
On Demand Audit Current - User Guide


Change Auditor Integration

Integrating with Change Auditor provides a single view of activity across hybrid Microsoft environments and turns on-premises events into rich visualizations to investigate incidents faster. Events sent to On Demand Audit include historical events gathered up to 30 days prior to the upgrade to Change Auditor 7.0.0 (or higher). Availability of historical events depends on how long Change Auditor has been deployed in the environment.

To begin the integration, a connection between Change Auditor and your organization in On Demand Audit is configured in Change Auditor. Once the connection is made, Change Auditor will begin to send events.

Customer data storage

On Demand Audit optionally allows one or more on premises installations of Change Auditor to be integrated into an On Demand Audit organization. An On Demand Audit organization must be selected for each connected Change Auditor installation. The selected On Demand organization determines the storage location of all customer data, and the On Demand Audit Azure region to which Change Auditor will transmit on premises Change Auditor event data. In the same manner as other data is handled, On Demand Audit ensures that on premises data remains within the same Azure data center regions outlined above.

Customers must select an organization in the correct region for their data residency requirements depending on their individual requirements and configuration for each installation of Change Auditor. All on premises data from Change Auditor is transmitted and retained in the selected On Demand organization and region. Depending on the configuration and global deployment of Change Auditor, customers can configure On Demand so that the On Demand organization will store data from multiple on premises global locations in a single On Demand organization region. In a similar manner, the customer could configure On Demand Audit to transmit data from on premises Change Auditor installations across a regional geographic boundary.

Registering a Change Auditor Installation

Change Auditor installations are configured through the Change Auditor client. Once an installation is registered, Change Auditor will begin sending event data.

NOTE: Once a configuration is in place, all coordinators which belong to the Change Auditor Installation will be registered with On Demand Audit.

NOTE: To create the configuration, you must use the account that created the On Demand subscription or an account that has been delegated the appropriate permissions from your On Demand administrator.

  • If you do not own the On Demand subscription, you need to contact your On Demand administrator for access.
  • If you are the On Demand administrator, you can delegate the required permissions by adding the required accounts to the Auditing Administrator role through the On Demand Access page. See Adding a user to an organization for details.

NOTE: Required URL access

 

To create a configuration with On Demand Audit in the US region, Change Auditor clients and coordinators must be able to access:

To create a configuration with On Demand Audit in the Europe region, Change Auditor clients and coordinators must be able to access:

To create a configuration with On Demand Audit in the Canada region, Change Auditor clients and coordinators must be able to access:

To create a configuration with On Demand Audit in the UK region, Change Auditor clients and coordinators must be able to access:

To create a configuration with On Demand Audit in the Australia region, Change Auditor clients and coordinators must be able to access:

To send events to On Demand Audit in the US region, Change Auditor coordinators must be able to access:

To send events to On Demand Audit in the Europe region, Change Auditor coordinators must be able to access:

To send events to On Demand Audit in the Canada region, Change Auditor coordinators must be able to access:

To send events to On Demand Audit in the UK region, Change Auditor coordinators must be able to access:

To send events to On Demand Audit in the Australia region, Change Auditor coordinators must be able to access:

To create a configuration

  1. From the Change Auditor client, select View | Administration.
  2. Select Configuration | On Demand Audit.
  3. Select Sign in and Configure to create the connection.
  4. Enter your Quest account credentials to sign in to On Demand Audit.
  5. Choose the required organization if prompted and click Select Organization.
  6. By default, the current installation name is used for the configuration name. If required, you can enter a different name for the configuration. This is the configuration name used in On Demand Audit; it does not change the Change Auditor installation name.
  7. Click Finish.

Pausing Change Auditor event forwarding

To pause the sending of Change Auditor events

  1. Navigate to the Auditing module.
  2. From the Configuration tab, select the ellipsis (...) on the Change Auditor tile and choose Pause.
  3. Click OK to confirm.