Chat now with support
Chat with Support

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and alert plans Auditing Azure Active Directory Auditing Microsoft 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Monitoring Audit Health status

The Audit Health tile allows you to easily see the status of your auditing configuration, identify any issues, and make the required updates to ensure you are keeping informed of the vital and critical changes to your organization.

From here, you can grant required consent for the tenant, view subscription information, view the auditing configuration settings, view results in a search, and subscribe to the built-in notification templates.

 

NOTE: Specific permissions are required for the following actions:

  • Can Add and Remove Tenants is required to grant consent.
  • Can Run Private Searches and Can Run Shared Searches are required to view associated results.
  • Can Manage Azure Active Directory Tenant Configurations for Audit is required to view issues identified for tenants.
  • Can Manage Change Auditor Installation Configuration is required to view issues identified for Change Auditor.
  • Can Manage Shared Alerts and Shared Notification Templates and Can Run Shared Searches is required to subscribe to the notification templates.

NOTE:

  • You have the option to hide items from the dashboard if they do not provide you any value, expose previously hidden items, and dismiss notifications as required.
  • You have the option to dismiss the ability to subscribe to the available notification templates. Once it has been dismissed, it will no longer be displayed as an option in the Audit Health dashboard.

 

Possible issues that may be identified include:

  • Tenant requires additional configuration
  • Tenant has not been added for auditing
  • Service subscription will expire soon
  • Service is not enabled for event collection on the tenant
  • Event collection has been disabled on the tenant
  • No Office 365 events have been received from the tenant in the last 24 hours

  • No Azure AD events have been received from the tenant in the last 24 hours
  • No Azure AD Sign-in events have been received from the tenant in the last 24 hours
  • No Change Auditor events have been received in the last 24 hours
  • Change Auditor installation has been paused
  • Change Auditor installation was removed
  • Change Auditor installation has not been connected in the last 24 hours
  • Change Auditor upgrade is required
  • Change Auditor upgrade is available
  • Configure SpecterOps BloodHound Enterprise integration

  • SpecterOps BloodHound Enterprise configuration was removed

  • SpecterOps BloodHound Enterprise connection failed

  • Subscribe to Tier Zero notification template

To subscribe to a notification template from the Audit Health tile in the dashboard:

  1. Select View Template for the notification template that you want to subscribe to.
  2. Edit the recipients as required, and click Save.

Identifying critical activity

The Critical Activity tile highlights security-related activity, including anomaly detection for unusual spikes in activity, that may indicate a threat to your organization and require further investigation.

 

NOTE: Critical activity events are gathered and displayed based on the services that you have selected to audit.

See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on premises events.

 

Audited Service Critical activity

Change Auditor / Logon Activity

  • Local logons to Tier Zero computers

  • NTLM version 1 logons 

  • Possible Golden Ticket Kerberos exploits
  • Potential kerberoasting or similar Kerberos attack detected

  • Tier Zero user logons to computers that are not Tier Zero
  • Unusual increase in AD account lockouts
  • Unusual increase in failed on-premises sign-ins

  • Unusual increase in successful on-premises sign-ins

Change Auditor / Active Directory
  • Administrative privilege elevation detected

  • AD user ServicePrincipalName attribute changes detected
  • AD suspicious group ESX Admins created or member added

  • Active Directory critical group membership changes
  • Active Directory schema configuration changes
  • Active Directory forest configuration changes
  • Active Directory security changes
  • Domain level group policy linked changes detected

  • Irregular AD replication activity detected
  • Irregular domain controller registration detected (DCShadow)
  • Potential sIDHistory injection detected

  • Security changes to Tier Zero computer objects

  • Security changes to Tier Zero domain objects

  • Security changes to Tier Zero group objects

  • Security changes to Tier Zero group policy objects

  • Security changes to Tier Zero user objects

  • Tier Zero computer changes

  • Tier Zero domain and forest configuration changes

  • Tier Zero group changes

  • Tier Zero group policy object changes

  • Tier Zero user changes

  • Unusual increase in failed AD changes

  • Unusual increase in permission changes to AD objects

Change Auditor / Active Directory Federation Services
  • Unusual increase in successful AD Federation Services sign-ins

  • Unusual increase in failed AD Federation Services sign-ins

Change Auditor / File System
  • AD Database (NTDS.dit) access attempt detected

  • AD Database (NTDS.dit) file modification attempt detected

  • All file changes with suspicious file extensions

  • Unusual increase in share access permission changes

  • Unusual increase in failed file access attempts

  • Unusual increase in file deletes

  • Unusual increase in file renames

Change Auditor / Group Policy
  • Group Policy changes

Azure Active Directory - Audit Logs

  • Azure Tier Zero application changes

  • Azure Tier Zero group changes

  • Azure Tier Zero role changes

  • Azure Tier Zero service principal changes

  • Azure Tier Zero tenant level and directory activity

  • Azure Tier Zero user changes

  • Azure Active Directory critical directory role changes
  • Azure Active Directory tenant level configuration changes
  • Azure Active Directory cloud-only users created
Azure Active Directory - Sign Ins
  • Azure Tier Zero principal logons

  • Azure Tier Zero AD risk events

  • Unusual increase in tenant sign-in failures

  • Unusual increase in successful tenant sign-ins
Exchange Online - Administrative Activity
  • OneDrive and SharePoint files shared with external users
  • OneDrive and SharePoint anonymous links
  • Office 365 activity from external users
Sharepoint Online or OneDrive For Business
  • Unusual increase in files shared from OneDrive and SharePoint

  • Unusual increase in Office 365 activity by guest users

  • Unusual increase in Office 365 activity by anonymous users

Microsoft Teams
  • Unusual increase in Teams guest participants

You can easily dive deeper into the activity by viewing the associated search. For details on the searches associated with the critical activity see Working with searches, Working with Azure Active Directory Searches and Using built in searches.

To view a full list of critical activity as well as visualizations to help understand the possible threat, see Working with critical activity.

 

Identifying the top active users

The Top Active Users tile displays the top five active users in the last 24 hours with each service represented by a different color bar. By default, data for all available services is displayed.

To view the exact number of events per service for a particular user, hover over a section of the bar. To dive deeper into the activity details, click the section of the bar that represents the service of interest.

 

NOTE Other than On Demand Audit activity, which will always be included, the activity that is gathered and displayed is based on the services that you have selected to audit.

See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on premises events.

 

Audited Service Activity

Change Auditor

  • Active Directory
  • Active Directory Federation Services (Change Auditor version 7.1.2 or later)
  • Active Directory Database
  • Group Policy

  • Logon Activity

OneDrive for Business

  • OneDrive

SharePoint Online

  • SharePoint
Micorosft Teams
  • Teams

Azure Active Directory - Audit Logs

Azure Active Directory - Sign-ins

  • Azure Active Directory

 

Exchange Online - Administrative Activity

Exchange Online - Mailbox Activity

  • Exchange

To view the top active users for a specific service

  1. Choose the required service from the dropdown list, and click Select.
  2. To exclude users from being included in the calculations and display, select the Edit Excluded Users and add and remove users as required.
  3. Click Close to save your selection.

 

Working with My Favorite Searches

The My Favorite Searches section of the dashboard allows you to pin the top five searches that you have defined as having a high value in your organization. From here you can see the number of events, select to view the search details, and manage which searches to displayed in this view.

By default, the following searches are listed:

  • Important changes for critical Azure Active Directory directory roles in the past 7 days
  • Azure Active Directory  role member changes in the past 7 days
  • Cloud-only Azure Active Directory users created in the past 180 days
  • Azure Active Directory tenant level configuration changes in the last 180 days
  • Office 365 events from EXT Users in the past 7 days

To manage the searches displayed on the dashboard:

  1. From My Favorite Searches, click Edit Searches.
  2. Add and remove searches as required by selecting the category and associated search. You can also drag and drop to specify the search order on the dashboard based on priority.
  3. Once you have made all your selections, click OK.
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating