
On Demand Audit Current - User Guide


Teams built in searches

On Demand Audit provides the following Teams searches:

  • Teams app events in the past 7 days

  • Teams bot events in the past 7 days

  • Teams channel events in the past 7 days

  • Teams client configuration changes in the past 30 days

  • Teams connector events in the past 7 days

  • Teams events in the past 7 days

  • Teams guest access configuration changes in the past 30 days

  • Teams guest members added in the past 7 days

  • Teams member role changes in the past 7 days

  • Teams member changes in the past 7 days

  • Teams notification and feeds policy changes in the past 30 days

  • Teams organization setting changes in the past 30 days

  • Teams tab events in the past 7 days

  • Teams targeting policy changes in the past 30 days

  • Teams team created events in the past 30 days

  • Teams team deleted events in the past 30 days

  • Teams team setting changes in the past 7 days

  • Teams user sign-in events in the past 7 days

Security Guardian built in searches

On Demand Audit provides the following Security Guardian built in searches:

  • All Security Guardian events in the past 24 hours

  • All Security Guardian events in the past 7 days

  • SG Detected Anomaly indicators in the past 30 days

  • SG Detected TTP indicators in the past 30 days

  • SG Hygiene indicators in the past 30 days

  • SG Detected Protected indicators in the past 30 days

  • SG Privileged Microsoft Entra objects added in the past 30 days

  • SG Privileged Microsoft Entra objects certified in the past 30 days

  • SG Privileged Microsoft Entra objects removed in the past 30 days

  • SG Privileged Microsoft Entra objects uncertified in the past 30 days

  • SG Tier Zero objects added in the past 30 days

  • SG Tier Zero objects removed in the past 30 days

  • SG Tier Zero objects certified in the past 30 days

  • SG Tier Zero objects uncertified in the past 30 days

  • SG all indicators muted and unmuted in the past 30 days

  • SG all objects muted and unmuted in the past 30 days

  • SG all Tier Zero objects protected in the past 30 days

  • SG all AD DB objects protected in the past 30 days

  • Shields Up enabled in the past 30 days

  • Shields Up disabled in the past 30 days

  • Shields Up override account changes in the past 30 days

Filtering Searches

To streamline and customize your search experience, you can construct queries using groups of clauses with flexible logic options. Each group allows you to define whether clauses within it are evaluated using AND or OR logic, and you can also choose how multiple groups interact with one another. Within each clause, you specify a field, condition, and value, and you can easily add or remove clauses and groups to refine your results.

For a complete list of available columns, filters, and predefined values, refer to Appendix A: Available search columns and filters. These resources will help you locate the information you need to effectively secure your environment.

 

TIP: Tips for Effective Searching

  • Use All of when you're looking for very specific matches.

  • Use Any of when you're exploring broader patterns or possibilities.

  • Combine multiple clauses within a group to refine logic before applying group-level connectors.

  • You can choose only one type of connector between clause groups: either all ANDs (narrower search) or all ORs (broader search). You cannot mix AND and OR between groups.

What Are Clause Groups?

Clause groups are sets of conditions (clauses) that define what data you're looking for. Each clause typically includes:

  • A field (such as Time Detected, Action, or Country)

  • A condition.

    The available string operators are: equals, does not equal, contains, does not contain, in, not in, starts with, does not start with, ends with, and does not end with.

    The available integer operators (for sign-in events) are: equals_number, does_not_equal_number, greater_than, greater_than_or_equals, less_than, less_than_or_equals, and between_number.

    The available date and time operators are: during last (a number of days or hours; by default, new searches use the last 7 days), between, before, and after.

  • A value (such as 7 days, Delete Object, or Canada)

You can add multiple clauses to a group, and multiple groups to a query.

 

Using "Any of" vs. "All of" in Clause Group Filters

When building advanced search queries, clause groups allow you to organize multiple conditions. The connector option—Any of or All of—controls how these groups are evaluated together.

At the top of the clause group section, use the + to choose how groups are connected:

  • All of (and)

All clause groups must be true for a result to match. Use this when you want to narrow your search.

Example:

Time Detected during last 7 days

AND Action equals Delete Object

AND Country equals Canada

Only results that meet all three conditions will be shown.

  • Any of (or)

At least one clause group must be true for a result to match. Use this when you want to broaden your search.

Example:

Time Detected during last 7 days

OR Action equals Delete Object

OR Country equals Canada

Results that meet any one of these conditions will be shown.

 

Example Use Case: Filtering Events by Access Policy

Goal: A security analyst wants to find events from the last 7 days that match either of two access control policies.

Step-by-Step Setup:

  • Create Clause Group 1:

Time Detected → during last → 7 days

Access Control Policy → contains → "AdminAccess"

  • Create Clause Group 2:

Time Detected → during last → 7 days

Access Control Policy → contains → "GuestAccess"

  • Set Clause Group Connector:

Use the top clause group connector menu to select Any of (or).

This ensures the query returns events that match either group.

  • Result:

The system will return:

Events from the last 7 days with AdminAccess, or

Events from the last 7 days with GuestAccess
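The clause-group logic described above (All of vs. Any of within a group, a single connector between groups, and the two-group use case) as an added example written for this page: a small Python evaluator over constructed events. It is not On Demand Audit code and does not use the product's API; the operator names follow the guide, the event field names Time Detected, Action, Country and Access Control Policy follow the guide's examples, and the Id and Failed Attempts fields, the sample values and the fixed reference time are assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone

# Fixed reference time for "during last N days", so the example is deterministic.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)

# Constructed sample events; not real On Demand Audit output. "Id" and
# "Failed Attempts" are assumed field names used only for this example.
EVENTS = [
    {"Id": 1, "Time Detected": NOW - timedelta(days=1), "Action": "Delete Object",
     "Country": "Canada", "Access Control Policy": "AdminAccess-Baseline", "Failed Attempts": 0},
    {"Id": 2, "Time Detected": NOW - timedelta(days=3), "Action": "Add Member",
     "Country": "France", "Access Control Policy": "GuestAccess-External", "Failed Attempts": 4},
    {"Id": 3, "Time Detected": NOW - timedelta(days=12), "Action": "Delete Object",
     "Country": "Canada", "Access Control Policy": "AdminAccess-Baseline", "Failed Attempts": 1},
    {"Id": 4, "Time Detected": NOW - timedelta(hours=2), "Action": "Sign In",
     "Country": "Canada", "Access Control Policy": "None", "Failed Attempts": 9},
]

# Operators named in the guide; each maps (actual value, clause value) to a bool.
STRING_OPS = {
    "equals": lambda v, x: v == x,
    "does not equal": lambda v, x: v != x,
    "contains": lambda v, x: x in v,
    "does not contain": lambda v, x: x not in v,
    "in": lambda v, x: v in x,                 # x is a list of allowed values
    "not in": lambda v, x: v not in x,
    "starts with": lambda v, x: v.startswith(x),
    "does not start with": lambda v, x: not v.startswith(x),
    "ends with": lambda v, x: v.endswith(x),
    "does not end with": lambda v, x: not v.endswith(x),
}
INT_OPS = {
    "equals_number": lambda v, x: v == x,
    "does_not_equal_number": lambda v, x: v != x,
    "greater_than": lambda v, x: v > x,
    "greater_than_or_equals": lambda v, x: v >= x,
    "less_than": lambda v, x: v < x,
    "less_than_or_equals": lambda v, x: v <= x,
    "between_number": lambda v, x: x[0] <= v <= x[1],
}
DATE_OPS = {
    "during last": lambda v, x, now: v >= now - x,   # x is a timedelta (days or hours)
    "before": lambda v, x, now: v < x,
    "after": lambda v, x, now: v > x,
    "between": lambda v, x, now: x[0] <= v <= x[1],
}


def clause_matches(event, clause, now):
    """A clause is (field, operator, value); pick the operator family by name."""
    field, op, value = clause
    actual = event[field]
    if op in DATE_OPS:
        return DATE_OPS[op](actual, value, now)
    if op in INT_OPS:
        return INT_OPS[op](actual, value)
    return STRING_OPS[op](actual, value)


def group_matches(event, group, now):
    """A group is (connector, [clauses]); "All of" is AND, "Any of" is OR."""
    connector, clauses = group
    combine = all if connector == "All of" else any
    return combine(clause_matches(event, c, now) for c in clauses)


def run_search(groups, group_connector, events=EVENTS, now=NOW):
    """Evaluate every group, then join the groups with the single connector the
    product allows between groups. Returns the sorted Ids of matching events."""
    combine_groups = all if group_connector == "All of" else any
    return sorted(e["Id"] for e in events
                  if combine_groups(group_matches(e, g, now) for g in groups))


DELETE_CLAUSES = [("Time Detected", "during last", timedelta(days=7)),
                  ("Action", "equals", "Delete Object"),
                  ("Country", "equals", "Canada")]


def narrow_delete_search():
    # "All of": recent AND Delete Object AND Canada. Event 3 is 12 days old, so only 1 matches.
    return run_search([("All of", DELETE_CLAUSES)], "All of")


def broad_any_search():
    # Same clauses with "Any of": the time clause alone admits every recent event,
    # and the 12-day-old event 3 still matches on Action and Country.
    return run_search([("Any of", DELETE_CLAUSES)], "Any of")


def policy_search():
    # The guide's use case: two groups joined with "Any of". The time clause is
    # repeated in each group because an OR between groups would otherwise drop it.
    recent = ("Time Detected", "during last", timedelta(days=7))
    return run_search([
        ("All of", [recent, ("Access Control Policy", "contains", "AdminAccess")]),
        ("All of", [recent, ("Access Control Policy", "contains", "GuestAccess")]),
    ], "Any of")


def failed_sign_in_search():
    # Integer operator on a sign-in field (the field name is an assumption).
    return run_search([("All of", [("Time Detected", "during last", timedelta(days=7)),
                                   ("Action", "equals", "Sign In"),
                                   ("Failed Attempts", "greater_than_or_equals", 5)])], "All of")
```

Running broad_any_search against narrow_delete_search shows why the tip above recommends All of for specific matches: with Any of, the "during last 7 days" clause by itself returns every recent event, and the time window no longer bounds the other clauses. That is also why the use case repeats the time clause inside each group rather than placing it in a group of its own.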

To use the search filter:

  1. Under the Searches tab, select the search.
  2. Click the pencil icon to modify the search. The type of search (private or shared) and the current category are displayed at the top of the search.
  3. Edit the search filter as required.

Add the required search filter clauses and select either Any of (or) or All of (and) to set how the filters are evaluated together.

Add any further sets of conditions (clause groups) to the filter by selecting Add New Clause Group, and choose whether the clauses within each group are combined with AND or OR.

Creating a custom search

Custom searches allow you to locate and report on the data that is of interest to you. The associated search preview updates as you construct a search to ensure you are getting the desired results. For options, see Customizing the search display.

NOTE:

  • Private search names must be unique among all categories for each user.

  • Shared search names must be unique among all shared searches in all categories in the organization.

To create a search

  1. Under the Searches tab, click New Search.
  2. Enter a name for the search.
  3. Click Add to enter the required search criteria.
  4. Select as many filters as required. Search terms are highlighted in the preview (and in the search results and event details) so you can quickly scan for matches. See Filtering Searches and Appendix A: Available search columns and filters for details.
  5. Click Edit Columns to arrange, add, and remove the columns displayed in the search. See Customizing the search display.
  6. Click Save. By default, the new search is created in the category that was selected when you clicked New Search. If required, select a different category.
  7. Select whether this is a private or shared search. See Working with private and shared searches.
  8. Click Save.
  9. If required, click Alert, select the required notification template (or create a new one) to notify the required individuals, and click Save. See Working with alerts and notification templates.