Monitoring Audit Health status
The Audit Health tile lets you see the status of your auditing configuration at a glance, identify any issues, and make the required updates so that you are kept informed of vital and critical changes in your organization.
From here, you can grant required consent for the tenant, view subscription information, view the auditing configuration settings, view results in a search, and subscribe to the built-in notification templates.
NOTE: Specific permissions are required for the following actions:

NOTE:
- You have the option to hide items from the dashboard if they do not provide you any value, expose previously hidden items, and dismiss notifications as required.
- You have the option to dismiss the ability to subscribe to the available notification templates. Once it has been dismissed, it is no longer displayed as an option in the Audit Health dashboard.
Possible issues that may be identified include:
- Tenant requires additional configuration
- Tenant has not been added for auditing
- Service subscription will expire soon
- Service is not enabled for event collection on the tenant
- Event collection has been disabled on the tenant
- No Office 365 events have been received from the tenant in the last 24 hours
- No Azure AD events have been received from the tenant in the last 24 hours
- No Azure AD Sign-in events have been received from the tenant in the last 24 hours
- No Change Auditor events have been received in the last 24 hours
- Change Auditor installation has been paused
- Change Auditor installation was removed
- Change Auditor installation has not been connected in the last 24 hours
- Change Auditor upgrade is required
- Change Auditor upgrade is available
- Configure SpecterOps BloodHound Enterprise integration
- SpecterOps BloodHound Enterprise configuration was removed
- SpecterOps BloodHound Enterprise connection failed
- Subscribe to Tier Zero notification template
To subscribe to a notification template from the Audit Health tile in the dashboard:
- Select View Template for the notification template that you want to subscribe to.
- Edit the recipients as required, and click Save.
Identifying critical activity
The Critical Activity tile highlights security-related activity, including anomaly detection for unusual spikes in activity, that may indicate a threat to your organization and require further investigation.
Critical activity is grouped by the service it is collected from:

Change Auditor / Logon Activity
- Local logons to Tier Zero computers
- NTLM version 1 logons
- Possible Golden Ticket Kerberos exploits
- Potential kerberoasting or similar Kerberos attack detected
- Tier Zero user logons to computers that are not Tier Zero
- Unusual increase in AD account lockouts
- Unusual increase in failed on-premises sign-ins
- Unusual increase in successful on-premises sign-ins

Change Auditor / Active Directory
- Administrative privilege elevation detected
- AD user ServicePrincipalName attribute changes detected
- AD suspicious group ESX Admins created or member added
- Active Directory critical group membership changes
- Active Directory schema configuration changes
- Active Directory forest configuration changes
- Active Directory security changes
- Domain level group policy linked changes detected
- Irregular AD replication activity detected
- Irregular domain controller registration detected (DCShadow)
- Potential sIDHistory injection detected
- Security changes to Tier Zero computer objects
- Security changes to Tier Zero domain objects
- Security changes to Tier Zero group objects
- Security changes to Tier Zero group policy objects
- Security changes to Tier Zero user objects
- Tier Zero computer changes
- Tier Zero domain and forest configuration changes
- Tier Zero group changes
- Tier Zero group policy object changes
- Tier Zero user changes
- Unusual increase in failed AD changes
- Unusual increase in permission changes to AD objects

Change Auditor / Active Directory Federation Services
- (no critical activity is listed for this service)

Change Auditor / File System
- AD Database (NTDS.dit) access attempt detected
- AD Database (NTDS.dit) file modification attempt detected
- All file changes with suspicious file extensions
- Unusual increase in share access permission changes
- Unusual increase in failed file access attempts
- Unusual increase in file deletes
- Unusual increase in file renames

Change Auditor / Group Policy
- (no critical activity is listed for this service)

Azure Active Directory - Audit Logs
- Azure Tier Zero application changes
- Azure Tier Zero group changes
- Azure Tier Zero role changes
- Azure Tier Zero service principal changes
- Azure Tier Zero tenant level and directory activity
- Azure Tier Zero user changes
- Azure Active Directory critical directory role changes
- Azure Active Directory tenant level configuration changes
- Azure Active Directory cloud-only users created

Azure Active Directory - Sign Ins
- Azure Tier Zero principal logons
- Azure Tier Zero AD risk events
- Unusual increase in tenant sign-in failures
- Unusual increase in successful tenant sign-ins

Exchange Online - Administrative Activity
- OneDrive and SharePoint files shared with external users
- OneDrive and SharePoint anonymous links
- Office 365 activity from external users

SharePoint Online or OneDrive For Business
- Unusual increase in files shared from OneDrive and SharePoint
- Unusual increase in Office 365 activity by guest users
- Unusual increase in Office 365 activity by anonymous users

Microsoft Teams
- (no critical activity is listed for this service)
You can dive deeper into the activity by viewing the associated search. For details on the searches associated with the critical activity, see Working with searches, Working with Azure Active Directory Searches and Using built in searches.
To view a full list of critical activity as well as visualizations to help understand the possible threat, see Working with critical activity.
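The "no events received in the last 24 hours" issues on the Audit Health tile and the "unusual increase" detections on the Critical Activity tile both reduce to simple comparisons: a freshness check on each source's newest event, and a comparison of today's count against a baseline. The following Python is an added example, not On Demand Audit's own code, that reproduces both checks over constructed sample data; the event-source keys, timestamps, and the mean-plus-three-standard-deviations threshold are assumptions, not the product's method.

```python
from datetime import datetime, timedelta, timezone
from statistics import mean, pstdev

STALE_AFTER = timedelta(hours=24)  # window used by the Audit Health "no events" issues

# Issue text taken from the Audit Health list, keyed by an assumed event-source name.
STALE_ISSUE = {
    "office365": "No Office 365 events have been received from the tenant in the last 24 hours",
    "azuread_audit": "No Azure AD events have been received from the tenant in the last 24 hours",
    "azuread_signin": "No Azure AD Sign-in events have been received from the tenant in the last 24 hours",
    "change_auditor": "No Change Auditor events have been received in the last 24 hours",
}

def stale_sources(last_seen, now):
    """Return the issue string for every source whose newest event is older than
    24 hours; a source that has never delivered an event (None) is also stale."""
    return [STALE_ISSUE[src] for src, ts in last_seen.items()
            if ts is None or now - ts > STALE_AFTER]

def unusual_increase(daily_counts, k=3.0):
    """Flag the last day when it exceeds mean + k * stddev of all earlier days.
    k=3 and the mean/stddev baseline are assumptions, not the product's method."""
    baseline, latest = daily_counts[:-1], daily_counts[-1]
    if len(baseline) < 2:  # too little history to form a baseline
        return False
    return latest > mean(baseline) + k * pstdev(baseline)

# Constructed sample data: one healthy, one stale, one fresh and one never-seen source.
SAMPLE_NOW = datetime(2024, 5, 2, 9, 0, tzinfo=timezone.utc)
SAMPLE_LAST_SEEN = {
    "office365": SAMPLE_NOW - timedelta(hours=2),
    "azuread_audit": SAMPLE_NOW - timedelta(hours=30),
    "azuread_signin": SAMPLE_NOW - timedelta(minutes=15),
    "change_auditor": None,
}
# Constructed daily AD account lockout counts; the last day is the one being judged.
SAMPLE_LOCKOUTS = [4, 6, 5, 7, 5, 6, 4, 38]

def demo_issues():
    """Run both checks over the sample data and return what the dashboard would show."""
    found = stale_sources(SAMPLE_LAST_SEEN, SAMPLE_NOW)
    if unusual_increase(SAMPLE_LOCKOUTS):
        found.append("Unusual increase in AD account lockouts")
    return found

if __name__ == "__main__":
    for line in demo_issues():
        print(line)
```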
Identifying the top active users
The Top Active Users tile displays the top five active users in the last 24 hours with each service represented by a different color bar. By default, data for all available services is displayed.
To view the exact number of events per service for a particular user, hover over a section of the bar. To dive deeper into the activity details, click the section of the bar that represents the service of interest.
NOTE: Other than On Demand Audit activity, which is always included, the activity that is gathered and displayed depends on the services that you have selected to audit. See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on-premises events.

The services that can be displayed are:
- Change Auditor
  - Active Directory
  - Active Directory Federation Services (Change Auditor version 7.1.2 or later)
  - Active Directory Database
  - Group Policy
  - Logon Activity
- OneDrive for Business
- SharePoint Online
- Microsoft Teams
- Azure Active Directory - Audit Logs
- Azure Active Directory - Sign-ins
- Exchange Online - Administrative Activity
- Exchange Online - Mailbox Activity
To view the top active users for a specific service:
- Choose the required service from the dropdown list, and click Select.
- To exclude users from the calculations and the display, click Edit Excluded Users and add or remove users as required.
- Click Close to save your selection.
Working with My Favorite Searches
The My Favorite Searches section of the dashboard allows you to pin the top five searches that you have defined as having high value in your organization. From here you can see the number of events, view the search details, and manage which searches are displayed in this view.
By default, the following searches are listed:
- Important changes for critical Azure Active Directory directory roles in the past 7 days
- Azure Active Directory role member changes in the past 7 days
- Cloud-only Azure Active Directory users created in the past 180 days
- Azure Active Directory tenant level configuration changes in the last 180 days
- Office 365 events from EXT Users in the past 7 days
To manage the searches displayed on the dashboard:
- From My Favorite Searches, click Edit Searches.
- Add and remove searches as required by selecting the category and associated search. You can also drag and drop to specify the search order on the dashboard based on priority.
- Once you have made all your selections, click OK.