Risk Activity
  • Risk Detected Time
  • Risk State
  • Risk Type
  • Risk Correlation Id
  • Risk Detail
  • Risk Source
  • Token Issuer
  • Previous User Agent.

188576

 

188295

 

 

Logon activity searches:

  • Logon Activity all authentication activity in the past 7 days
  • Logon Activity all failed logon activity in the past 7 days
  • Logon Activity all interactive logon activity in the past 24 hours
  • Logon Activity all Kerberos authentication activity in the past 24 hours
  • Logon Activity all logon activity in the past 24 hours
  • Logon Activity all logon session activity in the past 24 hours
  • Logon Activity all remote logon activity in the past 24 hours
193004

2020/04/21

Enhancements
Enhancement ID
Azure Active Directory, Active Directory, and Group Policy search summary displays the Property After Value, Property Before Value, and Property Name.

186138

191584

 

Property After Value, Property Before Value, and Property Name filters added for Azure Active Directory, Active Directory, and Group Policy searches.

190047

2020/04/14

Enhancements
Enhancement ID
Permission enforcement with additional Audit Operator role that allows users to manage searches and create alerts. 176138
Historical event collection is limited when using a trial license. 185662

2019/11/26

Enhancements
Enhancement ID

Ability to assign multiple alert plans to searches providing increased flexibility on alert notifications within your organization.

173062

Incident response management

Quest Operations and Quest Support have procedures in place to monitor the health of the system and ensure any degradation of the service is promptly identified and resolved. On Demand relies on Azure and AWS infrastructure and, as such, is subject to the possible disruption of these services. You can view the following status pages:
