
On Demand Audit Current - User Guide


Configure a SpecterOps BloodHound Integration

To pair SpecterOps BloodHound Enterprise with On Demand Audit to help provide a comprehensive risk assessment and threat monitoring solution, you need to add a SpecterOps BloodHound configuration.

NOTE:

  • To manage a SpecterOps BloodHound Enterprise configuration, you must have the Can Manage SpecterOps BloodHound Configuration permission.

  • Once the configuration has been added, you can select the three vertical dots in the upper right-corner to refresh the configuration immediately, to edit the notification template, or to read more about the benefits of integrating with SpecterOps BloodHound Enterprise.

  • The configuration connection message shows whether the connection to SpecterOps BloodHound Enterprise was successful, and the status of the configuration.

To add a configuration:

  1. From the Configuration tab, select Add BloodHound Enterprise or click the + icon.
  2. Enter the SpecterOps BloodHound URL, the Permanent Authorization Token (PAT) Token ID, and Key pair.

  3. Click Validate to validate the URL format (https://yourdomain.bloodhoundenterprise.io), the Permanent Authorization Token (PAT) Token ID, and the Key pair.

  4. Click Save.

    Once the configuration has been added, you can select to edit the Tier Zero notification template to configure who will be notified when an alert is triggered.

To edit a configuration:

  1. From the Configuration tab, select the BloodHound Enterprise card, and choose Edit Configuration.
  2. Edit the SpecterOps BloodHound URL, Permanent Authorization Token (PAT) Token ID, and Key pair as required.

  3. Click Validate to validate the URL format (https://yourdomain.bloodhoundenterprise.io), the Permanent Authorization Token (PAT) Token ID, and the Key pair.

  4. Click Save.

To remove a configuration:

IMPORTANT: When you remove a configuration, SpecterOps BloodHound Enterprise information will no longer be added to events in On Demand Audit.

  1. From the Configuration tab, select the BloodHound Enterprise card, and choose REMOVE.

  2. Click YES to remove the configuration.


Working with On Demand Audit

Using the dashboard

When you open On Demand Audit, the dashboard displays a visual summary of the most important metrics of the Office 365 and Azure Active Directory activity in your organization. The information is updated in real time, allowing you to quickly gain valuable insights into the activity taking place in your organization. You can also refresh the data by selecting the refresh icon in the top right of the dashboard.

The dashboard displays:

Working with Activity Indicators

The indicators at the top of the dashboard allow you to quickly see whether there has been a change in risky activity over a specific period of time. A red sidebar indicates an increase in activity, while a green sidebar indicates a reduction.

You can then easily delve further into the details by clicking the indicator to view an associated search.


NOTE: The indicators are updated each time that you open the dashboard or refresh the view.


The following indicators are available:

  • Cloud-only Azure Active Directory users created in the last 7 days

  • AD account lockouts in the last 24 hours

    If you do not have a configured Change Auditor integration, the Azure Active Directory critical directory role changes in the last 7 days indicator displays instead.

  • Azure Active Directory risk events in the last 7 days

    This indicator displays when you have an Azure Active Directory Premium (P2) license.

    If you do not have the required license to audit risky events and Change Auditor integration is configured, the On-premises and Azure Active Directory failed sign-ins in the last 24 hours indicator displays instead.

    If you do not have the required license to audit risky events and have not configured a Change Auditor integration, the Azure Active Directory failed sign-ins in the last 24 hours indicator displays.

  • Office 365 external user actions in the last 24 hours
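The following is an added example, not code from On Demand Audit or from Quest, that shows how the indicator set and its red/green sidebars can be derived from raw activity records. It implements the fallback rules listed above (Change Auditor integration present or not, Azure AD Premium P2 license present or not) and compares the count in the current window against the preceding window of the same length; that baseline choice, the record field names (`time`, `kind`, `cloud_only`) and the sample events are all assumptions, since the page does not describe the product's data model.

```python
from datetime import datetime, timedelta, timezone

# Fixed "now" so the example is deterministic (constructed, not a real timestamp).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _ago(hours):
    return NOW - timedelta(hours=hours)


# Constructed sample activity records. The field names are assumptions,
# not the schema On Demand Audit actually uses.
EVENTS = [
    {"time": _ago(2),   "kind": "ad_lockout"},
    {"time": _ago(5),   "kind": "ad_lockout"},
    {"time": _ago(20),  "kind": "ad_lockout"},
    {"time": _ago(30),  "kind": "ad_lockout"},                             # previous 24 h window
    {"time": _ago(48),  "kind": "aad_user_created", "cloud_only": True},
    {"time": _ago(200), "kind": "aad_user_created", "cloud_only": True},   # previous 7-day window
    {"time": _ago(250), "kind": "aad_user_created", "cloud_only": True},   # previous 7-day window
    {"time": _ago(100), "kind": "aad_user_created", "cloud_only": False},  # synced user, not counted
    {"time": _ago(10),  "kind": "o365_external_action"},
    {"time": _ago(40),  "kind": "o365_external_action"},                   # previous 24 h window
]

DAY = timedelta(hours=24)
WEEK = timedelta(days=7)

# Indicator label -> (look-back window, predicate selecting matching records).
INDICATORS = {
    "Cloud-only Azure Active Directory users created in the last 7 days":
        (WEEK, lambda e: e["kind"] == "aad_user_created" and e.get("cloud_only", False)),
    "AD account lockouts in the last 24 hours":
        (DAY, lambda e: e["kind"] == "ad_lockout"),
    "Office 365 external user actions in the last 24 hours":
        (DAY, lambda e: e["kind"] == "o365_external_action"),
}


def select_indicators(has_change_auditor, has_aad_p2):
    """Return the indicator labels the dashboard shows, applying the
    fallback rules for a missing Change Auditor integration or P2 license."""
    labels = ["Cloud-only Azure Active Directory users created in the last 7 days"]
    if has_change_auditor:
        labels.append("AD account lockouts in the last 24 hours")
    else:
        labels.append("Azure Active Directory critical directory role changes in the last 7 days")
    if has_aad_p2:
        labels.append("Azure Active Directory risk events in the last 7 days")
    elif has_change_auditor:
        labels.append("On-premises and Azure Active Directory failed sign-ins in the last 24 hours")
    else:
        labels.append("Azure Active Directory failed sign-ins in the last 24 hours")
    labels.append("Office 365 external user actions in the last 24 hours")
    return labels


def count_windows(events, predicate, window, now=NOW):
    """Count matching records in (now - window, now] and in the window before it."""
    current = sum(1 for e in events if predicate(e) and now - window < e["time"] <= now)
    previous = sum(1 for e in events
                   if predicate(e) and now - 2 * window < e["time"] <= now - window)
    return current, previous


def sidebar(current, previous):
    """Red for an increase over the previous window, green for a reduction."""
    if current > previous:
        return "red"
    if current < previous:
        return "green"
    return "none"


def compute_indicators(events, now=NOW):
    """Evaluate every defined indicator against the records and attach its sidebar colour."""
    result = {}
    for label, (window, predicate) in INDICATORS.items():
        cur, prev = count_windows(events, predicate, window, now)
        result[label] = {"current": cur, "previous": prev, "sidebar": sidebar(cur, prev)}
    return result


if __name__ == "__main__":
    for label, stats in compute_indicators(EVENTS).items():
        print(f"{stats['sidebar']:>5}  {stats['current']:>2} (prev {stats['previous']})  {label}")
```

Run as-is, the lockout indicator comes out red (3 in the last 24 hours against 1 before), the cloud-only user indicator green (1 against 2), and the external-action indicator unchanged; the synced (non cloud-only) user is ignored, which is the distinction the first indicator is meant to draw.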
