On Demand Audit Current

The Audit Health tile allows you to easily see the status of your auditing configuration, identify any issues, and make the required updates to ensure you are keeping informed of the vital and critical changes to your organization.

From here, you can grant required consent for the tenant, view subscription information, view the auditing configuration settings, view results in a search, and subscribe to the built-in alert plans.

NOTE: Specific permissions are required for the following actions:

Can Add and Remove Tenants is required to grant consent.
Can Run Private Searches and Can Run Shared Searches are required to view associated results.
Can Manage Azure AD Tenant Configurations for Audit is required to view issues identified for tenants.
Can Manage Change Auditor Installation Configuration is required to view issues identified for Change Auditor.
Can Manage Shared Alerts and Shared Alert Plans and Can Run Shared Searches is required to subscribe to the alert plans.

NOTE:

You have the option to hide items from the dashboard if they do not provide you any value, expose previously hidden items, and dismiss notifications as required.
You have the option to dismiss the ability to subscribe to the available alert plans. Once it has been dismissed, it will no longer be displayed as an option in the Audit Health dashboard.

Possible issues that may be identified include:

Tenant requires additional configuration
Tenant has not been added for auditing
Service subscription will expire soon
Service is not enabled for event collection on the tenant
Event collection has been disabled on the tenant
No Office 365 events have been received from the tenant in the last 24 hours
No Azure AD events have been received from the tenant in the last 24 hours
No Azure AD Sign-in events have been received from the tenant in the last 24 hours
No Change Auditor events have been received in the last 24 hours
Change Auditor installation has been paused
Change Auditor installation was removed
Change Auditor installation has not been connected in the last 24 hours
Change Auditor upgrade is required
Change Auditor upgrade is available
Configure SpecterOps BloodHound Enterprise integration
SpecterOps BloodHound Enterprise configuration was removed
SpecterOps BloodHound Enterprise connection failed
Subscribe to Tier Zero alert plan

To subscribe to an alert plan from the Audit Health tile in the dashboard:

Select View Plan for the alert plan that you want to subscribe to.
Edit the alert recipients as required, and click Save.

Identifying critical activity

Working with On Demand Audit > Using the dashboard > Identifying critical activity

The Critical Activity tile highlights security-related activity, including anomaly detection for unusual spikes in activity, that may indicate a threat to your organization and require further investigation.

NOTE: Critical activity events are gathered and displayed based on the services that you have selected to audit.

See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on premises events.

Audited Service	Critical activity
Change Auditor / Logon Activity	Local logons to Tier Zero computers NTLM version 1 logons Possible Golden Ticket Kerberos exploits Potential kerberoasting or similar Kerberos attack detected Tier Zero user logons to computers that are not Tier Zero Unusual increase in AD account lockouts Unusual increase in failed on-premises sign-ins Unusual increase in successful on-premises sign-ins
Change Auditor / Active Directory	Administrative privilege elevation detected AD user ServicePrincipalName attribute changes detected Active Directory critical group membership changes Active Directory schema configuration changes Active Directory forest configuration changes Active Directory security changes Domain level group policy linked changes detected Irregular AD replication activity detected Irregular domain controller registration detected (DCShadow) Potential sIDHistory injection detected Security changes to Tier Zero computer objects Security changes to Tier Zero domain objects Security changes to Tier Zero group objects Security changes to Tier Zero group policy objects Security changes to Tier Zero user objects Tier Zero computer changes Tier Zero domain and forest configuration changes Tier Zero group changes Tier Zero group policy object changes Tier Zero user changes Unusual increase in failed AD changes Unusual increase in permission changes to AD objects
Change Auditor / Active Directory Federation Services	Unusual increase in successful AD Federation Services sign-ins Unusual increase in failed AD Federation Services sign-ins
Change Auditor / File System	AD Database (NTDS.dit) access attempt detected AD Database (NTDS.dit) file modification attempt detected All file changes with suspicious file extensions Unusual increase in share access permission changes Unusual increase in failed file access attempts Unusual increase in file deletes Unusual increase in file renames
Change Auditor / Group Policy	Group Policy changes
Azure Active Directory - Audit Logs	Azure Tier Zero application changes Azure Tier Zero group changes Azure Tier Zero role changes Azure Tier Zero service principal changes Azure Tier Zero tenant level and directory activity Azure Tier Zero user changes Azure Active Directory critical directory role changes Azure Active Directory tenant level configuration changes Azure Active Directory cloud-only users created
Azure Active Directory - Sign Ins	Azure Tier Zero principal logons Azure Tier Zero AD risk events Unusual increase in tenant sign-in failures Unusual increase in successful tenant sign-ins
Exchange Online - Administrative Activity	OneDrive and SharePoint files shared with external users OneDrive and SharePoint anonymous links Office 365 activity from external users
Sharepoint Online or OneDrive For Business	Unusual increase in files shared from OneDrive and SharePoint Unusual increase in Office 365 activity by guest users Unusual increase in Office 365 activity by anonymous users
Microsoft Teams	Unusual increase in Teams guest participants

You can easily dive deeper into the activity by viewing the associated search. For details on the searches associated with the critical activity see Working with searches, Working with Azure Active Directory Searches and Using built in searches.

To view a full list of critical activity as well as visualizations to help understand the possible threat, see Working with critical activity.

Identifying the top active users

Working with On Demand Audit > Using the dashboard > Identifying the top active users

The Top Active Users tile displays the top five active users in the last 24 hours with each service represented by a different color bar. By default, data for all available services is displayed.

To view the exact number of events per service for a particular user, hover over a section of the bar. To dive deeper into the activity details, click the section of the bar that represents the service of interest.

NOTE Other than On Demand Audit activity, which will always be included, the activity that is gathered and displayed is based on the services that you have selected to audit.

See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on premises events.

Audited Service	Activity
Change Auditor	Active Directory Active Directory Federation Services (Change Auditor version 7.1.2 or later) Active Directory Database Group Policy Logon Activity
OneDrive for Business	OneDrive
SharePoint Online	SharePoint
Micorosft Teams	Teams
Azure Active Directory - Audit Logs Azure Active Directory - Sign-ins	Azure Active Directory
Exchange Online - Administrative Activity Exchange Online - Mailbox Activity	Exchange

To view the top active users for a specific service

Choose the required service from the dropdown list, and click Select.
To exclude users from being included in the calculations and display, select the Edit Excluded Users and add and remove users as required.
Click Close to save your selection.

Working with My Favorite Searches

Working with On Demand Audit > Using the dashboard > Working with My Favorite Searches

The My Favorite Searches section of the dashboard allows you to pin the top five searches that you have defined as having a high value in your organization. From here you can see the number of events, select to view the search details, and manage which searches to displayed in this view.

By default, the following searches are listed:

Important changes for critical Azure AD directory roles in the past 7 days
Azure AD role member changes in the past 7 days
Cloud-only Azure AD users created in the past 180 days
Azure AD tenant level configuration changes in the last 180 days
Office 365 events from EXT Users in the past 7 days

To manage the searches displayed on the dashboard:

From My Favorite Searches, click Edit Searches.
Add and remove searches as required by selecting the category and associated search. You can also drag and drop to specify the search order on the dashboard based on priority.
Once you have made all your selections, click OK.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation

Veuillez sélectionner votre produit

Afin de mieux répondre à vos besoins, précisez l'objet du tchat:

Solutions recommandées pour votre problème

On Demand Audit Current - User Guide

Monitoring Audit Health status

Identifying critical activity

Identifying the top active users

Working with My Favorite Searches