Quest® Quest On Demand Audit
Last Updated January 2021
These release notes provide information about the Quest On Demand Audit release.
About this module
On Demand Audit provides extensive auditing of critical activities and detailed reports about vital changes taking place in Microsoft Office 365 Exchange Online, SharePoint Online, and OneDrive for Business. Staying continually informed helps you prove compliance, drive security, and improve uptime while proactively auditing changes to configurations and permissions.
Integration with Change Auditor provides a single view of activity across hybrid Microsoft environments and turns on-premises events into rich visualizations so you can investigate incidents faster. Events sent to On Demand Audit include historical events gathered up to 30 days prior to the upgrade to Change Auditor 7.0.0 (or higher).
On Demand Audit audits:
- When Exchange Online mailboxes are created, deleted, and accessed.
- Permission changes to see which users are granted access to a mailbox.
- Mailbox activity by non-owner, such as messages sent, read, deleted, and folders deleted.
- Mailbox activity by owner for sensitive and high value mailboxes.
- When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
- When user and group attributes are changed.
- When users and groups are added to and removed from the directory.
- Successful and failed logins.
- Suspicious sign-in activity.
- Teams user and administrator activity.
Incident response management
Quest Operations and Quest Support have procedures in place to monitor the health of the system and ensure any degradation of the service is promptly identified and resolved. On Demand relies on Azure and AWS infrastructure and, as such, is subject to the possible disruption of these services. You can view the following status pages:
New features in On Demand Audit:
- Addition of an information icon that allows you to see when shared searches, alerts, and alert plans were created, last saved, and by whom.
- Ability to create private and shared categories for searches.
- Ability to create alerts for both private and shared searches.
- Ability to create both private and shared alert plans.
- Updated and new access roles for private and shared searches and alert plans.
- All Private Searches category.
- Updated workflow for saving searches. By default, new searches are created in the category selected when clicking New Search.
- MailItemsAccessed events gathered when the Exchange Online - Mailbox Activity service is configured for auditing. The event and its details (Operation Count and the Folder Item found under Source Folders) provide an auditing trail to help understand which emails may have been compromised during a security breach. Note: A Microsoft 365 E5 license is required to audit this activity.
- Ability to export search results to a csv or csv.zip file.
- Can Export Search Results permission for Audit Administrators and Audit Operators.
- Ability to audit Teams user and administrator activity such as when teams (and associated settings, members, and applications) are created, updated, removed and when users sign in.
- New Teams searches:
  - Teams app events in the past 7 days
  - Teams bot events in the past 7 days
  - Teams channel events in the past 7 days
  - Teams client configuration changes in the past 30 days
  - Teams connector events in the past 7 days
  - Teams events in the past 7 days
  - Teams guest access configuration changes in the past 30 days
  - Teams guest access enabled or disabled in the past 30 days
  - Teams guest members added in the past 7 days
  - Teams member role changes in the past 7 days
  - Teams member changes in the past 7 days
  - Teams notification and feeds policy changes in the past 30 days
  - Teams organization setting changes in the past 30 days
  - Teams tab events in the past 7 days
  - Teams targeting policy changes in the past 30 days
  - Teams team created events in the past 30 days
  - Teams team deleted events in the past 30 days
  - Teams team setting changes in the past 7 days
  - Teams user sign-in events in the past 7 days
- Additional search columns and filters available for Teams auditing: Add On GUID, Add on Name, Add on Type, Cmdlet Name, Team GUID, Team Name, Team Property Name, Team Role.
- Australia, Canada, and UK regions available to host your On Demand Audit data.
- Additional search columns and filters available for logon activity: Logon Activity all excessive Kerberos ticket lifetime events in the past 30 days, Logon Activity all NTLM authentication failures in the past 24 hours, Logon Activity all NTLM authentications in the past 24 hours, Logon Activity all NTLM version 1 logons in the past 7 days.
- Additional logon activity searches:
  - Logon Activity all excessive Kerberos ticket lifetime events in the past 30 days
  - Logon Activity all NTLM authentication failures in the past 24 hours
  - Logon Activity all NTLM authentications in the past 24 hours
  - Logon Activity all NTLM version 1 logons in the past 7 days
- Ability to audit logon activity.
- Additional search columns and filters available for risk events: Activity Time, Detection Timing, Request Id, Risk Activity, Risk Detected Time, Risk State, Risk Type, Risk Correlation Id, Risk Detail, Risk Source, Token Issuer, Previous User Agent.
- Property After Value, Property Before Value, and Property Name available in the search details for Azure Active Directory, Active Directory, and Group Policy searches.
- Property After Value, Property Before Value, and Property Name filters available for Azure Active Directory, Active Directory, and Group Policy searches.
- Permission enforcement using additional Audit Operator role to help you manage your security and compliance auditing.
The following web browsers are supported with On Demand:
- Internet Explorer 11
- Microsoft Edge
- Google Chrome (latest version)
- Mozilla Firefox (latest version)