Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

NOTICE! We are upgrading our support telephone services, implementing Genesys, starting the week of May 19, 2025

On Demand Audit Current - User Guide

Table of Contents

Introducing On Demand Audit

Quest On Demand Overview Quest On Demand Audit Overview

Accessing Quest On Demand Audit Supported regions

Configuring On Demand Audit

Working with tenants Granting required consent Configuring tenant auditing Historical event collection Adding a user to an organization On Demand Audit Access Control roles

Change Auditor Integration

Customer data storage Registering a Change Auditor Installation Pausing Change Auditor event forwarding Resuming Change Auditor event forwarding Removing a Change Auditor Installation Reviewing the status of your Change Auditor installation

SpecterOps BloodHound Enterprise Integration

Configure a SpecterOps BloodHound Integration

Working with On Demand Audit

Using the dashboard

Working with Activity Indicators Monitoring Audit Health status Identifying critical activity Identifying the top active users Working with My Favorite Searches Monitoring sign-in trends

Searching for specific event data (Quick Search) Working with critical activity Working with searches

Working with private and shared searches Running a search Using built in searches

Active Directory Built in searches Active Directory Federation Services built in searches Active Directory Database built in searches Anomaly Activity built in searches Audit Health built in searches Microsoft Entra built in searches Best Practices built in searches BloodHound Tier Zero assets built in searches File System built in searches Group Policy built in searches Logon Activity built in searches Microsoft 365 built in searches On Demand Audit built in searches Teams built in searches Security Guardian built in searches

Creating a custom search Copying an existing search Exporting a search Creating a search from an existing search Creating or filtering a search based on event details Customizing the search display Viewing search results and event details Copying event details Modifying a search Deleting a search Working with categories

Working with alerts and notification templates

Using built in alerts and notification templates

Auditing Microsoft Entra

Event collection and Microsoft Entra subscription Working with Microsoft Entra Searches Working with Microsoft Entra events with multiple targets Auditing risk events

Auditing Microsoft 365

Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Group Policy built in searches

Working with On Demand Audit > Working with searches > Using built in searches > Group Policy built in searches

On Demand Audit provides the following Group Policy built in searches:

Group Policy all events in the past 7 days
Group Policy all restricted group changes in the past 30 days
Group Policy all security changes in the past 30 days
Group Policy domain level linked changes in the past 30 days

Logon Activity built in searches

Working with On Demand Audit > Working with searches > Using built in searches > Logon Activity built in searches

On Demand Audit provides the following logon activity built in searches:

AD FS All Active Directory Federation Services sign-ins in the past 24 hours
AD FS All Failed Active Directory Federation Services sign-ins in the past 7 days
AD FS All Successful Active Directory Federation Services sign-ins in the past 24 hours
Logon Activity all authentication activity in the past 7 days
Logon Activity all excessive Kerberos ticket lifetime events in the past 30 days
Logon Activity all failed logon activity in the past 7 days
Logon Activity all interactive logon activity in the past 24 hours
Logon Activity all Kerberos authentication activity in the past 24 hours
Logon Activity all Kerberos service tickets created with unsafe encryption type in the past 30 days
Logon Activity all logon activity in the past 24 hours
Logon Activity all logon session activity in the past 24 hours
Logon Activity all NTLM version 1 logons in the past 7 days (Note: The associated event class is disabled by default in Change Auditor.)
Logon Activity all remote logon activity in the past 24 hours

Microsoft 365 built in searches

Working with On Demand Audit > Working with searches > Using built in searches > Microsoft 365 built in searches

On Demand Audit provides the following Microsoft 365 built-in searches that are based on the most common and complex requests for information

Email forwarding enabled in the past 7 days
Microsoft 365 activity from ad-hoc external recipients in the past 7 days
Microsoft 365 events from EXT Users in the past 7 days
Microsoft 365 events in the past 7 days
Microsoft 365 Exchange Online administrative cmdlets executed in the past 7 days
Microsoft 365 Exchange Online events in the past 7 days
Microsoft 365 Exchange Online mailbox events in the past 7 days
Microsoft 365 Exchange Online mailbox login activity in the past 24 hours
Microsoft 365 Exchange Online mailbox non-owner activity in the past 7 days
Microsoft 365 OneDrive for Business events in the past 7 days
Microsoft 365 OneDrive for Business file activity events in the past 7 days
Microsoft 365 OneDrive for Business folder activity events in the past 7 days
Microsoft 365 SharePoint Online events in the past 7 days
Microsoft 365 SharePoint Online file activity events in the past 7 days
Microsoft 365 SharePoint Online folder activity events in the past 7
OneDrive for Business and SharePoint Online anonymous link events in the past 180 days

On Demand Audit built in searches

Working with On Demand Audit > Working with searches > Using built in searches > On Demand Audit built in searches

On Demand Audit provides the following On Demand Audit built in searches:

All On Demand Audit configuration events in the past 30 days
All On Demand Audit events in the past 30 days
On Demand Audit notification template management events in the past 30 days
On Demand Audit alert ran events in the past 30 days
On Demand Audit alert rule management events in the past 30 days
On Demand Audit all shared search and shared category management events in the past 30 days

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2025 Quest Software Inc. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center