
On Demand Audit Current - User Guide


Creating or filtering a search based on event details

You can quickly create a new search or refine an existing search based on values within the event details pane. This allows you to delve deeper into the details found from existing searches.

To create a search based on an event detail

  1. Select the Searches tab.
  2. Locate the required search in the list of categories.
  3. To run the search, click it, or highlight it and click the run (arrow) icon.
  4. Select the required value, click the More options icon (...), and select New Search on this value.
  5. You can select to run the search, save it, or further filter it as required.

To filter a search based on an event detail

  1. Select the Searches tab.
  2. Locate the required search in the list of categories.
  3. To run the search, click it, or highlight it and click the run (arrow) icon.
  4. Select the required value, click the More options icon (...), and select Add filter on this value.
  5. You can select to run the search, save it, or further filter it as required.

Customizing the columns displayed in a search

When you create a search, a preview displays to help ensure the search criteria meet your needs. You can customize the columns that display in the generated report and easily rearrange the column display order through drag and drop.

The following columns are included by default:

  • Time Detected
  • User (Actor)
  • Activity
  • Target
  • Origin IP
  • Service
  • Status (All Event searches and Sign-in searches only)
  • Tenant Name

To rearrange, add, and remove the columns displayed in the search

  1. As you create a search, click Edit Columns.
  2. Drag and drop the columns to change the order.
  3. To remove a column, click the X next to the appropriate column.
  4. To add a column, click Add Column.
  5. Save your changes.

For a list of available columns, see Appendix A: Working with search columns and filters.

Visualizing searches

You can visualize saved searches to provide insights on the Office 365 events taking place in your organization and your Azure Active Directory.

The Overview tab displays:

  • Number of events (Event count)
  • Total number of unique users
  • Activity (A drop-down is available so that you can select the activity that you want to see.)
  • User Name (A drop-down is available so that you can select the users that you want to see.)
  • Top 10 active users
  • Activity heat map that visually breaks down the activity in a display that shows which events are more prevalent.

The Sign-ins tab displays:

  • Sign-ins by location on a map
  • Sign-ins by application and by user, with the option to filter for specific applications and users
  • Successful and failed sign-ins
  • Sign-in activity timeline

To see a visual representation of a search

  1. Select the Searches tab, choose a search, and click the visualization (chart) icon. You can also click the run (arrow) icon, then click the Visualize button. (Note: Visualization is only available for saved searches.)
Hover over the right corner of any section to display more options for sharing and customizing the data that is presented:
  • Select Export data to export the results to a .csv file or a zipped .csv file. See Exporting a search for details.
  • Show the underlying data.
  • Sort the data.
  • Use the slider to narrow the date range included in the view.
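Once a search has been exported to .csv, the Overview and Sign-ins figures described above can be recomputed offline, which is useful when handing results to an analyst who has no console access. The script below is an added example and is not part of this guide or of On Demand Audit. It assumes the export is a CSV whose header row uses the default column names listed under Customizing the columns displayed in a search; the rows, the activity name UserLoggedIn, the Status values Successful/Failed and the tenant name are constructed for illustration. It also goes one step beyond the Sign-ins tab by flagging users whose successful sign-in follows repeated failures within a short window, the kind of filter you would otherwise build with Add filter on this value.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample export using the default column names named in this guide.
# The rows, activity names and status values are invented for the example;
# a real export may use different activity names and a different layout.
SAMPLE_CSV = """\
Time Detected,User (Actor),Activity,Target,Origin IP,Service,Status,Tenant Name
2024-03-01T08:02:11Z,alice@contoso.example,UserLoggedIn,Office 365 Portal,203.0.113.5,Azure AD,Successful,contoso
2024-03-01T08:05:40Z,alice@contoso.example,FileAccessed,Finance/Q1.xlsx,203.0.113.5,SharePoint,Successful,contoso
2024-03-01T09:12:03Z,bob@contoso.example,UserLoggedIn,Exchange Online,198.51.100.20,Azure AD,Failed,contoso
2024-03-01T09:12:30Z,bob@contoso.example,UserLoggedIn,Exchange Online,198.51.100.20,Azure AD,Failed,contoso
2024-03-01T09:13:05Z,bob@contoso.example,UserLoggedIn,Exchange Online,198.51.100.20,Azure AD,Successful,contoso
2024-03-01T09:20:00Z,carol@contoso.example,Add member to role,Global Administrator,198.51.100.77,Azure AD,Successful,contoso
2024-03-01T10:01:15Z,bob@contoso.example,MailItemsAccessed,Inbox,198.51.100.20,Exchange,Successful,contoso
2024-03-01T22:45:09Z,alice@contoso.example,UserLoggedIn,Office 365 Portal,192.0.2.99,Azure AD,Failed,contoso
"""


def load_events(csv_text):
    """Parse an exported search into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def add_filter(events, column, value):
    """Offline equivalent of 'Add filter on this value': exact match on one column."""
    return [e for e in events if e[column] == value]


def overview(events):
    """Recompute the Overview tab: event count, unique users, top 10 users, activity counts."""
    by_user = Counter(e["User (Actor)"] for e in events)
    return {
        "event_count": len(events),
        "unique_users": len(by_user),
        "top_users": by_user.most_common(10),
        "activity_counts": Counter(e["Activity"] for e in events),
    }


def activity_heat_map(events):
    """Text stand-in for the activity heat map: count of (activity, UTC hour) cells."""
    return dict(Counter((e["Activity"], e["Time Detected"][11:13]) for e in events))


def signin_summary(events):
    """Recompute the Sign-ins tab: success/failure split and sign-ins per (application, user)."""
    signins = [e for e in events if e["Activity"] == "UserLoggedIn"]  # assumed activity name
    status = Counter(e["Status"] for e in signins)
    return {
        "successful": status["Successful"],
        "failed": status["Failed"],
        "by_application_and_user": Counter((e["Target"], e["User (Actor)"]) for e in signins),
    }


def _parse_ts(ts):
    # Time Detected is assumed to be ISO 8601 in UTC with a trailing Z.
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def failed_then_succeeded(events, min_failures=2, window_seconds=600):
    """Flag users whose successful sign-in follows at least min_failures failed sign-ins
    within window_seconds: a common password-guessing pattern worth a dedicated saved search."""
    flagged = set()
    recent_failures = {}
    signins = sorted((e for e in events if e["Activity"] == "UserLoggedIn"),
                     key=lambda e: e["Time Detected"])
    for e in signins:
        user = e["User (Actor)"]
        when = _parse_ts(e["Time Detected"])
        fails = recent_failures.setdefault(user, [])
        if e["Status"] == "Failed":
            fails.append(when)
            continue
        in_window = [t for t in fails if (when - t).total_seconds() <= window_seconds]
        if len(in_window) >= min_failures:
            flagged.add(user)
        fails.clear()  # a success ends the current run of failures
    return sorted(flagged)


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print(overview(events))
    print(signin_summary(add_filter(events, "Service", "Azure AD")))
    print(activity_heat_map(events))
    print("failed-then-succeeded:", failed_then_succeeded(events))
```

Replace SAMPLE_CSV with the contents of a real export; if the column names or activity names in your tenant's export differ from the defaults assumed here, adjust the dictionary keys and the UserLoggedIn comparison accordingly.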

Viewing search results and event details

When selecting an event that has been returned from a search, you can view all the details of the activity that triggered the event. If the search contains string filters, the string is highlighted in the search results and event details to allow you to quickly scan for matches.

A summary of important event details is displayed at the top of the event details that includes:

  • Activity Name
  • Service
  • Time Detected
  • User display name
  • Target
  • Location
  • Status (Successful/Failed)

For Azure Active Directory, Active Directory, and Group Policy events, the summary also displays the following:

  • Property After Value
  • Property Before Value
  • Property Name

To view event details

  1. Select the Searches tab.
  2. Locate the required search in the list of categories.
  3. Highlight the search and click the arrow icon to run it.
  4. Click an event to open a new window that contains all the event details.
  5. Click the Event Link to create a dedicated page for the event details within On Demand Audit. Once created you can view the information, copy the URL to share with others, or bookmark it for future use.