
Security Guardian Current - User Guide


Granting required consent

Before you can audit Microsoft 365 and Microsoft Entra activity and generate searches, On Demand must be granted consent to audit the organization and its tenants.

NOTE: The Audit configuration page displays the status of the consent for the tenant:

  • Need to grant admin consent - when consent is not granted.
  • Admin consent granted - when consent is granted.

To grant the required consent:

  1. Log in to On Demand, and select Tenants | Office 365 Tenants.

  2. Click Edit Consents on the tenant.

  3. In Audit | Basic, click the Grant Consent button. The Azure sign-in page opens. If you are signed in as the Global administrator for the tenant, you can grant consent to the On Demand Audit application.

  4. Read through the required permissions and select Accept.

  5. Once this is complete, Entra ID and Microsoft 365 events are audited and can be searched in Security | Audit.

Configuring tenant auditing

Configure tenant auditing by choosing the services you want to monitor. You can audit the following:

  • All services
  • Microsoft Entra - Audit Logs
  • Microsoft Entra - Sign-ins. (Microsoft Entra - Sign-ins includes risk events.)
  • Exchange Online - Administrative activity
  • Exchange Online - Mailbox activity
  • OneDrive for Business
  • SharePoint Online
  • Teams

Once selected, Audit displays the audited services with the number of events in the last hour.

NOTE: You may need to turn on Microsoft 365 audit logging. For more information, see Microsoft documentation.

NOTE: You need to enable auditing of Microsoft 365 mailboxes to audit Exchange Online. For more information, see Microsoft documentation.
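A read-only check for the two prerequisites in the notes above (unified audit logging turned on, mailbox auditing enabled), as an added example that is not part of the Quest guide. It assumes the ExchangeOnlineManagement module is installed and the signed-in account can read organization and mailbox settings.

```powershell
# Added example (not from the Quest guide): verify the Microsoft 365 audit
# prerequisites before enabling Exchange Online auditing in On Demand.
# Assumes the ExchangeOnlineManagement module is installed and the account
# can read organization and mailbox settings.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -ShowBanner:$false

# 1. Unified audit log ingestion must be on, otherwise Microsoft 365 activity
#    (Exchange, SharePoint, OneDrive, Teams) is never written to the audit log.
$adminCfg = Get-AdminAuditLogConfig
if (-not $adminCfg.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF. Enable it with:"
    Write-Warning "  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
} else {
    Write-Host "Unified audit logging: enabled"
}

# 2. Mailbox auditing. The organization-level default is on when AuditDisabled
#    is $false; individual mailboxes can still be opted out.
$orgCfg = Get-OrganizationConfig
if ($orgCfg.AuditDisabled) {
    Write-Warning "Mailbox auditing is disabled organization-wide. Re-enable with:"
    Write-Warning "  Set-OrganizationConfig -AuditDisabled `$false"
} else {
    Write-Host "Mailbox auditing (organization default): enabled"
}

# Mailboxes that have been explicitly opted out (AuditEnabled = false) produce
# no mailbox activity events; list them so they can be reviewed.
$unaudited = Get-EXOMailbox -ResultSize Unlimited -Properties AuditEnabled |
    Where-Object { -not $_.AuditEnabled } |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails

if ($unaudited) {
    Write-Warning ("{0} mailbox(es) have AuditEnabled = false:" -f @($unaudited).Count)
    $unaudited | Format-Table -AutoSize
} else {
    Write-Host "All mailboxes have AuditEnabled = true"
}

Disconnect-ExchangeOnline -Confirm:$false
```

The script only reports; the Set-* commands it prints are the standard Exchange Online cmdlets for turning each setting on and are left for you to run deliberately.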

NOTE: You can audit multiple tenants, and each can have a distinct auditing configuration.

If a tenant is added to multiple On Demand organizations, the tenant auditing configuration is unique for each organization and events are collected and stored for each organization.

To configure auditing

  1. Log in to On Demand, and select Security | Audit.

  2. Open the Configuration tab.

  3. Select the services to audit for your tenant.

  4. Click Save.

The configuration is added to Azure and events are collected for the selected services. The configuration is checked every 5 minutes to determine which activities to add to the database.

NOTE: If a service is disabled or consent is revoked, event collection stops. If auditing is re-enabled, events are collected from the last collected event (or the last available event).

Historical event collection

Historical event collection is dependent on the type of license that you are using:

NOTE: If you are currently auditing Microsoft 365 services, any additional service added at a later date will not have historical events gathered.

  • For a trial license, Microsoft Entra, Microsoft 365, and Change Auditor historical event collection is restricted to the 24 hours before the service is added.
  • When you change to a paid subscription, historical event collection is based on when the Microsoft 365 and Microsoft Entra service is first enabled or the Change Auditor integration is configured.
    • Historical events are not collected for services that were enabled during a trial subscription.
    • Historical events are collected for services that were not enabled during the trial subscription period.
    • If you disable a service during a trial period, change to a paid subscription, and enable the service again, historical events will not be collected.

See the following table for historical event collection details:

Service / Changing from a trial license to a paid subscription

Microsoft 365

  • Exchange Admin activity
  • Mailbox activity
  • SharePoint Online
  • OneDrive for Business
  • Teams

For services that were not enabled with a trial license, historical events are collected for the past 7 days.

Microsoft Entra

  • Audit Logs
  • Sign-ins (and risk events)

For services that were not enabled with a trial license, historical events are collected for the past 7 or 30 days, depending on the Microsoft Entra report retention policies.

Change Auditor

  • Active Directory
  • Group Policy
  • Logon Activity
  • File System Activity

For services that were not enabled with a trial license, all historical events are collected. Any events collected prior to Change Auditor 7.0.0 will not be included.

Change Auditor Integration

Integrating with Change Auditor provides a single view of activity across hybrid Microsoft environments and turns on-premises events into rich visualizations so you can investigate incidents faster. Events sent to On Demand include all events gathered in Change Auditor. (Any events collected prior to Change Auditor 7.0.0 will not be included.)

Availability of historical events is dependent on how long Change Auditor has been deployed in the environment.

To begin the integration, a connection between Change Auditor and your organization in On Demand is configured in Change Auditor. Once the connection is made, Change Auditor will begin to send events.
