Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

On Demand Audit Current - User Guide

Table of Contents

Introducing On Demand Audit

Quest On Demand Overview Quest On Demand Audit Overview

Accessing Quest On Demand Audit Supported regions

Configuring On Demand Audit

Working with tenants Granting required consent Configuring tenant auditing Historical event collection Adding a user to an organization On Demand Audit Access Control roles

Change Auditor Integration

Customer data storage Registering a Change Auditor Installation Pausing Change Auditor event forwarding Resuming Change Auditor event forwarding Removing a Change Auditor Installation Reviewing the status of your Change Auditor installation

SpecterOps BloodHound Enterprise Integration

Configure a SpecterOps BloodHound Integration

Working with On Demand Audit

Using the dashboard

Working with Activity Indicators Monitoring Audit Health status Identifying critical activity Identifying the top active users Working with My Favorite Searches Monitoring sign-in trends

Searching for specific event data (Quick Search) Working with critical activity Working with searches

Working with private and shared searches Running a search Using built in searches

Active Directory Built in searches Active Directory Federation Services built in searches Active Directory Database built in searches Anomaly Activity built in searches Audit Health built in searches Azure Active Directory built in searches Best Practices built in searches BloodHound Tier Zero assets built in searches File System built in searches Group Policy built in searches Logon Activity built in searches Office 365 built in searches On Demand Audit built in searches Teams built in searches Security Guardian built in searches

Creating a custom search Copying an existing search Exporting a search Creating a search from an existing search Creating or filtering a search based on event details Customizing the search display Viewing search results and event details Copying event details Modifying a search Deleting a search Working with categories

Working with alerts and alert plans

Managing alerts and alert plans Using built in alerts and alert plans

Auditing Azure Active Directory

Event collection and Azure Active Directory subscription Working with Azure Active Directory Searches Working with Azure Active Directory events with multiple targets Auditing risk events

Auditing Office 365

Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Teams built in searches

Working with On Demand Audit > Working with searches > Using built in searches > Teams built in searches

On Demand Audit provides the following Teams searches:

Teams app events in the past 7 days
Teams bot events in the past 7 days
Teams channel events in the past 7 days
Teams client configuration changes in the past 30 days
Teams connector events in the past 7 days
Teams events in the past 7 days
Teams guest access configuration changes in the past 30 days
Teams guest members added in the past 7 days
Teams member role changes in the past 7 days
Teams member changes in the past 7 days
Teams notification and feeds policy changes in the past 30 days
Teams organization setting changes in the past 30 days
Teams tab events in the past 7 days
Teams targeting policy changes in the past 30 days
Teams team created events in the past 30 days
Teams team deleted events in the past 30 days
Teams team setting changes in the past 7 days
Teams user sign-in events in the past 7 days

Security Guardian built in searches

Working with On Demand Audit > Working with searches > Using built in searches > Security Guardian built in searches

On Demand Audit provides the following Security Guardian built in searches:

All Security Guardian events in the past 24 hours
All Security Guardian events in the past 7 days
SG Indicators of Compromise in the past 30 days
SG Indicators of Exposure in the past 30 days
SG Tier Zero objects added in the past 30 days
SG Tier Zero objects removed in the past 30 days
SG Tier Zero objects certified in the past 30 days
SG all indicators muted and unmuted in the past 30 days
SG all objects muted and unmuted in the past 30 days
SG all Tier Zero objects protected in the past 30 days
SG all AD DB objects protected in the past 30 days

Creating a custom search

Working with On Demand Audit > Working with searches > Creating a custom search

Custom searches allow you to locate and report on the data that is of interest to you. The associated search preview updates as you construct a search to ensure you are getting the desired results. For options, see Customizing the search display.

NOTE:

Private search names must be unique among all categories for each user.
Shared search name must be unique among all shared searches in all categories in the organization

To create a search

Under the Searches tab, click New Search.
Enter a name for the search.
Click Add to enter the required search criteria.
Select as many filters as required. Search terms are highlighted in the preview (and search results and event details) to allows you to quickly scan for matches.
Click Edit Columns to arrange, add, and remove the columns displayed in the search. See Customizing the search display.
Click Save.By default, the new search will be created in the category you have selected when clicking New Search. If required select a different category.
Select whether this is a private or shared search. Working with private and shared searches.
Click Save.
If required, click Alert, select the required alert plan (or create a new alert plan) to notify the required individuals , click Save. See Working with alerts and alert plans

Available filters

The available string operators include:

equals
does not equal
contains
does not contain
in
not in
starts with
does not start with
ends with
does not end

The available integer operators for sign-in events:

equals_number
does_not_equal_number
greater_than
greater_than_or_equals
less_than
less_than_or_equals
between_number

The available date and time operators include:

during last number of days or hours (By default, this is set to the last 7 days for all new searches.)
between
before
after

Copying an existing search

Working with On Demand Audit > Working with searches > Copying an existing search

Copying an existing search allows you to take advantage of existing settings and modify as required.

Under the Searches tab, select the search.
Click the copy icon. The search is created with "Copy" appended to its name.
Enter a new name and change the category, if required, by selecting a new category from the drop don list.
Select whether this is a private or shared search. See Working with private and shared searches.
Click Copy.

The new search is now available to edit as required.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center