Chat now with support
Chat with Support

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and notification templates Auditing Azure Active Directory Auditing Microsoft 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Resuming Change Auditor event forwarding

To begin sending Change Auditor events for a paused installation

  1. Navigate to the Auditing module.
  2. From the Configuration tab, select the ellipsis (...) on the Change Auditor tile and choose Resume Sending Events.
  3. Click OK to confirm.

Removing a Change Auditor Installation

When you remove a Change Auditor installation that is registered with On Demand Audit (or delete the associated organization), Change Auditor will stop sending events.

To remove a Change Auditor installation

  1. Navigate to the Audi module.
  2. From the Configuration tab, select the ellipsis (...) on the Change Auditor tile and choose Remove Installation.
  3. Click OK to confirm.

Reviewing the status of your Change Auditor installation

From the Configuration tab, you can quickly see the status of your Change Auditor installation.

The information includes:

  • Installation status - whether it is connected, disconnected, or paused.
  • The time of the last update.
  • The number of connected coordinators.
  • The installed version of Change Auditor.

NOTE: If the Change Auditor installation is disconnected, there may be an issue with the Change Auditor coordinators. The following steps may help reconnect the installation:

  • Restart the coordinator to attempt to reconnect to On Demand Audit and check the coordinator logs for error messages. See Manage Change Auditor coordinators section in the Change Auditor User Guide for information on restarting the coordinator and accessing the logs.

If the installation is still disconnected, contact Customer Support.

SpecterOps BloodHound Enterprise Integration

Attack path management is a critical component of defending Active Directory and Microsoft 365 environments from attacks. SpecterOps BloodHound Enterprise simplifies this process by prioritizing and quantifying attack path choke points, giving you the information you need to identify and eliminate the paths with the most exposure and risk.

Integrating with SpecterOps BloodHound Enterprise helps you reduce the risk of attacks by enabling you to easily identify, prioritize and eliminate the most vital avenues that attackers can exploit.

Specifically administrators can monitor Tier Zero assets for their Active Directory and Azure environment. Tier Zero is the highest level of the Active Directory tiered administrative model and includes administrative accounts, groups, domain controllers, and domains that have direct or indirect administrative control of the Active Directory forest.

On Demand Audit provides built-in searches that allow administrators to create alert-enabled search for historical changes to the Tier Zero objects to ensure real-time monitoring of critical assets.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating