Chat now with support
Chat with Support

NOTICE! We are upgrading our support telephone services, implementing Genesys, starting the week of May 19, 2025

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and notification templates Auditing Microsoft Entra Auditing Microsoft 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Microsoft Entra built in searches

On Demand Audit provides the following Microsoft Entra built-in searches that are based on the most common and complex requests for information:

  • Microsoft Entra application events in the past 7 days
  • Microsoft Entra directory events in the past 7 days
  • Microsoft Entra events in the past 7 days
  • Microsoft Entra failed sign-in events in the past 7 days
  • Microsoft Entra group events in the past 7 days
  • Microsoft Entra group member changes in the past 7 days
  • Microsoft Entra group owner changes in the past 7 days
  • Microsoft Entra risk events in the past 7 days
  • Microsoft Entra role events in the past 7 days
  • Microsoft Entra role member changes in the past 7 days
  • Microsoft Entra self-service password management events in the past 7 days
  • Microsoft Entra sign-in events in the past 7 days
  • Microsoft Entra successful sign-in events in the past 7 days
  • Microsoft Entra tenant level configuration changes in the last 180 days
  • Microsoft Entra user created events in the past 7 days
  • Microsoft Entra user deleted events in the past 7 days
  • Microsoft Entra user events in the past 7 days
  • Important changes for critical Microsoft Entra directory roles in the past 7 days
  • Objects added/removed from Microsoft Entra groups in the past 7 days
  • Objects added/removed from Microsoft Entra roles in the past 7 days
  • Users added/removed as owner of Microsoft Entra groups in the past 7 days

 

Best Practices built in searches

On Demand Audit provides the following Best Practices built in searches:

  • Microsoft Entra successful application consent events in the past 30 days
  • Sharing operations on important file types within past 7 days
  • Teams guest access enabled or disabled in the past 30 days

BloodHound Tier Zero assets built in searches

On Demand Audit provides the following BloodHound Tier Zero assets built in searches:

  • All Microsoft Entra Tier Zero AD risk events in the past 60 days

  • All Microsoft Entra Tier Zero application changes in the past 60 days

  • All Microsoft Entra Tier Zero group changes in the past 60 days

  • All Microsoft Entra Tier Zero principal logons in the past 60 days

  • All Microsoft Entra Tier Zero role changes in the past 60 days

  • All Microsoft Entra Tier Zero service principal changes in the past 60 days

  • All Microsoft Entra Tier Zero tenant level and directory activity in the past 60 days

  • All Microsoft Entra Tier Zero user changes in the past 60 days

  • All Tier Zero computer changes in the past 60 days

  • All Tier Zero domain and forest configuration changes in the past 60 days

  • All Tier Zero group changes in the past 60 days

  • All Tier Zero group policy item and object changes in the past 60 days

  • All Tier Zero user changes in the past 60 days

  • Local logons to Tier Zero computers in the past 60 days

  • Security changes to Tier Zero domain objects in the past 60 days

  • Security changes to Tier Zero group objects in the past 60 days

  • Security changes to Tier Zero group policy objects in the past 60 days

  • Security changes to Tier Zero computer objects in the past 60 days

  • Security changes to Tier Zero user objects in the past 60 days

  • Tier Zero user logons to computers that are not Tier Zero in the past 60 days

     

File System built in searches

On Demand Audit provides the following File System built in searches:

  • FS all events in the past 7 days
  • FS all permission and ownership changes to SYSVOL on domain controllers in the past 30 days
  • FS all local share changes in the past 30 days
  • FS all file and folder creates, deletes, and moves in the past 30 days
  • FS all file and folder attribute changes, modifications, and renames in the past 30 days
  • FS all file and folder auditing changes in the past 30 days
  • FS all file and folder ownership changes in the past 30 days
  • FS all file and folder permission changes in the past 30 days
  • FS all file and folder failed access attempts in the past 30 days
  • FS all file changes with suspicious file extensions in the past 30 days
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating