
Security Guardian Current - Security Guide

Authentication of Users

Signing in to On Demand is done through Microsoft Entra ID. The customer logs in to the application by providing On Demand user account credentials. The process of registering a Microsoft Entra tenant into On Demand is handled through the well-established Azure Admin Consent workflow. For more information about the consent workflow, please refer to the Quest On Demand Global Settings technical documents.

The initial configuration of the connection of Change Auditor to On Demand is done by the Change Auditor administrator using On Demand login credentials previously established in the On Demand web portal. For further details, see the Quest On Demand Global Settings Security Guide.

Role Based Access Control

Quest On Demand is configured with default roles that cannot be edited or deleted, and it allows you to add custom roles to make permissions more granular. Each access control role has a specific set of permissions that determines what tasks a user assigned to the role can perform.

For more details, see Adding users to an organization in the On Demand Global Settings User Guide.

List of permissions that can be assigned to users for Audit:

  • Can View Audit Event Details
  • Can Manage Audit Private Searches
  • Can Run Audit Private Searches
  • Can Run Audit Shared Searches
  • Can Run Audit Search Visualization
  • Can Manage Audit Change Auditor Installation Configuration
  • Can View Audit Dashboard
  • Can Manage Audit Microsoft Entra Tenant Configurations
  • Can View Audit Shared Searches
  • Can View Audit Event Retention Settings
  • Can Manage Audit Shared Searches
  • Can Manage Audit Shared Alerts and Shared Notification Templates
  • Can Manage Audit Private Alerts and Private Notification Templates
  • Can Manage Organization Private Alerts and Private Notification Templates
  • Can Manage SpecterOps BloodHound Configuration
  • Can Export Data

Audit also makes use of one special role called Manage Audit Organization Private Alerts and Private Notification Templates. This built-in role is the only way to delegate to users the rights to manage organization private alerts and private notification templates, regardless of which user in the organization owns the alert or notification template. Users must be assigned to this role to receive these rights, because the capability cannot be granted via a permission in the standard way. This role is not assigned to any user by default, and, unlike other permissions, the right is not implicitly held by members of the On Demand Administrator or Audit Administrator roles.

FIPS 140-2 Compliance

Security Guardian cryptographic usage is based on Azure FIPS 140-2 compliant cryptographic functions. For more information, see Microsoft-us/azure/storage/blobs/security-recommendations.

Audit uses FIPS 140-2 compliant encryption provided in Microsoft Azure Cloud services.

More information:

SDLC and SDL

The On Demand team follows a strict Quality Assurance cycle.

  • Access to source control and build systems is protected by domain security. Only employees on Quest’s corporate network have access to these systems. Therefore, if an On Demand developer leaves the company, they will no longer be able to access On Demand systems.
  • All code is versioned in source control.
  • All product code is reviewed by another developer before check in.
  • In addition, the On Demand development team follows a managed Security Development Lifecycle (SDL) which includes:
    • MS-SDL best practices
    • Threat modelling
    • OWASP guidelines
    • Static code analysis is performed on a regular basis
    • Vulnerability scanning is performed on a regular basis
    • Segregated Development, Pre-Production, and Production environments. Customer data is not used in Development and Pre-Production environments

On Demand developers go through the same set of hiring processes and background checks as other Quest employees.
