To begin sending Change Auditor events for a paused installation
- Navigate to the Auditing module.
- From the Configuration tab, select the ellipsis (...) on the Change Auditor tile and choose Resume Sending Events.
- Click OK to confirm.
Introducing On Demand Audit
Configuring On Demand Audit
Working with tenants
Granting required consent
Configuring tenant auditing
Historical event collection
Adding a user to an organization
On Demand Audit Access Control roles
Change Auditor Integration
Customer data storage
Registering a Change Auditor Installation
Pausing Change Auditor event forwarding
Resuming Change Auditor event forwarding
Removing a Change Auditor Installation
Reviewing the status of your Change Auditor installation
SpecterOps BloodHound Enterprise Integration
Working with On Demand Audit
Using the dashboard
Appendix A: Working with Filters
Documentation Roadmap
Third-party contributions
Working with Activity Indicators
Monitoring Audit Health status
Identifying critical activity
Identifying the top active users
Working with My Favorite Searches
Monitoring sign-in trends
Searching for specific event data (Quick Search)
Working with critical activity
Working with searches
Working with private and shared searches
Running a search
Using built in searches
Working with alerts and alert plans
Auditing Azure Active Directory
Active Directory Built in searches
Active Directory Federation Services built in searches
Active Directory Database built in searches
Anomaly Activity built in searches
Audit Health built in searches
Azure Active Directory built in searches
Best Practices built in searches
BloodHound Tier Zero assets built in searches
File System built in searches
Group Policy built in searches
Logon Activity built in searches
Office 365 built in searches
On Demand Audit built in searches
Teams built in searches
Security Guardian built in searches
Creating a custom search
Copying an existing search
Exporting a search
Creating a search from an existing search
Creating or filtering a search based on event details
Customizing the search display
Viewing search results and event details
Copying event details
Modifying a search
Deleting a search
Working with categories
Event collection and Azure Active Directory subscription
Working with Azure Active Directory Searches
Working with Azure Active Directory events with multiple targets
Auditing risk events
Auditing Office 365
Resuming Change Auditor event forwarding
Removing a Change Auditor Installation
When you remove a Change Auditor installation that is registered with On Demand Audit (or delete the associated organization), Change Auditor will stop sending events.
To remove a Change Auditor installation
- Navigate to the Audi module.
- From the Configuration tab, select the ellipsis (...) on the Change Auditor tile and choose Remove Installation.
- Click OK to confirm.
Reviewing the status of your Change Auditor installation
From the Configuration tab, you can quickly see the status of your Change Auditor installation.
The information includes:
- Installation status - whether it is connected, disconnected, or paused.
- The time of the last update.
- The number of connected coordinators.
- The installed version of Change Auditor.
|
|
NOTE: If the Change Auditor installation is disconnected, there may be an issue with the Change Auditor coordinators. The following steps may help reconnect the installation:
If the installation is still disconnected, contact Customer Support. |
SpecterOps BloodHound Enterprise Integration
SpecterOps BloodHound Enterprise Integration
Attack path management is a critical component of defending Active Directory and Microsoft 365 environments from attacks. SpecterOps BloodHound Enterprise simplifies this process by prioritizing and quantifying attack path choke points, giving you the information you need to identify and eliminate the paths with the most exposure and risk.
Integrating with SpecterOps BloodHound Enterprise helps you reduce the risk of attacks by enabling you to easily identify, prioritize and eliminate the most vital avenues that attackers can exploit.
Specifically administrators can monitor Tier Zero assets for their Active Directory and Azure environment. Tier Zero is the highest level of the Active Directory tiered administrative model and includes administrative accounts, groups, domain controllers, and domains that have direct or indirect administrative control of the Active Directory forest.
On Demand Audit provides built-in searches that allow administrators to create alert-enabled search for historical changes to the Tier Zero objects to ensure real-time monitoring of critical assets.