Security Guardian Current - User Guide

Working with Audit

Using the Audit Dashboard

The Audit Dashboard displays a visual summary of the most important metrics of the Microsoft 365 and Microsoft Entra activity in your organization. The information is updated in real time, allowing you to quickly gain valuable insights into the activity taking place in your organization. You can also refresh the data by selecting the refresh icon in the top right of the dashboard.

The dashboard displays:

Working with Activity Indicators

The indicators at the top of the dashboard allow you to quickly see whether risky activity has changed over a specific period of time. A red sidebar indicates an increase in activity, while a green sidebar indicates a reduction.

You can then delve further into the details by clicking the indicator to view an associated search.

NOTE: The indicators are updated each time that you open the dashboard or refresh the view.

The following indicators are available:

  • Cloud-only Microsoft Entra users created in the last 7 days

  • AD account lockouts in the last 24 hours

    If you do not have a configured Change Auditor integration, the Microsoft Entra critical directory role changes in the last 7 days indicator displays instead.

  • Microsoft Entra risk events in the last 7 days

    This indicator displays when you have a Microsoft Entra ID Premium (P2) license.

    If you do not have the required license to audit risky events and Change Auditor integration is configured, the On-premises and Microsoft Entra failed sign-ins in the last 24 hours indicator displays instead.

    If you do not have the required license to audit risky events and have not configured a Change Auditor integration, the Microsoft Entra failed sign-ins in the last 24 hours indicator displays.

  • Microsoft 365 external user actions in the last 24 hours

Monitoring Audit Health status

The Audit Health tile allows you to see the status of your auditing configuration at a glance, identify any issues, and make the required updates so that you stay informed of vital and critical changes to your organization.

From here, you can grant required consent for the tenant, view subscription information, view the auditing configuration settings, view results in a search, and subscribe to the built-in notification templates.

NOTE: Specific permissions are required for the following actions:

  • Can Add and Remove Tenants is required to grant consent.
  • Can Run Private Searches and Can Run Shared Searches are required to view associated results.
  • Can Manage Microsoft Entra Tenant Configurations for Audit is required to view issues identified for tenants.
  • Can Manage Change Auditor Installation Configuration is required to view issues identified for Change Auditor.
  • Can Manage Shared Alerts and Shared Notification Templates and Can Run Shared Searches are required to subscribe to the notification templates.

NOTE:

  • You can hide items from the dashboard that do not provide you any value, reveal previously hidden items, and dismiss notifications as required.
  • You can also dismiss the option to subscribe to the available notification templates. Once dismissed, it is no longer displayed as an option in the Audit Health dashboard.

Possible issues that may be identified include:

  • Tenant requires additional configuration
  • Tenant has not been added for auditing
  • Service subscription will expire soon
  • Service is not enabled for event collection on the tenant
  • Event collection has been disabled on the tenant
  • No Microsoft 365 events have been received from the tenant in the last 24 hours
  • No Microsoft Entra events have been received from the tenant in the last 24 hours
  • No Microsoft Entra Sign-in events have been received from the tenant in the last 24 hours
  • No Change Auditor events have been received in the last 24 hours
  • Change Auditor installation has been paused
  • Change Auditor installation was removed
  • Change Auditor installation has not been connected in the last 24 hours
  • Change Auditor upgrade is required
  • Change Auditor upgrade is available
  • Configure SpecterOps BloodHound Enterprise integration
  • SpecterOps BloodHound Enterprise configuration was removed
  • SpecterOps BloodHound Enterprise connection failed
  • Subscribe to Tier Zero notification template

To subscribe to a notification template from the Audit Health tile in the dashboard:

  1. Select View Template for the notification template that you want to subscribe to.
  2. Edit the recipients as required, and click Save.