
On Demand Audit Current - User Guide


Customizing the search display

When you create a search, a preview displays to help ensure the search criteria meet your needs. You can easily customize the columns that display in the generated report and set how you want the report results displayed through the visualization settings.

NOTE: Some columns are included by default, such as Time Detected, User (Actor), Activity, Target, Origin IP, Service, Status, and Tenant Name. For a list of available columns, see Appendix A: Available search columns and filters.

To customize the display of the search results

  1. As you create a search, click Edit Columns.
  2. Drag and drop the columns to change the order.
  3. To remove a column, click the - next to the appropriate column.
  4. To add a column, click Add Column.
  5. Select the Visualize menu and choose how to visualize the results. You can choose between a Chart & Grid, Grid only, or Chart only.
  6. If you select to display as Chart & Grid or Chart only, you can further refine the display by selecting the type of chart (horizontal bar chart, time series, or donut) and how you want to group and summarize the data.
  7. Click Preview to view your changes.
  8. Click Save to save your changes.
If you have selected to visualize the search in a donut or bar chart, you can add and remove items from the display by clicking them in the legend to clear or enable them, and select a section of the donut or bar to view more details.

Viewing search results and event details

When selecting an event that has been returned from a search, you can view all the details of the activity that triggered the event. If the search contains string filters, the string is highlighted in the search results and event details to allow you to quickly scan for matches.

A summary of important event details is displayed at the top of the event details that includes:

  • Activity Name
  • Service
  • Time Detected
  • User display name
  • Target
  • Location
  • Status (Successful/Failed)

For Microsoft Entra, Active Directory, and Group Policy events, the summary also displays the following:

  • Property After Value
  • Property Before Value
  • Property Name

To view event details

  1. Select the Searches tab.
  2. Locate the required search in the list of categories.
  3. Highlight the search and click the arrow icon to run it.
  4. Click an event to open a new window that contains all the event details.
  5. Click the Event Link to create a dedicated page for the event details within On Demand Audit. Once created you can view the information, copy the URL to share with others, or bookmark it for future use.

Copying event details

When selecting an event that has been returned from a search, you can copy the event details to clipboard to paste into another application.

To copy event details

  1. Select the Searches tab.
  2. Locate the required search in the list of categories.
  3. Highlight the search and click the arrow icon to run it.
  4. Click an event to open a new window that contains all the event details.
  5. Select Copy to clipboard to copy all event details to a clipboard.

Modifying a search

You can easily modify a search to gather the information you require, as long as you have the right to do so.

NOTE:

  • Only custom searches can be modified.
  • Built-in searches cannot be modified. However, you can create a new search based on one and customize the settings to suit your needs. See Creating a search from an existing search.

To modify a search

  1. Under the Searches tab, select the search.
  2. Click the pencil icon to modify the search. The type of search (private or shared) and the current category is displayed at the top of the search.
  3. Edit the search name and remove, add, or edit search criteria as required. Search terms are highlighted in the preview (and in the search results and event details) to allow you to quickly scan for matches. See Filtering Searches and Appendix A: Available search columns and filters for details.
  4. If required, change the category by selecting a new category from the drop-down list.
  5. Click Edit Columns to rearrange, add, and remove columns as required and select the visualization options.
    1. Drag and drop the columns to change the order.
    2. To add a column, click Add Column.
    3. To remove a column, click the - next to the appropriate column.
    4. Select the Visualize menu and choose how to visualize the results. You can choose between a Chart & Grid, Grid only, or Chart only. If you select to display as a chart, you can further refine the display by selecting the type of chart and how you want to group and summarize the data.
    5. Click Apply when you are satisfied with the edits.
  6. Select whether this is a private or shared search. See Working with private and shared searches.
  7. Click Save to apply the changes.
  8. If required, click Alert, select the required notification template (or create a new one) to notify the required individuals, and click Save. See Working with alerts and notification templates.