Chat now with support
Chat mit Support

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and alert plans Auditing Azure Active Directory Auditing Office 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Configuring tenant auditing

You need to configure tenant auditing by selecting the services to audit. You can select to audit:

  • All service
  • Audit Azure Active Directory - Audit Logs
  • Azure Active Directory - Sign-ins. (Azure Active Directory - Sign-ins includes risk events.)
  • Exchange Online - Administrative activity
  • Exchange Online - Mailbox activity
  • OneDrive for Business
  • SharePoint Online
  • Teams

Once selected, the Audit homepage card displays the audited services with the number of events in the last hour.

NOTE: You may need to turn on Microsoft 365 audit logging. For more information, see Microsoft documentation.

NOTE: You need to enable auditing of Office 365 mailboxes to audit Exchange Online. For more information, see Microsoft documentation.

NOTE: You can audit multiple tenants, and each can have a distinct auditing configuration.

If a tenant is added to multiple On Demand organizations, the tenant auditing configuration is unique for each organization and events are collected and stored for each organization.

To configure auditing

  1. Log in to On Demand, and select Audit module.

  2. Open the Configuration tab.

  3. Select the services to audit for your tenant.

  4. Click Save.

The configuration is added to Azure and events will be collected for the selected services. The configuration is checked every 5 minutes to see which activities to add to the database.
 

NOTE: If a service is disabled or consent is revoked, events collection stops. If auditing is re-enabled, events are collected from the last collected event (or last available event).

 

 

Historical event collection

Historical event collection is dependent on the type of license that you are using:

NOTE: If you are currently auditing Office 365 services, any additional Office 365 service added at a later date will not have historical events gathered.

  • For a trial license Azure Active Directory, Office 365, and Change Auditor historical event collection is restricted to the 24 hours before the service is added.
  • When you change to a paid subscription, historical event collection is based on when the Office 365 and Azure Active Directory service is first enabled or the Change Auditor integration is configured.
    • Historical events are not collected for services that were enabled during a trial subscription.
    • Historical events are collected for services that were not enabled during the trial subscription period.
    • If you disable a service during a trial period, change to a paid subscription, and enable the service again historical events will not be collected

See the following table for historical event collection details:

Service Changing from a trial license to a paid subscription

Office 365

  • Exchange Admin activity
  • Mailbox activity
  • Sharepoint Online
  • OneDrive for Business
  • Teams

For services that were not enabled with a trial license, historical events are collected for past 7 days.

Azure Active Directory

  • Audit Logs
  • Sign-ins (and risk events)

For services that were not enabled with a trial license, historical events are collected for either 7 or 30 past days, depending on the Azure Active Directory report retention policies.

Change Auditor

  • Active Directory
  • Group Policy
  • Logon Activity
  • File System Activity

For services that were not enabled with a trial license, historical events are collected up to 30 days prior to upgrade to Change Auditor 7.0.0 (or higher).

Adding a user to an organization

If you are the On Demand administrator or the owner of the On Demand Audit subscription, you can add users to an existing organization so they can access the audit data. If you are not the subscription owner or administrator, contact your On Demand administrator for access.

When you add a user to an organization, you also assign one or more roles. The role assignment determines what permission level a user has and ultimately, what tasks the user can perform. Assigning roles and setting user permissions is referred to as access control. See On Demand Audit Access Control roles.

To add a user to an organization

  1. Log in to On Demand, and select the required organization.
  2. Select Access Control | Users.
  3. Under User Name, enter the user's email address.
  4. Under Assigned Role, select the required role.
  5. Click Add User.

On Demand Audit Access Control roles

Each access control role has a specific set of permissions that determines what tasks a user assigned to the role can perform . Your Quest On Demand organization comes configured with a number of default roles. The default role permissions settings cannot be changed, but you can create custom roles with specific permission settings to align with your company policies. For more information, see Adding users to an organization in the On Demand Global Settings User Guide.

The following default roles are available to help you manage your security and compliance auditing with On Demand Audit:

  • Audit Administrator role allows full access to On Demand Audit.
  • Audit Operator role allows users to manage searches and create alerts.
Role Permission Details
On Demand Administrator (Audit)
  • Can Manage Azure AD Tenant Configurations for Audit (View and modify the Office 365 and Azure Active Directory tenant configuration for On Demand Audit.)
  • Can Manage Change Auditor Installation Configuration (View and modify the configuration for Change Auditor installations that are connected to the organization. This includes adding and removing installations in the organization.)

  • Can Manage Organization Private Alerts and Private Alert Plans (Can view and control all private alerts and private alert plans organization-wide.)

  • Can manage private alerts and alert plans (Can view and define their own private alerts and alert plans.)

    Can manage shared alerts and shared alert plans (Can view and define their own shared alerts and alert plans.)

  • Can manage private searches ( Create and modify private searches and manage search categories.)
  • Can manage shared alerts and shared alert plans (Can view and define their own shared alerts and alert plans.)
  • Can manage shared searches (Can create and modify shared searches.)
  • Can run private searches (Run and preview searches.)
  • Can run quick search searches (Run quick searches against all data.)
  • Can run shared searches (Run and preview shared searches.)
  • Can view dashboard (View the shared dashboard for the organization.)
  • Can view event details (Allows the viewing of all event details.)
  • Can view event retention settings (View the settings for event retention.)
  • Can view shared searches (View the list of shared searches including the definition.)
Audit Administrator
  • Can Manage Azure AD Tenant Configurations for Audit (View and modify the Office 365 and Azure Active Directory tenant configuration for On Demand Audit.)
  • Can Manage Change Auditor Installation Configuration (View and modify the configuration for Change Auditor installations that are connected to the organization. This includes adding and removing installations in the organization.)
  • Can manage private alerts and alert plans (Can view and define their own private alerts and alert plans.)
  • Can manage private searches ( Create and modify private searches and manage search categories.)
  • Can manage shared alerts and shared alert plans (Can view and define their own shared alerts and alert plans.)
  • Can manage shared searches (Can create and modify shared searches.)
  • Can export search results (Can export search results to a csv or csv.zip file.)
  • Can run private searches (Run and preview searches.)
  • Can run shared searches (Run and preview shared searches.)
  • Can run quick search searches (Run quick searches against all data.)
  • Can view dashboard (View the shared dashboard for the organization.)
  • Can view event retention settings (View the settings for event retention.)
  • Can view shared searches (View the list of shared searches including the definition.)
  • Can view event details (Allows the viewing of all event details.)
Audit Operator
  • Can manage private alerts and alert plans (Can view and define their own private alerts and alert plans.)
  • Can export search results (Can export search results to a csv or csv.zip file.)
  • Can manage private searches ( Create and modify private searches and manage search categories.)
  • Can run private searches (Run and preview searches.)
  • Can run shared searches (Run and preview shared searches.)
  • Can view dashboard (View the shared dashboard for the organization.)
  • Can view event retention settings (View the settings for event retention.)
  • Can view shared searches (View the list of shared searches including the definition.)
  • Can run quick search searches (Run quick searches against all data.)
  • Can view event details (Allows the viewing of all event details.)
Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen