
On Demand Audit Current - User Guide


Auditing risk events

On Demand Audit captures both the risk event itself and the action an administrator later takes on the detected risk.

IMPORTANT: To capture and view this information, ensure that you have enabled auditing of the Azure Active Directory - Audit Logs module.

The following information is listed in the Azure AD risk event's activity:

  • "New risk event detected" event, when the Microsoft Azure Active Directory Identity Protection portal creates a new risk event.
  • "Admin dismisses risk event", "Admin reactivates risk", and "Admin resolves risk" events, when the Microsoft audit logs create an event for an administrator's actions.

Auditing Office 365

On Demand Audit audits activity for Exchange Online, OneDrive for Business, Teams, and SharePoint Online that corresponds to the events in the Office 365 Security & Compliance Center unified audit log.

You can easily track and identify important activities such as:

  • When Exchange Online mailboxes are created, deleted, and accessed.
  • Permission changes, to see which users are granted access to a mailbox.
  • Mailbox activity by non-owners, such as messages sent, read, and deleted, and folders deleted.
  • Mailbox activity by owners of sensitive and high-value mailboxes.
  • When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
  • Teams user and administrator activity, such as when teams (and their associated settings, members, and applications) are created, updated, or removed, and when users sign in.

For details on running the searches and creating custom searches based on the built-in searches, see:

Appendix A: Working with Filters

The following columns, filters, and pre-defined values are available to help you locate the information you need to secure your environment.

Available search filters and columns

Filter: value to enter, or available pre-defined values to select
Access Control Policy
  • Enter an associated value
Action

Select from the following pre-defined values:

  • Add Attribute
  • Add Object
  • Delete Attribute
  • Delete Object
  • Modify Attribute
  • Move Object
  • Other Actions
  • Rename Object
Activity
  • Enter an associated value
Activity Category

Select from the following pre-defined values:

  • Active Directory Federation Services - Server Farm
  • Active Directory Federation Services - Claims Provider Trusts
  • Active Directory Federation Services - Authentication Methods
  • Active Directory Federation Services - Relying Party Trusts
  • Active Directory Federation Services - Endpoints
  • AD Query
  • Alert Plan
  • Alert Rule
  • Anonymous Cloud Activity
  • Anonymous Web Site Activity
  • Audit Configuration
  • Authentication Activity
  • Authentication Services Monitoring
  • Azure Active Directory
  • Azure Active Directory - Administrative Units
  • Azure Active Directory - Application
  • Azure Active Directory - B2B
  • Azure Active Directory - Directory
  • Azure Active Directory - Group
  • Azure Active Directory - Policy
  • Azure Active Directory - Resource
  • Azure Active Directory - Risk Event
  • Azure Active Directory - Role
  • Azure Active Directory - Sign-in
  • Azure Active Directory - User
  • Category
  • Change Auditor Internal Auditing
  • Computer Monitoring
  • Configuration Monitoring
  • Connection Object
  • Custom AD Object Monitoring
  • Custom ADAM Object Monitoring
  • Custom Computer Monitoring
  • Custom File System Monitoring
  • Custom Group Monitoring
  • Custom Registry Monitoring
  • Custom User Monitoring
  • Defender
  • DNS Service
  • DNS Zone
  • Domain Configuration
  • Domain Controller Authentication
  • Dynamic Access Control
  • EMC
  • Exchange ActiveSync Monitoring
  • Exchange Administrative Group
  • Exchange Distribution List
  • Exchange Mailbox Monitoring
  • Exchange Organization
  • Exchange Permission Tracking
  • Exchange Security Group
  • Exchange User
  • Fault Tolerance
  • File System Access Denied
  • File System Configuration Change
  • File System Content Change
  • File System Content Access
  • File System Security Change
  • FluidFS
  • Forest Configuration
  • FRS Service
  • Full Text Event
  • Group Policy Item
  • Group Policy Object
  • Group Monitoring
  • IP Security
  • Link Configuration
  • Local Group Monitoring
  • Local User Monitoring
  • Logon Session
  • NetApp
  • NETLOGON Service
  • None
  • NTDS Service
  • Office 365 Exchange Online Administration
  • Office 365 SharePoint Online
  • Office 365 OneDrive for Business
  • Office 365 Exchange Online Mailbox
  • OU
  • Replication Transport
  • Schema Configuration
  • Search
  • Security Change Detail
  • Session Event
  • Service Monitoring
  • SharePoint Document
  • SharePoint Document Library
  • SharePoint Farm
  • SharePoint Folder
  • SharePoint List
  • SharePoint List Item
  • SharePoint Permission
  • SharePoint Security Group
  • SharePoint Site
  • SharePoint Site Collection
  • Site Configuration
  • Site Link Bridge Configuration
  • Site Link Configuration
  • Skype for Business Administration
  • Skype for Business Configuration
  • SQL Broker Event
  • SQL CLR Event
  • SQL Cursors Event
  • SQL Data Level
  • SQL Database Event
  • SQL Deprecation Event
  • SQL Errors and Warnings Event
  • SQL Full Text Event
  • Scan Event
  • SQL Locks Event
  • SQL Objects Event
  • SQL OLEDB Event
  • SQL Performance Event
  • SQL Progress Report Event
  • SQL Query Notifications Event
  • SQL Scan Event
  • SQL Security Audit Event
  • SQL Server Event
  • SQL Session Event
  • SQL Stored Procedures Event
  • SQL Transaction Event
  • SQL TSQL Event
  • SQL User-Configurable Event
  • Subnets
  • System Events
  • SYSVOL
  • Threat Detection - Alert
  • Threat Detection - Risky User
  • Transactions Event
  • User Cloud Activity
  • User Web Site Activity
  • VMware Account
  • VMware Alarm
  • VMware Authorization
  • VMware Cluster
  • VMware Custom Field
  • VMware Datacenter
  • VMware Datastore
  • VMware DVPortgroup
  • VMware Dvs
  • VMware Generic
  • VMware Host
  • VMware License
  • VMware Profile
  • VMware Resource Pool
  • VMware Scheduled Task
  • VMware Session
  • VMware Task
  • VMware Template Upgrade
  • VMware Upgrade
  • VMware Virtual Machine

Activity Id
  • Enter an associated value
Activity Time
  • Enter days or hours
Actor Id
  • Enter an associated value
Actor Name
  • Enter an associated value
Actor Object Id
  • Enter an associated value
Actor PUID
  • Enter an associated value
Actor Service Principle Name
  • Enter an associated value
Actor User Principal Name
  • Enter an associated value
AD Authorization Port
  • Enter an associated value
AD Kerberos
  • Enter an associated value
AD Security Change Applies To
  • Enter an associated value
AD Security Change Condition
  • Enter an associated value
AD Security Change Permission
  • Enter an associated value
AD Security Change Type
  • Enter an associated value
AD Simple Bind
  • Enter an associated value
AD SSL/TLS
  • Enter an associated value
Additional Details
  • Enter an associated value
Additional Info
  • Enter an associated value
Add-on Guid
  • Enter an associated value
Add-on Name
  • Enter an associated value
Add-on Type

Select from the following pre-defined values:

  • Bot
  • Connector
  • Tab
  • App
Affected Items
  • Enter an associated value
Agent Domain Fully Qualified Domain Name
  • Enter an associated value
Agent Forest Name
  • Enter an associated value
Agent Fully Qualified Domain Name
  • Enter an associated value
Agent Id
  • Enter an associated value
Agent OS Version
  • Enter an associated value
Agent Site Name
  • Enter an associated value
Alert Plan Name
  • Enter an associated value
Alert Plan Type

Select from the following pre-defined values:

  • Shared Alert Plan
  • Private Alert Plan
Alert Recipient
  • Enter an associated value
Alert Recipients
  • Enter an associated value
Alert Rule Name
  • Enter an associated value
Alert Rule Type

Select from the following pre-defined values:

  • Shared Alert Rule
  • Private Alert Rule
Application Id
  • Enter an associated value
Application Name
  • Enter an associated value
Attribute Name
  • Enter an associated value
Atypical Location

Select from the following pre-defined values:

  • Yes
  • No
Audit Item
  • Enter an associated value
Audit Source
  • Enter an associated value
Authentication Method
  • Enter an associated value
Authentication Protocol

Select from the following pre-defined values:

  • Kerberos
  • NTLM
  • Unknown
Authentication Protocol Version

Select from the following pre-defined values:

  • V1
  • V2
Auto Update From Federation Metadata

Select from the following pre-defined values:

  • Yes
  • No
Azure AD Activity Operation Type
  • Enter an associated value
Azure AD Activity Type
  • Enter an associated value
Azure AD Category
  • Enter an associated value
Azure AD Result Description
  • Enter an associated value
Browser Authentication URL
  • Enter an associated value
Category Name
  • Enter an associated value
Category Type

Select from the following pre-defined values:

  • Shared Category
  • Private Category
Channel Name
  • Enter an associated value
Channel Guid
  • Enter an associated value
Channel Type

Select from the following pre-defined values:

  • Private
  • Standard
Change Auditor Event Class ID
  • Enter an associated value
Change Auditor Event Class Name
  • Enter an associated value
Change Auditor Facility ID
  • Enter an associated value
Change Auditor Facility Name
  • Enter an associated value
City
  • Enter an associated value
Claims Provider Trust Name
  • Enter an associated value
Client Info String
  • Enter an associated value
Client IP Address
  • Enter an associated value
Client Machine Name
  • Enter an associated value
Client Process Name
  • Enter an associated value
Client Version
  • Enter an associated value
Cmdlet Name
  • Enter an associated value
Comment
  • Enter an associated value
Correlated Activity

Select from the following pre-defined values:

  • Yes
  • No
Coordinator Id
  • Enter an associated value
Correlation Id
  • Enter an associated value
Country
  • Enter an associated value
Creator
  • Enter an associated value
Cross-Mailbox Operations
  • Enter an associated value
Custom Event
  • Enter an associated value
Destination File Extension
  • Enter an associated value
Destination FileName
  • Enter an associated value
Destination Folder
  • Enter an associated value
Destination MailboxId Id
  • Enter an associated value
Destination MailboxId Owner Master Account Sid
  • Enter an associated value
Destination MailboxId Owner Sid
  • Enter an associated value
Destination MailboxId Owner UPN
  • Enter an associated value
Destination relative URL
  • Enter an associated value
Detection Timing

Select from the following pre-defined values:

  • Near Realtime
  • Not Defined
  • Offline
  • Realtime
Device Information
  • Enter an associated value
Distribution Group Name
  • Enter an associated value
Domain Name
  • Enter an associated value
Enabled

Select from the following pre-defined values:

  • Yes
  • No
Error Code
  • Enter an associated value
Event Data
  • Enter an associated value
Event Id
  • Enter an associated value
Event Source
  • Enter an associated value
Event Source Application
  • Enter an associated value
Event Version
  • Enter an associated value
External Access
  • Enter an associated value
Failure Reason
  • Enter an associated value
File System Attribute
  • Enter an associated value
File System Category
  • Enter an associated value
File System Logon Id
  • Enter an associated value
File System Object Type
  • Enter an associated value
File System Security Change Applies To
  • Enter an associated value
File System Security Change Condition
  • Enter an associated value
File System Security Change Permission
  • Enter an associated value
File System Security Change Type
  • Enter an associated value
File System Shadow Copy
  • Enter an associated value
File System Share Name
  • Enter an associated value
File System SID
  • Enter an associated value
Folder
  • Enter an associated value
Folder Path
  • Enter an associated value

Has file system security change condition

Select from the following pre-defined values:

  • Yes
  • No
Has no from value

Select from the following pre-defined values:

  • Yes
  • No
Identifiers
  • Enter an associated value
Initiator User Mail
  • Enter an associated value
Initiator User Name
  • Enter an associated value
Initiator User SID
  • Enter an associated value
Installation Id
  • Enter an associated value
Installation Name
  • Enter an associated value
Internal Correlation Id
  • Enter an associated value
Is Linked Group Policy Change

Select from the following pre-defined values:

  • False
  • True
Item type
  • Enter an associated value
Kerberos Ticket Lifetime (Hours)
  • Enter an associated value
Latest Activity Time
  • Enter the required time frame
Latest Event Time Detected
  • Enter the required time frame
Logon Begin Type

Select from the following pre-defined values:

  • Additional logon
  • Concurrent user disconnected
  • Existing logon
  • Lock
  • Logoff
  • Logon
  • None
  • Remote logoff
  • Remote logon
  • Screensaver turned off
  • Screensaver turned on
  • Shutdown
  • Unlock
Logon Duration
  • Enter an associated value
Logon End
  • Enter days or hours
Logon End Type

Select from the following pre-defined values:

  • Additional logon
  • Concurrent user disconnected
  • Existing logon
  • Lock
  • Logoff
  • Logon
  • None
  • Remote logoff
  • Remote logon
  • Screensaver turned off
  • Screensaver turned on
  • Shutdown
  • Unlock
Logon Session End
  • Enter days or hours
Logon Session Start
  • Enter days or hours
Logon Start
  • Enter days or hours
Logon Type (Exchange Online)

Select from the following pre-defined values:

  • Admin
  • Best Access
  • Delegated
  • Delegated Admin
  • Owner
  • System Service
  • Transport
  • Unknown
Logon Type (Windows)

Select from the following pre-defined values:

  • None
  • Remote Interactive
  • Domain Authentication
  • User Session
  • Interactive
  • Network
  • All
Logon User Display Name
  • Enter an associated value
Logon User Sid
  • Enter an associated value
Machine Domain Info
  • Enter an associated value
Machine Id
  • Enter an associated value
Mailbox Guid
  • Enter an associated value
Mailbox Name
  • Enter an associated value
Mailbox Owner Master Account Sid
  • Enter an associated value
Mailbox Owner Sid
  • Enter an associated value
Mailbox Owner UPN
  • Enter an associated value
Malware Name
  • Enter an associated value
Max Behavior Level
  • Enter an associated value
MFA Authentication Detail
  • Enter an associated value
MFA Authentication Method
  • Enter an associated value
MFA Required

Select from the following pre-defined values:

  • Yes
  • No
MFA Result
  • Enter an associated value
Modified Object
  • Enter an associated value
Modified Properties
  • Enter an associated value
Monitor Federation Metadata

Select from the following pre-defined values:

  • Yes
  • No
NTLM Impersonation Level

Select from the following pre-defined values:

  • Default
  • Anonymous
  • Identify
  • Impersonate
  • Delegate
NTLM Key Length
  • Enter an associated value
Object Id
  • Enter an associated value
Office365 Organization Id
  • Enter an associated value
Organization Name
  • Enter an associated value
Origin AD Site Name
  • Enter an associated value
Origin IP Address
  • Enter an associated value
Origin IPv4 Address
  • Enter an associated value
Origin IPv6 Address
  • Enter an associated value
Origin Name
  • Enter an associated value
Originating Server
  • Enter an associated value
Parameters
  • Enter an associated value
Parent Event Id
  • Enter an associated value
Policy Setting

Select from the following pre-defined values:

  • Access Credential Manager as a trusted caller
  • Access This Computer From The Network
  • Account Lockout Duration
  • Account Lockout Threshold
  • Account Logon: Audit Credential Validation
  • Account Logon: Audit Kerberos Authentication Service
  • Account Logon: Audit Kerberos Service Ticket Operations
  • Account Logon: Audit Other Account Logon Events
  • Account Management: Audit Application Group Management
  • Account Management: Audit Computer Account Management
  • Account Management: Audit Distribution Group Management
  • Account Management: Audit Other Account Management Events
  • Account Management: Audit Security Group Management
  • Account Management: Audit User Account Management
  • Accounts: Administrator Account Status
  • Accounts: Guest Account Status
  • Accounts: Limit Local Account Use Of Blank Passwords To Console Logon Only
  • Accounts: Rename Administrator Account
  • Accounts: Rename Guest Account
  • Act As Part Of The Operating System
  • Add Workstations To Domain
  • Adjust Memory Quotas For A Process
  • Allow Log On Locally
  • Allow Log On Through Terminal Services
  • Application Data Folder options
  • Application Data Folder target path
  • Audit Account Logon Events
  • Audit Account Management
  • Audit Directory Service Access
  • Audit Logon Events
  • Audit Object Access
  • Audit Policy Change
  • Audit Privilege Use
  • Audit Process Tracking
  • Audit System Events
  • Audit: Audit The Access Of Global System Objects
  • Audit: Audit The Use Of Backup And Restore Privilege
  • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings
  • Audit: Shut Down System Immediately If Unable To Log Security Audits
  • Authenticode Settings Enable Trusted Publisher Lockdown option
  • Autoenrollment Settings
  • Automatic Browser Configuration Auto-config URL
  • Automatic Browser Configuration Automatic Configuration option
  • Automatic Browser Configuration Automatic Configuration Time
  • Automatic Browser Configuration Automatic detection option
  • Automatic Browser Configuration Auto-proxy URL
  • Automatic Certificate Request Settings
  • Back Up Files And Directories
  • Basic User Hash Rule
  • Basic User Zone Rule
  • BitLocker Drive Encryption
  • Browser Title
  • Bypass Traverse Checking
  • Central Access Policy
  • Change The System Time
  • Change the time zone
  • Computer Configuration Administrative Template
  • Computer Preference Setting
  • Connection Settings Delete Existing Option
  • Connection Settings Import Option
  • Contacts Folder target path
  • Content Ratings option
  • Create A Pagefile
  • Create A Token Object
  • Create Global Objects
  • Create Permanent Shared Objects
  • Create symbolic links
  • Custom Large Static Logo
  • Custom Small Animated Logo
  • Custom Small Static Logo
  • Debug Programs
  • Default Security Level
  • Delete Existing Channels option
  • Delete Existing Favorites option
  • Deny Access To This Computer From The Network
  • Deny Log On As A Batch Job
  • Deny Log On As A Service
  • Deny Log On Locally
  • Deny Log On Through Terminal Services / Remote Desktop Services
  • Designated File Types
  • Desktop Folder options
  • Desktop Folder target path
  • Detailed Tracking: Audit DPAPI Activity
  • Detailed Tracking: Audit Process Creation
  • Detailed Tracking: Audit Process Termination
  • Detailed Tracking: Audit RPC Events
  • Devices: Allow Undock Without Having To Logon
  • Devices: Allowed To Format And Eject Removable Media
  • Devices: Prevent Users From Installing Printer Drivers
  • Devices: Restrict CD-ROM Access To Locally Logged-On User Only
  • Devices: Restrict Floppy Access To Locally Logged-On User Only
  • Devices: Unsigned Driver Installation Behavior
  • Disallowed Certificate Rule
  • Disallowed Hash Rule
  • Disallowed Path Rule
  • Disallowed Zone Rule
  • Domain Controller: Allow Server Operators To Schedule
  • Domain Controller: LDAP Server Signing Requirements
  • Domain Controller: Refuse Machine Account Password C
  • Domain Member: Digitally Encrypt Or Sign Secure Channel Data (Always)
  • Domain Member: Digitally Encrypt Secure Channel Data (When Possible)
  • Domain Member: Digitally Sign Secure Channel Data (When Possible)
  • Domain Member: Disable Machine Account Password Changes
  • Domain Member: Maximum Machine Account Password Age
  • Domain Member: Require Strong (Windows 2000 Or Later) Session Key
  • Downloads Folder options
  • Downloads Folder target path
  • DS Access: Audit Detailed Directory Service Replication
  • DS Access: Audit Directory Service Access
  • DS Access: Audit Directory Service Changes
  • DS Access: Audit Directory Service Replication
  • Enable Computer And User Accounts To Be Trusted For Delegation
  • Encrypting File System
  • Enforce Password History
  • Enforce User Logon Restrictions
  • Enforcement Files
  • Enforcement Users
  • Enterprise Trust
  • Favorites List
  • Favorites options
  • Favorites target path
  • File or Folder
  • Force Shutdown From A Remote System
  • Generate Security Audits
  • Global Object Access Auditing: File system
  • Global Object Access Auditing: Registry
  • Group Policy Container Access
  • Group policy disable computer configuration flag
  • Group policy disable user configuration flag
  • Group policy WMI Filter
  • Impersonate A Client After Authentication
  • Important URLs Home Page URL
  • Important URLs Online Support URL
  • Important URLs Search Bar URL
  • Increase a process working set
  • Increase Scheduling Priority
  • Interactive Logon: Display user information when the session is locked
  • Interactive Logon: Do Not Display Last User Name
  • Interactive Logon: Do Not Require CTRL+ALT+DEL
  • Interactive Logon: Message Text For Users Attempting To Log On
  • Interactive Logon: Message Title For Users Attempting To Log On
  • Interactive Logon: Number Of Previous Logons To Cache (In Case Domain Controller Is Not Available)
  • Interactive Logon: Prompt User To Change Password Before Expiration
  • Interactive Logon: Require Domain Controller Authentication To Unlock Workstation
  • Interactive Logon: Require Smart Card
  • Interactive Logon: Smart Card Removal Behavior
  • Intermediate Certificate Authorities
  • IP Security Policy
  • Links Folder options
  • Links Folder target path
  • Links List
  • Load And Unload Device Drivers
  • Lock Pages In Memory
  • Log On As A Batch Job
  • Log On As A Service
  • Logon/Logoff: Audit Account Lockout
  • Logon/Logoff: Audit IPsec Extended Mode
  • Logon/Logoff: Audit Logon
  • Logon/Logoff: Audit Network Policy Server
  • Logon/Logoff: Audit Other Logon/Logoff Events
  • Logon/Logoff: Audit Special Logon
  • Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax
  • Manage Auditing And Security Log
  • Maximum Application Log Size
  • Maximum Lifetime For Service Ticket
  • Maximum Lifetime for User Ticket
  • Maximum Lifetime For User Ticket Renewal
  • Maximum Password Age
  • Maximum Security Log Size
  • Maximum System Log Size
  • Maximum Tolerance for Computer Clock Synchronization
  • Microsoft Network Client: Digitally Sign Communications (Always)
  • Microsoft Network Client: Digitally Sign Communications (If Server Agrees)
  • Microsoft Network Client: Send Unencrypted Password To Connect To Third-Party SMB Servers
  • Microsoft Network Server: Amount Of Idle Time Required Before Suspending Session
  • Microsoft Network Server: Digitally Sign Communication (Always)
  • Microsoft Network Server: Digitally Sign Communications (If Client Agrees)
  • Microsoft Network Server: Disconnect Clients When Logon Hours Expire
  • Microsoft network server: Server SPN target name validation level
  • Minimum Password Age
  • Minimum Password Length
  • Modify Firmware Environment
  • Music Folder options
  • Music Folder target path
  • My Documents Folder options
  • My Documents Folder Redirection: My Pictures Options
  • My Documents Folder target path
  • NAP Client Health Registration Settings: CSP
  • NAP Client Health Registration Settings: CSP Key Length
  • NAP Client Health Registration Settings: Hash Algorithm
  • NAP Client Health Registration Settings: Require server verification
  • NAP Client Health Registration Settings: Trusted server group
  • NAP Client Health Registration Settings: Trusted server URL
  • NAP Enforcement Clients: DHCP Quarantine Enforcement Client
  • NAP Enforcement Clients: IPsec Relying Party
  • NAP Enforcement Clients: RD Gateway Quarantine Enforcement Client
  • NAP Enforcement Clients: Remote access enforcement client for Windows XP and Windows Vista
  • NAP Enforcement Clients: Wireless EAPOL enforcement client for Windows XP
  • NAP User Interface Settings: Description changed
  • NAP User Interface Settings: Image File changed
  • NAP User Interface Settings: Image File Name changed
  • NAP User Interface Settings: Title changed
  • Network Access: Allow Anonymous SID/Name Translation
  • Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts
  • Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares
  • Network Access: Do Not Allow Storage Of Credentials Or .NET Passports For Network Authentication
  • Network Access: Let Everyone Permissions Apply To Anonymous Users
  • Network Access: Named Pipes That Can Be Accessed Anonymously
  • Network Access: Remotely Accessible Registry Paths
  • Network Access: Remotely Accessible Registry Paths And Sub-Paths
  • Network Access: Restrict Anonymous Access To Named Pipes and Shares
  • Network Access: Shares That Can Be Accessed Anonymously
  • Network Access: Sharing And Security Model For Local Accounts
  • Network Security: Allow Local System to use computer identity for NTLM
  • Network security: Allow LocalSystem NULL session fallback
  • Network security: Allow PKU2U authentication requests to this computer to use online identities
  • Network security: Configure encryption types allowed for Kerberos
  • Network Security: Do Not Store LAN Manager Hash Value On Next Password Change
  • Network Security: Force Logoff When Logon Hours Expire
  • Network Security: LAN Manager Authentication Level
  • Network Security: LDAP Client Signing Requirements
  • Network Security: Minimum Session Security For NTLM SSP Based (Including Secure RPC) Clients
  • Network Security: Minimum Session Security For NTLM SSP Based (Including Secure RPC) Servers
  • Network security: Restrict NTLM: NTLM authentication in this domain
  • Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication
  • Network security: Restrict NTLM: Add server exceptions in this domain
  • Network security: Restrict NTLM: Audit Incoming NTLM Traffic
  • Network security: Restrict NTLM: Audit NTLM authentication in this domain
  • Network security: Restrict NTLM: Incoming NTLM traffic
  • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers
  • NLM: Location type
  • NLM: Location type permissions
  • NLM: Network icon permissions
  • NLM: Network name
  • NLM: Network name permissions
  • Object Access: Audit Application Generated
  • Object Access: Audit Certification Services
  • Object Access: Audit File Share
  • Object Access: Audit File System
  • Object Access: Audit Filtering Platform Connection
  • Object Access: Audit Filtering Platform Packet Drop
  • Object Access: Audit Handle Manipulation
  • Object Access: Audit Kernel Object
  • Object Access: Audit Other Object Access Events
  • Object Access: Audit Registry
  • Object Access: Audit SAM
  • Object Access: Detailed File Share
  • Password Must Meet Complexity Requirements
  • Perform Volume Maintenance Tasks
  • Pictures Folder options
  • Pictures Folder target path
  • Place Favorites At Top Of List option
  • Policy Change: Audit Authentication Policy Change
  • Policy Change: Audit Authorization Policy Change
  • Policy Change: Audit Filtering Platform Policy Change
  • Policy Change: Audit MPSSVC Rule-Level Policy Change
  • Policy Change: Audit Other Policy Change Events
  • Policy Change: Audit Policy Change
  • Prevent Local Guests Group From Accessing Application Log
  • Prevent Local Guests Group From Accessing Security Log
  • Prevent Local Guests Group From Accessing System Log
  • Privilege Use: Audit Non Sensitive Privilege Use
  • Privilege Use: Audit Other Privilege Use Events
  • Privilege Use: Audit Sensitive Privilege Use
  • Profile System Performance
  • Program Settings option
  • Proxy Settings Exceptions
  • Proxy Settings FTP Proxy
  • Proxy Settings Gopher Proxy
  • Proxy Settings HTTP Proxy
  • Proxy Settings Secure Proxy
  • Proxy Settings Socks Proxy
  • QoS Policy: Application Name
  • QoS Policy: DSCP Value
  • QoS Policy: Local IP
  • QoS Policy: Local IP Prefix Length
  • QoS Policy: Local Port
  • QoS Policy: Protocol
  • QoS Policy: Remote IP
  • QoS Policy: Remote IP Prefix Length
  • QoS Policy: Remote Port
  • QoS Policy: Throttle Rate
  • QoS Policy: URL
  • QoS Policy: URL Recursive
  • QoS Policy: Version
  • Recovery Console: Allow Automatic Administrative Logon
  • Recovery Console: Allow Floppy Copy And Access To All Drives And All Folders
  • Registry key
  • Remove Computer From Docking Station
  • Replace A Process Level Token
  • Reset Account Lockout Counter After Change
  • Restore Files And Directories
  • Restricted Group
  • Restricted Group Member
  • Restricted Group Membership
  • Retain Application Log
  • Retain Security Log
  • Retain System Log
  • Retention Method For Application Log
  • Retention Method For Security Log
  • Retention Method For System Log
  • Saved Games Folder target path
  • Script setting
  • Searches Folder options
  • Searches Folder target path
  • Secure System Partition (For RISC Platforms Only)
  • Security Zones and Privacy option
  • Shut Down The Computer When The Security Audit Log Is Full
  • Shut Down The System
  • Shutdown: Allow System To Be Shut Down Without Having To Log On
  • Shutdown: Clear Virtual Memory Pagefile
  • Software Installation Policy
  • Start Menu Folder options
  • Start Menu Folder target path
  • Starter GPO
  • Starter GPO Computer setting
  • Starter GPO User setting
  • Store Passwords Using Reversible Encryption
  • Synchronize Directory Service Data
  • System Cryptography: Force Strong Key Protection For User Keys Stored On The Computer policy
  • System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, and Signing policy
  • System Objects: Default Owner For Objects Created By Members Of The Administrators Group policy
  • System Objects: Require Case Insensitivity For Non-Windows Subsystems policy
  • System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) policy
  • System Services Policy Service
  • System Services Policy Service Startup Mode
  • System Settings: Optional Subsystems
  • System Settings: Use Certificate Rules On Windows Executables For Software Restriction Policies
  • System: Audit IPsec Driver
  • System: Audit Other System Events
  • System: Audit Security State Change
  • System: Audit Security System Extension
  • System: Audit System Integrity
  • Take Ownership Of Files Or Other Objects
  • Toolbar background Bitmap
  • Toolbar Buttons
  • Trusted People
  • Trusted Publishers
  • Trusted Root Certification Authority
  • Unrestricted Certificate Rule
  • Unrestricted Hash Rule
  • Unrestricted Path Rule
  • Unrestricted Zone Rule
  • Unsigned Non-Driver Installation Behavior
  • User Account Control: Admin Approval Mode for the Built-in Administrator account
  • User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop
  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
  • User Account Control: Behavior of the elevation prompt for standard users
  • User Account Control: Detect application installations and prompt for elevation

    • User Account Control: Only elevate executables that are signed and validated

    • User Account Control: Only elevate UIAccess applications that are installed in secure locations

    • User Account Control: Run all administrators in Admin Approval Mode

    • User Account Control: Switch to the secure desktop when prompting for elevation

    • User Account Control: Virtualize file and registry write failures to per-user locations

    • User Administrative Template setting

    • User Agent String

    • User Credential Roaming

    • User Credential Roaming Options

    • User Group Policy Preference

    • User Software Restriction Basic User Hash Rule

    • User Software Restriction Basic User Path Rule

    • User Software Restriction Basic User Zone Rule

    • User Software Restriction Designated File Types

    • User Software Restriction Disallowed Certificate Rule

    • User Software Restriction Disallowed Hash Rule

    • User Software Restriction Disallowed Path Rule

    • User Software Restriction Disallowed Zone Rule

    • User Software Restriction Enforcement Files

    • User Software Restriction Enforcement Users

    • User Software Restriction Policies Default Security Level

    • User Software Restriction Trusted Publishers

    • User Software Restriction Unrestricted Certificate Rule

    • User Software Restriction Unrestricted Hash Rule

    • User Software Restriction Unrestricted Path Rule

    • User Software Restriction Unrestricted Zone Rule

    • Videos Folder options

    • Videos target path

    • Wireless Network Policy

    Policy Setting Category
    • Account Lockout Policy

    • Additional Rules

    • Administrative Templates: Policy definitions

    • Audit Policies

    • Audit Policy

    • Central Access Policy

    • Change Auditor Protection

    • Event Log

    • File System

    • Folder Redirection

    • GPO Status

    • Internet Explorer Maintenance

    • IP Security Policies on Active Directory

    • Kerberos Policy

    • NAP Client Configuration

    • Network List Manager Policies

    • Password Policy

    • Policy-Based QoS

    • Preferences

    • Public Key Policies

    • Registry

    • Restricted Groups

    • Scripts (Logon/Logoff)

    • Scripts (Startup/Shutdown)

    • Security Levels

    • Security Options

    • Software Installation

    • Software Restriction Policies

    • Software Settings

    • Starter GPO

    • System Services

    • User Rights Assignment

    • Wireless Network Policies

    • WMI Filtering

    Policy Setting List Item
    • Enter an associated value
    Policy Setting Location
    • Enter an associated value
    Previous City
    • Enter an associated value
    Previous Country
    • Enter an associated value
    Previous IP
    • Enter an associated value
    Previous Sign-in Time
    • Enter days or hours
    Previous State
    • Enter an associated value
    Previous User Agent
    • Enter an associated value
    Property Name
    • Enter an associated value
    Property Before Value
    • Enter an associated value
    Property After Value
    • Enter an associated value
    Record Type
    • Enter an associated value
    Relying Party Resource
    • Enter an associated value
    Relying Party Trust Name
    • Enter an associated value
    Relying Party Type
    • Enter an associated value
    Request Id
    • Enter an associated value
    Result Status
    • Enter an associated value
    Risk Activity

    Select from the following pre-defined values:

    • Signin
    • User
    Risk Correlation Id
    • Enter an associated value
    Risk Detail

    Select from the following pre-defined values:

    • None
    • Admin Generated Temporary Password
    • User Performed Secured Password Change
    • User Performed Secured Password Reset
    • Admin Confirmed Signin Safe
    • Hidden
    • Admin Confirmed Signin Compromised
    • Admin Confirmed User Compromised
    • Admin Dismissed All Risk For User
    • Ai Confirmed Signin Safe
    • User Passed MFA Driven By Risk Based Policy
    Risk Detected Time
    • Enter days or hours
    Risk Event Details
    • Enter an associated value
    Risk Event Id
    • Enter an associated value
    Risk Event Status

    Select from the following pre-defined values:

    • Active
    • Closed (MFA Auto-Closed)
    • Closed (Multiple Reasons)
    • Closed (marked as false positive)
    • Closed (resolved)
    • Closed (ignored)
    • Login Blocked
    • Remediated
    Risk Event Time
    • Enter days or hours
    Risk Event Type

    Select from the following pre-defined values:

    • Anonymous IP Risk Event
    • Impossible Travel Risk Event
    • Leaked Credentials Risk Event
    • Malware Risk Event
    • Suspicious IP Risk Event
    • Unfamiliar Location Risk Event
    Risk Level

    Select from the following pre-defined values:

    • Hidden
    • High
    • Low
    • Medium
    • None
    Risk Source
    • Enter an associated value
    Risk State

    Select from the following pre-defined values:

    • At Risk
    • Confirmed Compromised
    • Confirmed Safe
    • Dismissed
    • None
    • Remediated
    Risk Type

    Select from the following pre-defined values:

    • Unlikely Travel
    • Anonymized IP Address
    • Malicious IP Address
    • Unfamiliar Features
    • Malware Infected IP Address
    • Suspicious IP Address
    • Leaked Credentials
    • Investigations Threat Intelligence
    • Generic Admin Confirmed User Compromised
    • Mcas Impossible Travel
    • Mcas Suspicious Inbox Manipulation Rules
    • Investigations Threat Intelligence Signin Linked
    • Malicious IP Address Valid Credentials Blocked IP
    Schema Id
    • Enter an associated value
    Search Name
    • Enter an associated value
    Search Type

    Select from the following pre-defined values:

    • Shared Search
    • Private Search
    Send as User Mailbox Guid
    • Enter an associated value
    Send as User SMTP
    • Enter an associated value
    Send on behalf of User Mailbox Guid
    • Enter an associated value
    Send on behalf of User SMTP
    • Enter an associated value
    Server Farm Name
    • Enter an associated value
    Server Farm Node Name
    • Enter an associated value
    Server Farm Node Type

    Select from the following pre-defined values:

    • Primary computer
    • Secondary computer
    Service

    Select from the following pre-defined values:

    • Active Directory
    • Active Directory Database
    • Active Directory Federation Services
    • Azure Active Directory
    • Exchange
    • Group Policy
    • Logon Activity
    • On Demand Audit
    • OneDrive
    • SharePoint
    • Teams
    Severity

    Select from the following pre-defined values:

    • High
    • Low
    • Medium
    Sharing Target
    • Enter an associated value
    Sharing Target Type
    • Enter an associated value
    Sharing Type
    • Enter an associated value
    Site
    • Enter an associated value
    Site Url
    • Enter an associated value
    Source File Extension
    • Enter an associated value
    Source File Name
    • Enter an associated value
    Source Folders
    • Enter an associated value
    Source Name
    • Enter an associated value
    Source relative Url
    • Enter an associated value
    State
    • Enter an associated value
    Status

    Select from the following pre-defined values:

    • Failed
    • Successful
    Status Reason (Change Auditor)

    Select from the following pre-defined values:

    • Failed
    • Protected
    • Succeeded
    Subject
    • Enter an associated value
    Subject Name
    • Enter an associated value
    Subject Object Id
    • Enter an associated value
    Subject PUID
    • Enter an associated value
    Subject Resource Type
    • Enter an associated value
    Subject Service Principal Name
    • Enter an associated value
    Subject Type
    • Enter an associated value
    Subject User Principal Name
    • Enter an associated value
    Subscription Expiry Date
    • Enter an associated value
    Subscription Name
    • Enter an associated value
    Subscription Type
    • Enter an associated value
    Tab Type
    • Enter an associated value
    Target
    • Enter an associated value
    Target AD Forest Name
    • Enter an associated value
    Target Additional Details
    • Enter an associated value
    Target Canonical Name
    • Enter an associated value
    Target Computer Name
    • Enter an associated value
    Target Distinguished Name
    • Enter an associated value
    Target Domain Name
    • Enter an associated value
    Target IP Address
    • Enter an associated value
    Target is Domain Controller

    Select from the following pre-defined values:

    • Yes
    • No
    Target is Global Catalog

    Select from the following pre-defined values:

    • Yes
    • No
    Target is Exchange Server

    Select from the following pre-defined values:

    • Yes
    • No
    Target is Tier Zero

    Select from the following pre-defined values:

    • Yes
    • No
    Target Managed By
    • Enter an associated value
    Target Name
    • Enter an associated value
    Target Object Class
    • Enter an associated value
    Target Object Id
    • Enter an associated value
    Target Organizational Unit CN
    • Enter an associated value
    Target Parent Object Id
    • Enter an associated value
    Target Policy Item
    • Enter an associated value
    Target Policy Section
    • Enter an associated value
    Target PUID
    • Enter an associated value
    Target Resource Type
    • Enter an associated value
    Target SAM Account Name
    • Enter an associated value
    Target Service Principal Name
    • Enter an associated value
    Target Site Name
    • Enter an associated value
    Target Type
    • Enter an associated value
    Target User Mail
    • Enter an associated value
    Target User Principal Name
    • Enter an associated value
    Team Guid
    • Enter an associated value
    Team Name
    • Enter an associated value
    Teams Property Name

    Select from the following pre-defined values:

    • Allow Box in Files tab

    • Accepted channel SMTP domains list

    • Allow DropBox in Files tab

    • Allow Egnyte in Files tab

    • Allow Guest access in Teams

    • Allow Google Drive in Files tab

    • Allow Resource Account Send Messages

    • Allow ShareFile in Files tab

    • Allow Skype for Business Interop

    • Allow TBot Proactive Messaging

    • Allow users to send emails to channels

    • Guests allow IP video

    • Guests screen sharing mode

    • Guests allow Meet Now

    • Guests allow editing of sent messages

    • Guests allow Deletion of sent messages

    • Guests allow chat

    • Guests allow Giphys in conversations

    • Guests Giphy content rating

    • Guests allow memes in conversations

    • Guests use Stickers in conversations

    • Guests allow immersive reader

    • Guests allow private calls

    • Meeting room device content pin

    • Members can add additional tags

    • Resource Account Content Access

    • Show organization tab in chats

    • Suggested default tags

    • Suggested feeds appear in user's activity feed

    • Trending feeds appear in user's activity feed

    • Tagging permission mode

    • Team owners can override who can apply tags

    • Use Exchange address book policy

    Teams Role Type

    Select from the following pre-defined values:

    • Member
    • Owner
    • Guest
    Tenant Id
    • Enter an associated value
    Tenant Name
    • Enter an associated value
    Time Detected
    • Enter days or hours
    Time Indexed
    • Enter days or hours
    Time Received
    • Enter days or hours
    Token Issuer

    Select from the following pre-defined values:

    • AD Federation Services
    • Azure AD
    Url
    • Enter an associated value
    Url Path
    • Enter an associated value
    User (Actor)
    • Enter an associated value
    User Agent
    • Enter an associated value
    User Display Name
    • Enter an associated value
    User DN
    • Enter an associated value
    User Down-level Logon Name
    • Enter an associated value
    User Id
    • Enter an associated value
    User is Administrator

    Select from the following pre-defined values:

    • False
    • True
    • Unknown
    User is Tier Zero

    Select from the following pre-defined values:

    • Yes
    • No
    User Key
    • Enter an associated value
    User Mail
    • Enter an associated value
    User Organizational Unit
    • Enter an associated value
    User Session Detail

    Select from the following pre-defined values:

    • Computer lock/unlock
    • Computer restart/shutdown
    • Incorrectly finished
    • Screensaver
    • Started before session monitoring service
    • Terminal services connection
    • User logon/logoff
    • User switch
    User Shared With
    • Enter an associated value
    User SID
    • Enter an associated value
    User Type
    • Enter an associated value

    Documentation Roadmap

    The On Demand Global Settings User Guide contains the documentation for tasks that apply to all On Demand modules. This includes:

    • Signing up for Quest On Demand
    • Managing Organizations and Regions
    • Tenant Management
    • Configuration settings (Permissions and subscription information)
    • Audit logs

    Each management module, such as On Demand Audit, has its own user guide and release notes containing the following module-specific content:

    • The Release Notes contain a release history and details new features, resolved issues, and known issues.
    • The User Guide contains descriptions and procedures for the tasks you can perform with the management tool.
