Chat now with support
Chat with Support

NOTICE! We are upgrading our support telephone services, implementing Genesys, starting the week of May 19, 2025

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and notification templates Auditing Microsoft Entra Auditing Microsoft 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Exporting a search

NOTE:

  • 50 000 is the maximum number of results that can be exported at once. You will need to refine the search before exporting if the results exceed this number.
  • The maximum download size is 250 MB. If this size is reached, only complete results will be included, the rest will be truncated. For searches with a large number of results, the ZIP option should be used.

To export a search

  1. Select the Searches tab.
  2. Locate the required search in the list of categories.
  3. Run the search.
  4. From the Export button, select to export to a CSV or CSV as ZIP file. The location for the file is determined by your browser settings.

Creating a search from an existing search

Creating a search based on an existing search allows you to add granularity by adjusting the filters, category, and columns to suit your specific needs.

To create a new search based on an existing custom or built in search

  1. Under the Searches tab, select the search.
  2. Click the pencil icon to modify the search.
  3. Remove, add, edit search criteria as required. Search terms are highlighted in the preview (and search results and event details) to allows you to quickly scan for matches.
  4. If required, click Edit Columns to rearrange, add, and remove columns. See Customizing the search display.
  5. Select Save As.
  6. Edit the search name and select the category.
  7. Select whether this is a private or shared search. Working with private and shared searches.
  8. Click Save.
  9. If required, click Alert, select the required notification template (or create a new one) to notify the required individuals , click Save. See Working with alerts and notification templates

Creating or filtering a search based on event details

You can quickly create a new search or refine an existing search based on values within the event details pane. This allows you to delve deeper into the details found from existing searches.

To create a search based on an event detail

  1. Select the Searches tab.
  2. Locate the required search in the list of categories.
  3. To run the search, simply click it or highlight it and click the run (arrow) icon.
  4. Select the required value, click the More options icon (...), and select New Search on this value.
  5. You can select to run the search, save it, or further filter it as required.

To filter a search based on an event detail

  1. Select the Searches tab.
  2. Locate the required search in the list of categories.
  3. To run the search, simply click it or highlight it and click the run (arrow) icon.
  4. Select the required value, click the More options icon (...), and select Add filter on this value.
  5. You can select to run the search, save it, or further filter it as required.

Customizing the search display

When you create a search, a preview displays to help ensure the search criteria meet your needs. You can easily customizing the columns that display in the generated report and set how you want the report results displayed through the visualization settings.

NOTE: Some columns are included by default, such as Time Detected, User (Actor), Activity, Target, Origin IP, Service, Status, and Tenant Name. For a list of available columns, see Appendix A: Working with search columns and filters

To customize the display of the search results

  1. As you create a search, click Edit Columns.
  2. Drag and drop the columns to change the order.
  3. To remove a column, click the - next to the appropriate column.
  4. To add a column, click Add Column.
  5. Select the Visualize menu and choose how to visualize the results. You can choose between a Chart & Grid, Grid only, or Chart only.
  6. If you select to display as a chart & Grid or Chart, you can further refine the display by selecting the type of chart (horizontal bar chart, time series, or donut) and how you want to group and summarize the data.
  7. Click Preview to view your changes.
  8. Click Save to save your changes.
If you have selected to visualize the search in a donut or bar chart, you can add and remove items from the display by clicking to clear or enable them from the legend, and select a section of the donut or bar to view more details.

 

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating