
On Demand Audit Current - User Guide


Active Directory Federation Services built-in searches

On Demand Audit provides the following Active Directory Federation Services built-in searches:

  • AD FS All claims provider trust events in the past 30 days
  • AD FS All relying party trust events in the past 30 days
  • AD FS All endpoint events in the past 30 days
  • AD FS All authentication method changes in the past 30 days
  • AD FS All server farm events in the past 30 days
  • AD FS Authentication method registered and unregistered events in the past 30 days

Active Directory Database built-in searches

On Demand Audit provides the following Active Directory Database built-in search:

  • AD DB all events in the past 7 days

Anomaly Activity built-in searches

On Demand Audit provides the following anomaly activity built-in searches:

  • All anomaly detected events in the past 30 days
  • Unusual increase in AD account lockout events in the past 30 days
  • Unusual increase in failed AD change events in the past 30 days
  • Unusual increase in failed AD Federation Services sign-ins in the past 30 days
  • Unusual increase in failed file access attempts in the past 30 days
  • Unusual increase in file deletes in the past 30 days
  • Unusual increase in file renames in the past 30 days
  • Unusual increase in files shared from OneDrive and SharePoint events in the past 30 days
  • Unusual increase in Office 365 activity by guest user events in the past 30 days
  • Unusual increase in Office 365 activity by anonymous user events in the past 30 days
  • Unusual increase in permission changes to AD object events in the past 30 days
  • Unusual increase in share access permission changes in the past 30 days
  • Unusual increase in successful AD Federation Services sign-ins in the past 30 days
  • Unusual increase in successful tenant sign-in events in the past 30 days
  • Unusual increase in tenant sign-in failure events in the past 30 days
  • Unusual increase in Teams guest participant events in the past 30 days
  • Unusual increase in successful on-premises sign-ins in the past 30 days
  • Unusual increase in failed on-premises sign-ins in the past 30 days

Audit Health built-in searches

On Demand Audit provides the following Audit Health built-in searches:

  • Change Auditor Installation activity changes in the past 30 days
  • Change Auditor Installation connectivity events in the past 30 days
  • Change Auditor Installation setting changes in the past 30 days
  • Change Auditor Installation upgrade events in the past 30 days
  • Service activity changes in the past 30 days
  • Service auditing enabled or disabled events in the past 30 days
  • SpecterOps BloodHound Enterprise connectivity events in the past 30 days
  • SpecterOps BloodHound Enterprise configuration changes in the past 30 days
  • Subscription expiring events in the past 90 days
