Chat now with support
Chat with Support

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and alert plans Auditing Azure Active Directory Auditing Microsoft 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Azure Active Directory built in searches

On Demand Audit provides the following Azure Active Directory built-in searches that are based on the most common and complex requests for information:

  • Azure AD application events in the past 7 days
  • Azure AD directory events in the past 7 days
  • Azure AD events in the past 7 days
  • Azure AD failed sign-in events in the past 7 days
  • Azure AD group events in the past 7 days
  • Azure AD group member changes in the past 7 days
  • Azure AD group owner changes in the past 7 days
  • Azure AD risk events in the past 7 days
  • Azure AD role events in the past 7 days
  • Azure AD role member changes in the past 7 days
  • Azure AD self-service password management events in the past 7 days
  • Azure AD sign-in events in the past 7 days
  • Azure AD successful sign-in events in the past 7 days
  • Azure AD tenant level configuration changes in the last 180 days
  • Azure AD user created events in the past 7 days
  • Azure AD user deleted events in the past 7 days
  • Azure AD user events in the past 7 days
  • Important changes for critical Azure AD directory roles in the past 7 days
  • Objects added/removed from Azure AD groups in the past 7 days
  • Objects added/removed from Azure AD roles in the past 7 days
  • Users added/removed as owner of Azure AD groups in the past 7 days

 

Best Practices built in searches

On Demand Audit provides the following Best Practices built in searches:

  • Azure AD successful application consent events in the past 30 days
  • Sharing operations on important file types within past 7 days
  • Teams guest access enabled or disabled in the past 30 days

BloodHound Tier Zero assets built in searches

On Demand Audit provides the following BloodHound Tier Zero assets built in searches:

  • All Azure Tier Zero AD risk events in the past 60 days

  • All Azure Tier Zero application changes in the past 60 days

  • All Azure Tier Zero group changes in the past 60 days

  • All Azure Tier Zero principal logons in the past 60 days

  • All Azure Tier Zero role changes in the past 60 days

  • All Azure Tier Zero service principal changes in the past 60 days

  • All Azure Tier Zero tenant level and directory activity in the past 60 days

  • All Azure Tier Zero user changes in the past 60 days

  • All Tier Zero computer changes in the past 60 days

  • All Tier Zero domain and forest configuration changes in the past 60 days

  • All Tier Zero group changes in the past 60 days

  • All Tier Zero group policy item and object changes in the past 60 days

  • All Tier Zero user changes in the past 60 days

  • Local logons to Tier Zero computers in the past 60 days

  • Security changes to Tier Zero domain objects in the past 60 days

  • Security changes to Tier Zero group objects in the past 60 days

  • Security changes to Tier Zero group policy objects in the past 60 days

  • Security changes to Tier Zero computer objects in the past 60 days

  • Security changes to Tier Zero user objects in the past 60 days

  • Tier Zero user logons to computers that are not Tier Zero in the past 60 days

     

File System built in searches

On Demand Audit provides the following File System built in searches:

  • FS all events in the past 7 days
  • FS all permission and ownership changes to SYSVOL on domain controllers in the past 30 days
  • FS all local share changes in the past 30 days
  • FS all file and folder creates, deletes, and moves in the past 30 days
  • FS all file and folder attribute changes, modifications, and renames in the past 30 days
  • FS all file and folder auditing changes in the past 30 days
  • FS all file and folder ownership changes in the past 30 days
  • FS all file and folder permission changes in the past 30 days
  • FS all file and folder failed access attempts in the past 30 days
  • FS all file changes with suspicious file extensions in the past 30 days
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating