Quest® Quest On Demand Audit
Quest® Quest On Demand Audit
Release Notes
February, 28 2024
These release notes provide information about Quest On Demand Audit deployments.
On Demand Audit provides extensive auditing of critical activities and detailed reports about vital changes taking place in Microsoft Office 365 Exchange Online, SharePoint Online, and OneDrive for Business. Continually being in-the-know helps you to prove compliance, drive security, and improve up time while proactively auditing changes to configurations and permissions.
Integrating with Change Auditor, provides a single view of activity across hybrid Microsoft environments and turns on-premise events into rich visualizations to investigate incidents faster. Events sent to On Demand Audit include historical events gathered up to 30 days prior to upgrade to Change Auditor 7.0.0 (or higher).
On Demand Audit audits:
- When Exchange Online mailboxes are created, deleted, and accessed.
- Permission changes to see which users are granted access to a mailbox.
- Mailbox activity by non-owner such as messages sent, read, deleted, and folders deleted
- Mailbox activity by owner for sensitive and high value mailboxes.
- When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
- When user and group attributes are changed.
- When users and groups are added to and removed from the directory.
- Successful and failed logins.
- Suspicious sign-in activity.
- Teams user and administrator activity.
New features in this deployment:
Security Guardian built in search category with the following searches:
-
All Security Guardian events in the past 24 hours
-
All Security Guardian events in the past 7 days
-
SG Indicators of Compromise in the past 30 days
-
SG Indicators of Exposure in the past 30 days
-
SG Tier Zero objects added in the past 30 days
-
SG Tier Zero objects removed in the past 30 days
-
SG Tier Zero objects certified in the past 30 days
-
SG all indicators muted and unmuted in the past 30 days
-
SG all objects muted and unmuted in the past 30 days
-
SG all Tier Zero objects protected in the past 30 days
-
SG all AD DB objects protected in the past 30 days
The following lists the new features and resolved issues by deployment.
Current Deployment
February 29, 2024
| Enhancement |
ID |
| Security Guardian built in searches. |
447542 |
|
BloodHound Enterprise alert plan renamed to Tier Zero alert plan. |
472122 |
Previous Deployments
January 24, 2023
| Enhancement |
ID |
|
Visualization added to the layout when an anomaly detection data point is selected in the critical activity tile. |
386638 |
October 18, 2022
| Enhancement |
ID |
|
The following audit health issues 'Hide' action has been changed to 'Dismiss':
-
No connection in last 24 hours by Change Auditor installation
-
No Office 365 events in last 24 hours
-
No Azure AD events in last 24 hours
-
No Azure AD - Sign-in events in last 24 hours
-
No Change Auditor events in last 24 hours
-
No connection in last 24 hours by Change Auditor
-
SpecterOps BloodHound Enterprise connection failed |
375121 |
October 4, 2022
| Enhancement |
ID |
|
Ability to monitor when a Kerberos service ticket was created with unsafe encryption:
-
"Logon Activity all Kerberos service tickets created with unsafe encryption type in the past 30 days" built in search.
-
Kerberos service ticket created with unsafe encryption type identified as critical activity. |
382166 |
September 20,2022
| Enhancement |
ID |
| Ability to configure the integration with SpecterOps BloodHound Enterprise. |
372735 |
| Ability to remove a SpecterOps BloodHound Enterprise configuration. |
376219 |
| Ability to see the SpecterOps BloodHound Enterprise configuration status. |
364550 |
| Ability to monitor the SpecterOps BloodHound Enterprise integration through the dashboard's Audit Health tile. |
364551 |
| Ability to edit a SpecterOps BloodHound Enterprise configuration. |
364546 |
|
BloodHound Tier Zero assets search category.
Additional search filters:
-
User is Tier Zero
-
Target is Tier Zero
SpecterOps BloodHound Enterprise (BHE) built in searches:
-
All Azure Tier Zero AD risk events in the past 60 days
-
All Azure Tier Zero application changes in the past 60 days
-
All Azure Tier Zero group changes in the past 60 days
-
All Azure Tier Zero principal logons in the past 60 days
-
All Azure Tier Zero role changes in the past 60 days
-
All Azure Tier Zero service principal changes in the past 60 days
-
All Azure Tier Zero tenant level and directory activity in the past 60 days
-
All Azure Tier Zero user changes in the past 60 days
-
All Tier Zero computer changes in the past 60 days
-
All Tier Zero domain and forest configuration changes in the past 60 days
-
All Tier Zero group changes in the past 60 days
-
All Tier Zero group policy item and object changes in the past 60 days
-
All Tier Zero user changes in the past 60 days
-
Local logons to Tier Zero computers in the past 60 days
-
Security changes to Tier Zero domain objects in the past 60 days
-
Security changes to Tier Zero group policy objects in the past 60 days
-
Security changes to Tier Zero computer objects in the past 60 days
-
Security changes to Tier Zero group objects in the past 60 days
-
Security changes to Tier Zero user objects in the past 60 days
-
Tier Zero user logons to computers that are not Tier Zero in the past 60 days |
364558 |
| SpecterOps BloodHound Enterprise alert plan that includes all the BloodHound Tier Zero assets searches. |
374898 |
| Audit Health item was added to remind users to subscribe to the SpecterOps BloodHound Enterprise alert plan. |
378695 |
|
Once the configuration has been added, you can select the three vertical dots in the upper right-corner to refresh the configuration immediately, to edit the alert plan, or to read more about the benefits of integrating with SpecterOps BloodHound Enterprise. |
381418
372936
370832 |
|
SpecterOps BloodHound Enterprise activity added to the Critical Activity tile:
- Azure Tier Zero AD risk events
-
Azure Tier Zero application changes
-
Azure Tier Zero group changes
-
Azure Tier Zero principal logons
-
Azure Tier Zero role changes
-
Azure Tier Zero service principal changes
-
Azure Tier Zero tenant level and directory activity
-
Azure Tier Zero user changes
-
Local logons to Tier Zero computers
-
Security changes to Tier Zero computer objects
-
Security changes to Tier Zero domain objects
-
Security changes to Tier Zero group objects
-
Security changes to Tier Zero group policy objects
-
Security changes to Tier Zero user objects
-
Tier Zero computer changes
-
Tier Zero domain and forest configuration changes
-
Tier Zero group changes
-
Tier Zero group policy object changes
-
Tier Zero user changes
-
Tier Zero user logons to computers that are not Tier Zero |
374896 |
July 29, 2022
| Enhancement |
ID |
| Change Auditor event names are displayed for Security Change Detail events. |
67331 |
| On premises file and folder attribute change events are split into attribute added and attribute removed events |
364277 |
|
Additional search filters:
- Target is Global Catalog
- Target is Exchange Server
|
364579 |
| Correlated Activity search filters provide the pre defined values of "Yes" and "No" |
368654 |
June 28, 2022
| Enhancement |
ID |
|
Ability to identify critical activity relating to Change Auditor File System events.
Additional built in searches:
- FS all file changes with suspicious file extensions in the past 30 days
-
Unusual increase in share access permission changes in the past 30 days
-
Unusual increase in failed file access attempts in the past 30 days
-
Unusual increase in file deletes in the past 30 days
-
Unusual increase in file renames in the past 30 days |
363604 |
| Ability to see File System Logon Id detail for Windows file system events. |
360573 |
| File System built in searches for Windows, EMC, and NetApp events. |
359522 |
| NetApp and EMC folder and file "Permission changed" and "Inherited permissions changed" events are now displayed as a single "Permissions Updated" event. |
358345 |
| File retention of 30 days for all File System events. |
177922 |
|
Ability to identify critical activity relating to on-premses and Active Directory Federation Services sign ins.
Additional built in searches:
-
Unusual increase in successful on-premises sign-ins in the past 30 days
-
Unusual increase in failed on-premises sign-ins in the past 30 days
-
Unusual increase in successful AD Federation Services sign-ins in the past 30 days
-
Unusual increase in failed AD Federation Services sign-ins in the past 30 days |
365728 |
June 14, 2022
| Enhancement |
ID |
| Identify critical activity relating to Active Directory Database access. |
362643 |
| Ability to audit Active Directory Database events to monitor the Active Directory database (NTDS.dit) file for possible unauthorized access attempts. This includes a new built in search (AD DB all events in the past 7 days) and the ability to filter searches on the Active Directory Database service. |
362642 |
June 7, 2022
| Enhancement |
ID |
| The Apply button on the Edit Layout flyout has been updated to Preview to reflect the actual function. |
350662 |
| File System added to the Top Active Users on the dashboard. |
361676 |
May 12, 2022
| Enhancement |
ID |
| Support for GCC tenants for organizations in the US region. |
350974 |
| Ability to select a donut chart for the search results visualization. |
320192 |
| Ability to select a bar chart for the search results visualization. |
328121 |
March 15, 2022
| Enhancement |
ID |
| Ability to audit adminCount attribute changed events. |
328327 |
|
Ability to audit all SIDHistory attribute changes and all high severity SIDHistory attribute changes. |
328325 |
| Administrative privilege elevation detected activity added to the critical activity tile on the dashboard. |
328328 |
| Potential SIDHistory injection detected activity added to the critical activity tile on the dashboard. |
328326 |
| Domain level group policy linked changes added to the critical activity tile on the dashboard. |
328320 |
| Irregular domain controller registration detected (DCShadow) activity added to the critical activity tile on the dashboard. |
328324 |
| Ability to audit AD irregular domain controller registration events. |
328323 |
| Legend added to the donut chart that displays critical activity. |
280484 |
| Ability to audit Group Policy domain level linked change. |
328322 |
| AD user ServicePrincipalName attribute changes detected event added to the Critical Activity dashboard. |
315396 |
| Provisioning status check. |
291656 |
| Provisioning status check for a Change Auditor integration. |
291657 |
February 1, 2022
| Enhancement |
ID |
| AD User ServicePrincipalName attribute changes in the past 30 days built in search |
315203 |
| Ability to select a time series chart for the search results visualization. |
318039 |
January 18, 2022
| Enhancement |
ID |
| Ability to subscribe to Anomaly Activity and Audit Health alert plans directly from the Audit Health tile in the dashboard. |
302112 |
| Ability to easily preview and customize the columns that display in generated reports. |
302838 |
Nov 23, 2021
| Enhancement |
ID |
|
Additional built in search under the Audit Health category:
- Change Auditor Installation activity changes in the past 30 days search
|
281274 |
|
Ability to audit when an Audit Hybrid Suite for Office 365 subscription and Audit Hybrid Suite for Active Directory subscription is going to expire through the “Service subscription expiring” event which is logged when subscription expires in 30, 60 and 90 days. |
282927 |
November 9, 2021
| Enhancement |
ID |
| Built in Audit Health and Anomaly Activity alerts plans and associated built in alerts for all searches within the Audit Health and Anomaly Activity categories. |
289369 |
October 12, 2021
| Enhancement |
ID |
| Ability to audit Change Auditor connection interrupted and Change Auditor connection resumed events. |
280847 |
|
Additional built in search under the Audit Health category: Change Auditor Installation upgrade events in the past 30 days.
Activities audited include:
- Change Auditor upgrade required
- Change Auditor upgrade available
|
281046 |
|
Anomaly detection to help identify unusual spikes in activity, that may indicate a threat to your organization. Including a visualization that details, baselines, anomalies, and total values for the following activity:
- Unusual increase in AD account lockouts
- Unusual increase in failed AD changes
- Unusual increase in permission changes to AD objects
- Unusual increase in tenant sign-in failures
- Unusual increase in successful tenant sign-ins
- Unusual increase in files shared from OneDrive and SharePoint
- Unusual increase in Office 365 activity by guest users
- Unusual increase in Office 365 activity by anonymous users
- Unusual increase in Teams guest participants
|
261904 |
September 28, 2021
| Enhancement |
ID |
|
Additional built in search under the Audit Health category:
- Service activity changes in the past 30 days
|
281276 |
|
Additional built in search under the Audit Health category: Subscription expiring events in the past 90 days
Additional search filters:
- Subscription Name
- Subscription Expiry Date
- Subscription Type
|
282926 |
September 14, 2021
| Enhancement |
ID |
|
Additional built in search under the Audit Health category:
- Change Auditor Installation setting changes in the past 30 days
- Service auditing enabled or disabled events in the past 30 days
|
278731 |
|
Additional built in searches under the Anomaly Activity category:
- Unusual increase in tenant sign-in failure events in the past 30 days
- Unusual increase in AD account lockout events in the past 30 days
- Unusual increase in successful tenant sign-in events in the past 30 days
- Unusual increase in failed AD change events in the past 30 days
- Unusual increase in permission changes to AD object events in the past 30 days
- Unusual increase in files shared from OneDrive and SharePoint events in the past 30 days
- Unusual increase in Office 365 activity by guest user events in the past 30 days
- Unusual increase in Office 365 activity by anonymous user events in the past 30
- Unusual increase in Teams guest participant events in the past 30 days
- All anomaly detected events in past 30 days
|
280820 |
September 7, 2021
|
Additional built in search under the Audit Health category: Change Auditor Installation connectivity events in the past 30 days.
Additional search filters:
- Latest Activity Time
- Latest Event Time Detected
- Correlated Activity
|
280845 |
|
Additional built in search under the Audit Health category: Service activity changes in the past 30 days.
Additional search filters:
- Last Event Time Detected
- Correlated Activity
|
281273 |
Quest Operations and Quest Support have procedures in place to monitor the health of the system and ensure any degradation of the service is promptly identified and resolved. On Demand relies on Azure and AWS infrastructure and as such, is subject to the possible disruption of these services.You can view the following status pages:
