
On Demand Audit Current - User Guide


Appendix A: Working with Filters

The following columns, filters, and pre-defined values are available to help you locate the information you need to secure your environment.

Available search filters and columns

Filter | Value to enter / available pre-defined values to select
Action

Select from the following pre-defined values:

  • Add Attribute
  • Add Object
  • Delete Attribute
  • Delete Object
  • Modify Attribute
  • Move Object
  • Other Actions
  • Rename Object
Activity
  • Enter an associated value
Activity Category
  • AD Query

  • Anonymous Cloud Activity

  • Anonymous Web Site Activity

  • Authentication Activity

  • Authentication Services Monitoring

  • Azure Active Directory
  • Azure Active Directory - Administrative Units

  • Azure Active Directory - Application
  • Azure Active Directory - B2B
  • Azure Active Directory - Directory

  • Azure Active Directory - Group

  • Azure Active Directory - Policy

  • Azure Active Directory - Resource

  • Azure Active Directory - Risk Event
  • Azure Active Directory - Role
  • Azure Active Directory - Sign-in

  • Azure Active Directory - User

  • Change Auditor Internal Auditing

  • Configuration Monitoring

  • Connection Object

  • Custom AD Object Monitoring

  • Custom ADAM Object Monitoring
  • Custom Computer Monitoring
  • Custom File System Monitoring

  • Custom Group Monitoring

  • Custom Registry Monitoring

  • Custom User Monitoring

  • Defender

  • DNS Service

  • DNS Zone

  • Domain Configuration

  • Domain Controller Authentication

  • Dynamic Access Control

  • EMC

  • Exchange ActiveSync Monitoring

  • Exchange Administrative Group
  • Exchange Distribution List

  • Exchange Mailbox Monitoring

  • Exchange Organization

  • Exchange Permission Tracking

  • Exchange Security Group

  • Exchange User

  • Fault Tolerance

  • File System Access Denied
  • File System Configuration Change
  • File System Content Change
  • File System Content Access
  • File System Security Change
  • FluidFS

  • Forest Configuration
  • FRS Service

  • Group Policy Item

  • Group Policy Object

  • Group Monitoring

  • IP Security

  • Local Group Monitoring
  • Local User Monitoring
  • Logon Session

  • NetApp
  • NETLOGON Service

  • None

  • NTDS Service

  • Office 365 Exchange Online Administration

  • Office 365 SharePoint Online
  • Office 365 OneDrive for Business
  • Office 365 Exchange Online Mailbox
  • OU

  • Replication Transport

  • Schema Configuration
  • Security Change Detail

  • Service Monitoring

  • SharePoint Document

  • SharePoint Document Library

  • SharePoint Farm

  • SharePoint Folder

  • SharePoint List

  • SharePoint List Item

  • SharePoint Permission
  • SharePoint Security Group
  • SharePoint Site

  • SharePoint Site Collection

  • Site Configuration

  • Site Link Bridge Configuration

  • Site Link Configuration
  • Skype for Business Administration

  • Skype for Business Configuration

  • SQL Broker Event

  • SQL CLR Event
  • SQL Cursors Event

  • SQL Data Level

  • SQL Database Event
  • SQL Deprecation Event

  • SQL Errors and Warnings Event

  • SQL Full Text Event
  • SQL Locks Event

  • SQL Objects Event
  • SQL OLEDB Event
  • SQL Performance Event

  • SQL Progress Report Event
  • SQL Query Notifications Event
  • SQL Scan Event
  • SQL Security Audit Event

  • SQL Server Event

  • SQL Session Event
  • SQL Stored Procedures Event

  • SQL Transaction Event
  • SQL TSQL Event

  • SQL User-Configurable Event

  • Subnets

  • System Events

  • SYSVOL

  • Threat Detection - Alert

  • Threat Detection - Risky User

  • User Cloud Activity

  • User Web Site Activity

  • VMware Account

  • VMware Alarm

  • VMware Authorization

  • VMware Cluster
  • VMware Custom Field

  • VMware Datacenter

  • VMware Datastore

  • VMware DVPortgroup

  • VMware Dvs

  • VMware Generic

  • VMware Host

  • VMware License

  • VMware Profile

  • VMware Resource Pool

  • VMware Scheduled Task

  • VMware Session

  • VMware Task
  • VMware Template Upgrade

  • VMware Upgrade

  • VMware Virtual Machine

Activity Id
  • Enter an associated value
Activity Time
  • Enter days or hours
Actor Id
  • Enter an associated value
Actor Name
  • Enter an associated value
Actor Object Id
  • Enter an associated value
Actor PUID
  • Enter an associated value
Actor Service Principle Name
  • Enter an associated value
Actor User Principal Name
  • Enter an associated value
AD Authorization Port
  • Enter an associated value
AD Kerberos
  • Enter an associated value
AD Security Change Applies To
  • Enter an associated value
AD Security Change Condition
  • Enter an associated value
AD Security Change Permission
  • Enter an associated value
AD Security Change Type
  • Enter an associated value
AD Simple Bind
  • Enter an associated value
AD SSL/TLS
  • Enter an associated value
Additional Details
  • Enter an associated value
Additional Info
  • Enter an associated value
Add-on Guid
  • Enter an associated value
Add-on Name
  • Enter an associated value
Add-on Type

Select from the following pre-defined values:

  • Bot
  • Connector
  • Tab
  • App
Affected Items
  • Enter an associated value
Agent Domain Fully Qualified Domain Name
  • Enter an associated value
Agent Forest Name
  • Enter an associated value
Agent Fully Qualified Domain Name
  • Enter an associated value
Agent Id
  • Enter an associated value
Agent OS Version
  • Enter an associated value
Agent Site Name
  • Enter an associated value
Alert Recipients
  • Enter an associated value
Application Id
  • Enter an associated value
Application Name
  • Enter an associated value
Attribute Name
  • Enter an associated value
Atypical Location

Select from the following pre-defined values:

  • Yes
  • No
Audit Item
  • Enter an associated value
Audit Source
  • Enter an associated value
Authentication Protocol

Select from the following pre-defined values:

  • Kerberos
  • NTLM
  • Unknown
Authentication Protocol Version

Select from the following pre-defined values:

  • V1
  • V2
Azure AD Activity Operation Type
  • Enter an associated value
Azure AD Activity Type
  • Enter an associated value
Azure AD Category
  • Enter an associated value
Azure AD Result Description
  • Enter an associated value
Channel Name
  • Enter an associated value
Channel Guid
  • Enter an associated value
Channel Type

Select from the following pre-defined values:

  • Private
  • Standard
Change Auditor Event Class ID
  • Enter an associated value
Change Auditor Event Class Name
  • Enter an associated value
Change Auditor Facility ID
  • Enter an associated value
Change Auditor Facility Name
  • Enter an associated value
City
  • Enter an associated value
Client Info String
  • Enter an associated value
Client IP Address
  • Enter an associated value
Client Machine Name
  • Enter an associated value
Client Process Name
  • Enter an associated value
Client Version
  • Enter an associated value
Cmdlet Name
  • Enter an associated value
Comment
  • Enter an associated value
Coordinator Id
  • Enter an associated value
Correlation Id
  • Enter an associated value
Country
  • Enter an associated value
Cross-Mailbox Operations
  • Enter an associated value
Custom Event
  • Enter an associated value
Destination File Extension
  • Enter an associated value
Destination FileName
  • Enter an associated value
Destination Folder
  • Enter an associated value
Destination MailboxId Id
  • Enter an associated value
Destination MailboxId Owner Master Account Sid
  • Enter an associated value
Destination MailboxId Owner Sid
  • Enter an associated value
Destination MailboxId Owner UPN
  • Enter an associated value
Destination relative URL
  • Enter an associated value
Detection Timing

Select from the following pre-defined values:

  • Near Realtime
  • Not Defined
  • Offline
  • Realtime
Device Information
  • Enter an associated value
Distribution Group Name
  • Enter an associated value
Domain Name
  • Enter an associated value
Error Code
  • Enter an associated value
Event Data
  • Enter an associated value
Event Id
  • Enter an associated value
Event Source
  • Enter an associated value
Event Source Application
  • Enter an associated value
Event Version
  • Enter an associated value
External Access
  • Enter an associated value
Failure Reason
  • Enter an associated value
Folder
  • Enter an associated value
Initiator User Mail
  • Enter an associated value
Initiator User Name
  • Enter an associated value
Initiator User SID
  • Enter an associated value
Installation Id
  • Enter an associated value
Internal Correlation Id
  • Enter an associated value
Is Linked Group Policy Change

Select from the following pre-defined values:

  • False
  • True
Item type
  • Enter an associated value
Kerberos Ticket Lifetime (Hours)
  • Enter an associated value
Logon Begin Type

Select from the following pre-defined values:

    • Additional logon

    • Concurrent user disconnected
    • Existing logon
    • Lock
    • Logoff
    • Logon
    • None
    • Remote logoff
    • Remote logon
    • Screensaver turned off
    • Screensaver turned on
    • Shutdown
    • Unlock
    Logon Duration
    • Enter an associated value
    Logon End
    • Enter days or hours
    Logon End Type

    Select from the following pre-defined values:

    • Additional logon
    • Concurrent user disconnected
    • Existing logon
    • Lock
    • Logoff
    • Logon
    • None
    • Remote logoff
    • Remote logon
    • Screensaver turned off
    • Screensaver turned on
    • Shutdown
    • Unlock
    Logon Session End
    • Enter days or hours
    Logon Session Start
    • Enter days or hours
    Logon Start
    • Enter days or hours
    Logon Type (Exchange Online)

    Select from the following pre-defined values:

    • Admin
    • Best Access
    • Delegated
    • Delegated Admin
    • Owner
    • System Service
    • Transport
    • Unknown
    Logon Type (Windows)

    Select from the following pre-defined values:

    • None
    • Remote Interactive
    • Domain Authentication
    • User Session
    • Interactive
    • Network
    • All
    Logon User Display Name
    • Enter an associated value
    Logon User Sid
    • Enter an associated value
    Machine Domain Info
    • Enter an associated value
    Machine Id
    • Enter an associated value
    Mailbox Guid
    • Enter an associated value
    Mailbox Name
    • Enter an associated value
    Mailbox Owner Master Account Sid
    • Enter an associated value
    Mailbox Owner Sid
    • Enter an associated value
    Mailbox Owner UPN
    • Enter an associated value
    Malware Name
    • Enter an associated value
    MFA Authentication Detail
    • Enter an associated value
    MFA Authentication Method
    • Enter an associated value
    MFA Required

    Select from the following pre-defined values:

    • Yes
    • No
    MFA Result
    • Enter an associated value
    Modified Object
    • Enter an associated value
    Modified Properties
    • Enter an associated value
    NTLM Impersonation Level

    Select from the following pre-defined values:

    • Default
    • Anonymous
    • Identify
    • Impersonate
    • Delegate
    NTLM Key Length
    • Enter an associated value
    Object Id
    • Enter an associated value
    Office365 Organization Id
    • Enter an associated value
    Organization Name
    • Enter an associated value
    Origin AD Site Name
    • Enter an associated value
    Origin IP Address
    • Enter an associated value
    Origin IPv4 Address
    • Enter an associated value
    Origin IPv6 Address
    • Enter an associated value
    Origin Name
    • Enter an associated value
    Originating Server
    • Enter an associated value
    Parameters
    • Enter an associated value
    Parent Event Id
    • Enter an associated value
    Policy Setting
    • Access Credential Manager as a trusted caller

    • Access This Computer From The Network

    • Account Lockout Duration

    • Account Lockout Threshold

    • Account Logon: Audit Credential Validation

    • Account Logon: Audit Kerberos Authentication Service

    • Account Logon: Audit Kerberos Service Ticket Operations

    • Account Logon: Audit Other Account Logon Events

    • Account Management: Audit Application Group Management

    • Account Management: Audit Computer Account Management

    • Account Management: Audit Distribution Group Management

    • Account Management: Audit Other Account Management Events

    • Account Management: Audit Security Group Management

    • Account Management: Audit User Account Management

    • Accounts: Administrator Account Status

    • Accounts: Guest Account Status

    • Accounts: Limit Local Account Use Of Blank Passwords To Console Logon Only

    • Accounts: Rename Administrator Account

    • Accounts: Rename Guest Account

    • Act As Part Of The Operating System

    • Add Workstations To Domain

    • Adjust Memory Quotas For A Process

    • Allow Log On Locally

    • Allow Log On Through Terminal Services

    • Application Data Folder options

    • Application Data Folder target path

    • Audit Account Logon Events

    • Audit Account Management

    • Audit Directory Service Access

    • Audit Logon Events

    • Audit Object Access

    • Audit Policy Change

    • Audit Privilege Use

    • Audit Process Tracking

    • Audit System Events

    • Audit: Audit The Access Of Global System Objects

    • Audit: Audit The Use Of Backup And Restore Privilege

    • Audit: Force audit policy subcategory settings (Windows Vista or later) to override audit policy category settings

    • Audit: Shut Down System Immediately If Unable To Log Security Audits

    • Authenticode Settings Enable Trusted Publisher Lockdown option

    • Autoenrollment Settings

    • Automatic Browser Configuration Auto-config URL

    • Automatic Browser Configuration Automatic Configuration option

    • Automatic Browser Configuration Automatic Configuration Time

    • Automatic Browser Configuration Automatic detection option

    • Automatic Browser Configuration Auto-proxy URL

    • Automatic Certificate Request Settings

    • Back Up Files And Directories

    • Basic User Hash Rule

    • Basic User Zone Rule

    • BitLocker Drive Encryption

    • Browser Title

    • Bypass Traverse Checking

    • Central Access Policy

    • Change The System Time

    • Change the time zone

    • Computer Configuration Administrative Template

    • Computer Preference Setting

    • Connection Settings Delete Existing Option

    • Connection Settings Import Option

    • Contacts Folder target path

    • Content Ratings option

    • Create A Pagefile

    • Create A Token Object

    • Create Global Objects

    • Create Permanent Shared Objects

    • Create symbolic links

    • Custom Large Static Logo

    • Custom Small Animated Logo

    • Custom Small Static Logo

    • Debug Programs

    • Default Security Level

    • Delete Existing Channels option

    • Delete Existing Favorites option

    • Deny Access To This Computer From The Network

    • Deny Log On As A Batch Job

    • Deny Log On As A Service

    • Deny Log On Locally

    • Deny Log On Through Terminal Services / Remote Desktop Services

    • Designated File Types

    • Desktop Folder options

    • Desktop Folder target path

    • Detailed Tracking: Audit DPAPI Activity

    • Detailed Tracking: Audit Process Creation

    • Detailed Tracking: Audit Process Termination

    • Detailed Tracking: Audit RPC Events

    • Devices: Allow Undock Without Having To Logon

    • Devices: Allowed To Format And Eject Removable Media

    • Devices: Prevent Users From Installing Printer Drivers

    • Devices: Restrict CD-ROM Access To Locally Logged-On User Only

    • Devices: Restrict Floppy Access To Locally Logged-On User Only

    • Devices: Unsigned Driver Installation Behavior

    • Disallowed Certificate Rule
    • Disallowed Hash Rule

    • Disallowed Path Rule

    • Disallowed Zone Rule

    • Domain Controller: Allow Server Operators To Schedule

    • Domain Controller: LDAP Server Signing Requirements

    • Domain Controller: Refuse Machine Account Password C

    • Domain Member: Digitally Encrypt Or Sign Secure Channel Data (Always)

    • Domain Member: Digitally Encrypt Secure Channel Data (When Possible)

    • Domain Member: Digitally Sign Secure Channel Data (When Possible)

    • Domain Member: Disable Machine Account Password Changes

    • Domain Member: Maximum Machine Account Password Age

    • Domain Member: Require Strong (Windows 2000 Or Later) Session Key

    • Downloads Folder options

    • Downloads Folder target path

    • DS Access: Audit Detailed Directory Service Replication

    • DS Access: Audit Directory Service Access

    • DS Access: Audit Directory Service Changes

    • DS Access: Audit Directory Service Replication

    • Enable Computer And User Accounts To Be Trusted For Delegation

    • Encrypting File System

    • Enforce Password History

    • Enforce User Logon Restrictions

    • Enforcement Files

    • Enforcement Users

    • Enterprise Trust

    • Favorites List

    • Favorites options

    • Favorites target path

    • File or Folder

    • Force Shutdown From A Remote System

    • Generate Security Audits

    • Global Object Access Auditing: File system

    • Global Object Access Auditing: Registry

    • Group Policy Container Access

    • Group policy disable computer configuration flag

    • Group policy disable user configuration flag

    • Group policy WMI Filter

    • Impersonate A Client After Authentication

    • Important URLs Home Page URL

    • Important URLs Online Support URL

    • Important URLs Search Bar URL

    • Increase a process working set

    • Increase Scheduling Priority

    • Interactive Logon: Display user information when the session is locked

    • Interactive Logon: Do Not Display Last User Name

    • Interactive Logon: Do Not Require CTRL+ALT+DEL

    • Interactive Logon: Message Text For Users Attempting To Log On

    • Interactive Logon: Message Title For Users Attempting To Log On

    • Interactive Logon: Number Of Previous Logons To Cache (In Case Domain Controller Is Not Available)

    • Interactive Logon: Prompt User To Change Password Before Expiration

    • Interactive Logon: Require Domain Controller Authentication To Unlock Workstation

    • Interactive Logon: Require Smart Card

    • Interactive Logon: Smart Card Removal Behavior

    • Intermediate Certificate Authorities

    • IP Security Policy

    • Links Folder options

    • Links Folder target path

    • Links List

    • Load And Unload Device Drivers

    • Lock Pages In Memory

    • Log On As A Batch Job

    • Log On As A Service

    • Logon/Logoff: Audit Account Lockout

    • Logon/Logoff: Audit IPsec Extended Mode

    • Logon/Logoff: Audit Logon

    • Logon/Logoff: Audit Network Policy Server

    • Logon/Logoff: Audit Other Logon/Logoff Events

    • Logon/Logoff: Audit Special Logon

    • Machine Access Restrictions in Security Descriptor Definition Language (SDDL) syntax

    • Machine Launch Restrictions in Security Descriptor Definition Language (SDDL) syntax

    • Manage Auditing And Security Log

    • Maximum Application Log Size

    • Maximum Lifetime For Service Ticket

    • Maximum Lifetime for User Ticket

    • Maximum Lifetime For User Ticket Renewal

    • Maximum Password Age

    • Maximum Security Log Size

    • Maximum System Log Size

    • Maximum Tolerance for Computer Clock Synchronization

    • Microsoft Network Client: Digitally Sign Communications (Always)

    • Microsoft Network Client: Digitally Sign Communications (If Server Agrees)

    • Microsoft Network Client: Send Unencrypted Password To Connect To Third-Party SMB Servers

    • Microsoft Network Server: Amount Of Idle Time Required Before Suspending Session

    • Microsoft Network Server: Digitally Sign Communication (Always)

    • Microsoft Network Server: Digitally Sign Communications (If Client Agrees)

    • Microsoft Network Server: Disconnect Clients When Logon Hours Expire

    • Microsoft network server: Server SPN target name validation level

    • Minimum Password Age

    • Minimum Password Length

    • Modify Firmware Environment

    • Music Folder options

    • Music Folder target path

    • My Documents Folder options

    • My Documents Folder Redirection: My Pictures Options

    • My Documents Folder target path

    • NAP Client Health Registration Settings: CSP

    • NAP Client Health Registration Settings: CSP Key Length

    • NAP Client Health Registration Settings: Hash Algorithm

    • NAP Client Health Registration Settings: Require server verification

    • NAP Client Health Registration Settings: Trusted server group

    • NAP Client Health Registration Settings: Trusted server URL

    • NAP Enforcement Clients: DHCP Quarantine Enforcement Client

    • NAP Enforcement Clients: IPsec Relying Party

    • NAP Enforcement Clients: RD Gateway Quarantine Enforcement Client

    • NAP Enforcement Clients: Remote access enforcement client for Windows XP and Windows Vista

    • NAP Enforcement Clients: Wireless EAPOL enforcement client for Windows XP

    • NAP User Interface Settings: Description changed

    • NAP User Interface Settings: Image File changed

    • NAP User Interface Settings: Image File Name changed

    • NAP User Interface Settings: Title changed

    • Network Access: Allow Anonymous SID/Name Translation

    • Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts

    • Network Access: Do Not Allow Anonymous Enumeration Of SAM Accounts And Shares

    • Network Access: Do Not Allow Storage Of Credentials Or .NET Passports For Network Authentication

    • Network Access: Let Everyone Permissions Apply To Anonymous Users

    • Network Access: Named Pipes That Can Be Accessed Anonymously

    • Network Access: Remotely Accessible Registry Paths

    • Network Access: Remotely Accessible Registry Paths And Sub-Paths

    • Network Access: Restrict Anonymous Access To Named Pipes and Shares

    • Network Access: Shares That Can Be Accessed Anonymously

    • Network Access: Sharing And Security Model For Local Accounts

    • Network Security: Allow Local System to use computer identity for NTLM

    • Network security: Allow LocalSystem NULL session fallback

    • Network security: Allow PKU2U authentication requests to this computer to use online identities

    • Network security: Configure encryption types allowed for Kerberos

    • Network Security: Do Not Store LAN Manager Hash Value On Next Password Change

    • Network Security: Force Logoff When Logon Hours Expire

    • Network Security: LAN Manager Authentication Level

    • Network Security: LDAP Client Signing Requirements

    • Network Security: Minimum Session Security For NTLM SSP Based (Including Secure RPC) Clients

    • Network Security: Minimum Session Security For NTLM SSP Based (Including Secure RPC) Servers

    • Network security: Restrict NTLM: NTLM authentication in this domain

    • Network security: Restrict NTLM: Add remote server exceptions for NTLM authentication

    • Network security: Restrict NTLM: Add server exceptions in this domain

    • Network security: Restrict NTLM: Audit Incoming NTLM Traffic

    • Network security: Restrict NTLM: Audit NTLM authentication in this domain

    • Network security: Restrict NTLM: Incoming NTLM traffic

    • Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers

    • NLM: Location type

    • NLM: Location type permissions

    • NLM: Network icon permissions

    • NLM: Network name

    • NLM: Network name permissions

    • Object Access: Audit Application Generated

    • Object Access: Audit Certification Services

    • Object Access: Audit File Share

    • Object Access: Audit File System

    • Object Access: Audit Filtering Platform Connection

    • Object Access: Audit Filtering Platform Packet Drop

    • Object Access: Audit Handle Manipulation

    • Object Access: Audit Kernel Object

    • Object Access: Audit Other Object Access Events

    • Object Access: Audit Registry

    • Object Access: Audit SAM

    • Object Access: Detailed File Share

    • Password Must Meet Complexity Requirements

    • Perform Volume Maintenance Tasks

    • Pictures Folder options

    • Pictures Folder target path

    • Place Favorites At Top Of List option

    • Policy Change: Audit Authentication Policy Change

    • Policy Change: Audit Authorization Policy Change

    • Policy Change: Audit Filtering Platform Policy Change

    • Policy Change: Audit MPSSVC Rule-Level Policy Change

    • Policy Change: Audit Other Policy Change Events

    • Policy Change: Audit Policy Change

    • Prevent Local Guests Group From Accessing Application Log

    • Prevent Local Guests Group From Accessing Security Log

    • Prevent Local Guests Group From Accessing System Log

    • Privilege Use: Audit Non Sensitive Privilege Use

    • Privilege Use: Audit Other Privilege Use Events

    • Privilege Use: Audit Sensitive Privilege Use

    • Profile System Performance

    • Program Settings option

    • Proxy Settings Exceptions

    • Proxy Settings FTP Proxy

    • Proxy Settings Gopher Proxy

    • Proxy Settings HTTP Proxy

    • Proxy Settings Secure Proxy

    • Proxy Settings Socks Proxy

    • QoS Policy: Application Name

    • QoS Policy: DSCP Value

    • QoS Policy: Local IP

    • QoS Policy: Local IP Prefix Length

    • QoS Policy: Local Port

    • QoS Policy: Protocol

    • QoS Policy: Remote IP

    • QoS Policy: Remote IP Prefix Length

    • QoS Policy: Remote Port

    • QoS Policy: Throttle Rate

    • QoS Policy: URL

    • QoS Policy: URL Recursive

    • QoS Policy: Version

    • Recovery Console: Allow Automatic Administrative Logon

    • Recovery Console: Allow Floppy Copy And Access To All Drives And All Folders

    • Registry key

    • Remove Computer From Docking Station

    • Replace A Process Level Token

    • Reset Account Lockout Counter After Change

    • Restore Files And Directories

    • Restricted Group

    • Restricted Group Member

    • Restricted Group Membership

    • Retain Application Log

    • Retain Security Log

    • Retain System Log

    • Retention Method For Application Log

    • Retention Method For Security Log

    • Retention Method For System Log

    • Saved Games Folder target path

    • Script setting

    • Searches Folder options

    • Searches Folder target path

    • Secure System Partition (For RISC Platforms Only)

    • Security Zones and Privacy option

    • Shut Down The Computer When The Security Audit Log Is Full

    • Shut Down The System

    • Shutdown: Allow System To Be Shut Down Without Having To Log On

    • Shutdown: Clear Virtual Memory Pagefile

    • Software Installation Policy

    • Start Menu Folder options

    • Start Menu Folder target path

    • Starter GPO

    • Starter GPO Computer setting

    • Starter GPO User setting

    • Store Passwords Using Reversible Encryption

    • Synchronize Directory Service Data

    • System Cryptography: Force Strong Key Protection For User Keys Stored On The Computer policy

    • System Cryptography: Use FIPS Compliant Algorithms For Encryption, Hashing, and Signing policy

    • System Objects: Default Owner For Objects Created By Members Of The Administrators Group policy

    • System Objects: Require Case Insensitivity For Non-Windows Subsystems policy

    • System objects: Strengthen default permissions of internal system objects (e.g. Symbolic Links) policy

    • System Services Policy Service

    • System Services Policy Service Startup Mode

    • System Settings: Optional Subsystems

    • System Settings: Use Certificate Rules On Windows Executables For Software Restriction Policies

    • System: Audit IPsec Driver

    • System: Audit Other System Events

    • System: Audit Security State Change

    • System: Audit Security System Extension

    • System: Audit System Integrity

    • Take Ownership Of Files Or Other Objects

    • Toolbar background Bitmap

    • Toolbar Buttons

    • Trusted People

    • Trusted Publishers

    • Trusted Root Certification Authority

    • Unrestricted Certificate Rule

    • Unrestricted Hash Rule

    • Unrestricted Path Rule

    • Unrestricted Zone Rule

    • Unsigned Non-Driver Installation Behavior

    • User Account Control: Admin Approval Mode for the Built-in Administrator account

    • User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop

    • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode

    • User Account Control: Behavior of the elevation prompt for standard users

    • User Account Control: Detect application installations and prompt for elevation

    • User Account Control: Only elevate executables that are signed and validated

    • User Account Control: Only elevate UIAccess applications that are installed in secure locations

    • User Account Control: Run all administrators in Admin Approval Mode

    • User Account Control: Switch to the secure desktop when prompting for elevation

    • User Account Control: Virtualize file and registry write failures to per-user locations

    • User Administrative Template setting

    • User Agent String

    • User Credential Roaming

    • User Credential Roaming Options

    • User Group Policy Preference

    • User Software Restriction Basic User Hash Rule

    • User Software Restriction Basic User Path Rule

    • User Software Restriction Basic User Zone Rule

    • User Software Restriction Designated File Types

    • User Software Restriction Disallowed Certificate Rule

    • User Software Restriction Disallowed Hash Rule

    • User Software Restriction Disallowed Path Rule

    • User Software Restriction Disallowed Zone Rule

    • User Software Restriction Enforcement Files

    • User Software Restriction Enforcement Users

    • User Software Restriction Policies Default Security Level

    • User Software Restriction Trusted Publishers

    • User Software Restriction Unrestricted Certificate Rule

    • User Software Restriction Unrestricted Hash Rule

    • User Software Restriction Unrestricted Path Rule

    • User Software Restriction Unrestricted Zone Rule

    • Videos Folder options

    • Videos target path

    • Wireless Network Policy

    Policy Setting Category
    • Account Lockout Policy

    • Additional Rules

    • Administrative Templates: Policy definitions

    • Audit Policies

    • Audit Policy

    • Central Access Policy

    • Change Auditor Protection

    • Event Log

    • File System

    • Folder Redirection

    • GPO Status

    • Internet Explorer Maintenance

    • IP Security Policies on Active Directory

    • Kerberos Policy

    • NAP Client Configuration

    • Network List Manager Policies

    • Password Policy

    • Policy-Based QoS

    • Preferences

    • Public Key Policies

    • Registry

    • Restricted Groups

    • Scripts (Logon/Logoff)

    • Scripts (Startup/Shutdown)

    • Security Levels

    • Security Options

    • Software Installation

    • Software Restriction Policies

    • Software Settings

    • Starter GPO

    • System Services

    • User Rights Assignment

    • Wireless Network Policies

    • WMI Filtering

    Policy Setting List Item
    • Enter an associated value
    Policy Setting Location
    • Enter an associated value
    Previous City
    • Enter an associated value
    Previous Country
    • Enter an associated value
    Previous IP
    • Enter an associated value
    Previous Sign-in Time
    • Enter days or hours
    Previous State
    • Enter an associated value
    Previous User Agent
    • Enter an associated value
    Property Name
    • Enter an associated value
    Property Before Value
    • Enter an associated value
    Property After Value
    • Enter an associated value
    Record Type
    • Enter an associated value
    Request Id
    • Enter an associated value
    Result Status
    • Enter an associated value
    Risk Activity

    Select from the following pre-defined values:

    • Signin
    • User
    Risk Correlation Id
    • Enter an associated value
    Risk Detail

    Select from the following pre-defined values:

    • None
    • Admin Generated Temporary Password
    • User Performed Secured Password Change
    • User Performed Secured Password Reset
    • Admin Confirmed Signin Safe
    • Hidden
    • Admin Confirmed Signin Compromised
    • Admin Confirmed User Compromised
    • Admin Dismissed All Risk For User
    • Ai Confirmed Signin Safe
    • User Passed MFA Driven By Risk Based Policy
    Risk Detected Time
    • Enter days or hours
    Risk Event Details
    • Enter an associated value
    Risk Event Id
    • Enter an associated value
    Risk Event Status

    Select from the following pre-defined values:

    • Active
    • Closed (MFA Auto-Closed)
    • Closed (Multiple Reasons)
    • Closed (marked as false positive)
    • Closed (resolved)
    • Closed (ignored)
    • Login Blocked
    • Remediated
    Risk Event Time
    • Enter days or hours
    Risk Event Type

    Select from the following pre-defined values:

    • Anonymous IP Risk Event
    • Impossible Travel Risk Event
    • Leaked Credentials Risk Event
    • Malware Risk Event
    • Suspicious IP Risk Event
    • Unfamiliar Location Risk Event
    Risk Level

    Select from the following pre-defined values:

    • Hidden
    • High
    • Low
    • Medium
    • None
    Risk Source
    • Enter an associated value
    Risk State

    Select from the following pre-defined values:

    • At Risk
    • Confirmed Compromised
    • Confirmed Safe
    • Dismissed
    • None
    • Remediated
    Risk Type

    Select from the following pre-defined values:

    • Unlikely Travel
    • Anonymized IP Address
    • Malicious IP Address
    • Unfamiliar Features
    • Malware Infected IP Address
    • Suspicious IP Address
    • Leaked Credentials
    • Investigations Threat Intelligence
    • Generic Admin Confirmed User Compromised
    • Mcas Impossible Travel
    • Mcas Suspicious Inbox Manipulation Rules
    • Investigations Threat Intelligence Signin Linked
    • Malicious IP Address Valid Credentials Blocked IP
    Schema Id
    • Enter an associated value
    Send as User Mailbox Guid
    • Enter an associated value
    Send as User SMTP
    • Enter an associated value
    Send on behalf of User Mailbox Guid
    • Enter an associated value
    Send on behalf of User SMTP
    • Enter an associated value
    Service

    Select from the following pre-defined values:

    • Active Directory
    • Azure Active Directory
    • Exchange
    • Group Policy
    • Logon Activity
    • On Demand Audit
    • OneDrive
    • SharePoint
    • Teams
    Severity

    Select from the following pre-defined values:

    • High
    • Low
    • Medium
    Sharing Target
    • Enter an associated value
    Sharing Target Type
    • Enter an associated value
    Sharing Type
    • Enter an associated value
    Site
    • Enter an associated value
    Site Url
    • Enter an associated value
    Source File Extension
    • Enter an associated value
    Source File Name
    • Enter an associated value
    Source Folders
    • Enter an associated value
    Source Name
    • Enter an associated value
    Source relative Url
    • Enter an associated value

    State

    • Enter an associated value
    Status

    Select from the following pre-defined values:

    • Failed
    • Successful
    Status Reason (Change Auditor)

    Select from the following pre-defined values:

    • Failed
    • Protected
    • Succeeded
    Subject
    • Enter an associated value
    Subject Name
    • Enter an associated value
    Subject Object Id
    • Enter an associated value
    Subject PUID
    • Enter an associated value
    Subject Resource Type
    • Enter an associated value
    Subject Service Principle Name
    • Enter an associated value
    Subject Type
    • Enter an associated value
    Subject User Principle Name
    • Enter an associated value
    Target
    • Enter an associated value
    Target AD Forest Name
    • Enter an associated value
    Target Additional Details
    • Enter an associated value
    Target Canonical Name
    • Enter an associated value
    Target Computer Name
    • Enter an associated value
    Target Distinguished Name
    • Enter an associated value
    Target Domain Name
    • Enter an associated value
    Target IP Address
    • Enter an associated value
    Target is Domain Controller
    • Enter an associated value
    Target Managed By
    • Enter an associated value
    Target Name
    • Enter an associated value
    Target Object Class
    • Enter an associated value
    Target Object Id
    • Enter an associated value
    Target Organizational Unit CN
    • Enter an associated value
    Target Parent Object Id
    • Enter an associated value
    Target Policy Item
    • Enter an associated value
    Target Policy Section
    • Enter an associated value
    Target PUID
    • Enter an associated value
    Target Resource Type
    • Enter an associated value
    Target SAM Account Name
    • Enter an associated value
    Target Service Principle Name
    • Enter an associated value
    Target Site Name
    • Enter an associated value
    Target Type
    • Enter an associated value
    Target User Mail
    • Enter an associated value
    Target User Principle Name
    • Enter an associated value
    Team Guid
    • Enter an associated value
    Team Name
    • Enter an associated value
    Teams Property Name

    Select from the following pre-defined values:

    • Allow Box in Files tab

    • Accepted channel SMTP domains list

    • Allow DropBox in Files tab

    • Allow Egnyte in Files tab

    • Allow Guest access in Teams

    • Allow Google Drive in Files tab

    • Allow Resource Account Send Messages

    • Allow Share File in Files tab

    • Allow Skype for Business Interop

    • Allow TBot Proactive Messaging

    • Allow users to send emails to channels

    • Guests allow IP video

    • Guests screen sharing mode

    • Guests allow Meet Now

    • Guests allow editing of sent messages

    • Guests allow Deletion of sent messages

    • Guests allow chat

    • Guests allow Giphys in conversations

    • Guests Giphy content rating

    • Guests allow memes in conversations

    • Guests use Stickers in conversations

    • Guests allow immersive reader

    • Guests allow private calls

    • Meeting room device content pin

    • Members can add additional tags

    • Resource Account Content Access

    • Show organization tab in chats

    • Suggested default tags

    • Suggested feeds appear in user's activity feed

    • Trending feeds appear in user's activity feed

    • Tagging permission mode

    • Team owners can override who can apply tags

    • Use Exchange address book policy

    Teams Role Type

    Select from the following pre-defined values:

    • Member
    • Owner
    • Guest
    Tenant Id
    • Enter an associated value
    Tenant Name
    • Enter an associated value
    Time Detected
    • Enter days or hours
    Time Indexed
    • Enter days or hours
    Time Received
    • Enter days or hours
    Token Issuer

    Select from the following pre-defined values:

    • AD Federation Services
    • Azure AD
    Url
    • Enter an associated value
    User (Actor)
    • Enter an associated value
    User Agent
    • Enter an associated value
    User Display Name
    • Enter an associated value
    User DN
    • Enter an associated value
    User Down-level Logon Name
    • Enter an associated value
    User Id
    • Enter an associated value
    User is Administrator

    Select from the following pre-defined values:

    • False
    • True
    • Unknown
    User Key
    • Enter an associated value
    User Mail
    • Enter an associated value
    User Organizational Unit
    • Enter an associated value
    User Session Detail

    Select from the following pre-defined values:

    • Computer lock/unlock
    • Computer restart/shutdown
    • Incorrectly finished
    • Screensaver
    • Started before session monitoring service
    • Terminal services connection
    • User logon/logoff
    • User switch
    User Shared With
    • Enter an associated value
    User SID
    • Enter an associated value
    User Type
    • Enter an associated value

    Documentation Roadmap

    The On Demand Global Settings User Guide contains the documentation for tasks that apply to all On Demand modules. This includes:

    • Signing up for Quest On Demand
    • Managing Organizations and Regions
    • Tenant Management
    • Configuration settings (Permissions and subscription information)
    • Audit logs

    Each management module, such as On Demand Audit, has its own user guide and release notes that contain the following module-specific content:

    • The Release Notes contain a release history and detail new features, resolved issues, and known issues.
    • The User Guide contains descriptions and procedures for the tasks you can perform with the management tool.
