Chat now with support
Chat with Support

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and alert plans Auditing Azure Active Directory Auditing Office 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Group Policy built in searches

On Demand Audit provides the following Group Policy built-in searches:

  • Group Policy all events in the past 7 days
  • Group Policy all restricted group changes in the past 30 days
  • Group Policy all security changes in the past 30 days

  • Group Policy domain level linked changes in the past 30 days

Logon Activity built in searches

On Demand Audit provides the following logon activity built-in searches:

  • AD FS All Active Directory Federation Services sign-ins in the past 24 hours

  • AD FS All Failed Active Directory Federation Services sign-ins in the past 7 days

  • AD FS All Successful Active Directory Federation Services sign-ins in the past 24 hours

  • Logon Activity all authentication activity in the past 7 days
  • Logon Activity all excessive Kerberos ticket lifetime events in the past 30 days
  • Logon Activity all failed logon activity in the past 7 days
  • Logon Activity all interactive logon activity in the past 24 hours
  • Logon Activity all Kerberos authentication activity in the past 24 hours

  • Logon Activity all Kerberos service tickets created with unsafe encryption type in the past 30 days

  • Logon Activity all logon activity in the past 24 hours
  • Logon Activity all logon session activity in the past 24 hours
  • Logon Activity all NTLM version 1 logons in the past 7 days (Note: The associated event class is disabled by default in Change Auditor.)
  • Logon Activity all remote logon activity in the past 24 hours

Office 365 built in searches

On Demand Audit provides the following Office 365 built-in searches that are based on the most common and complex requests for information

  • Email forwarding enabled in the past 7 days
  • Office 365 activity from ad-hoc external recipients in the past 7 days
  • Office 365 events from EXT Users in the past 7 days
  • Office 365 events in the past 7 days
  • Office 365 Exchange Online administrative cmdlets executed in the past 7 days
  • Office 365 Exchange Online events in the past 7 days
  • Office 365 Exchange Online mailbox events in the past 7 days
  • Office 365 Exchange Online mailbox login activity in the past 24 hours
  • Office 365 Exchange Online mailbox non-owner activity in the past 7 days
  • Office 365 OneDrive for Business events in the past 7 days
  • Office 365 OneDrive for Business file activity events in the past 7 days
  • Office 365 OneDrive for Business folder activity events in the past 7 days
  • Office 365 SharePoint Online events in the past 7 days
  • Office 365 SharePoint Online file activity events in the past 7 days
  • Office 365 SharePoint Online folder activity events in the past 7
  • OneDrive for Business and SharePoint Online anonymous link events in the past 180 days

On Demand Audit built in searches

On Demand Audit provides the following On Demand Audit built in search:

  • All On Demand Audit configuration events in the past 30 days
  • All On Demand Audit events in the past 30 days
  • On Demand Audit alert plan management events in the past 30 days
  • On Demand Audit alert ran events in the past 30 days
  • On Demand Audit alert rule management events in the past 30 days
  • On Demand Audit all shared search and shared category management events in the past 30 days
Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating