
On Demand Audit Current - User Guide


Managing alerts and alert plans

Through alerts you are able to receive detailed information about vital changes and activities as they occur. The associated alert plans allow you to configure who will receive the alerts so that they can take the appropriate action to address the outlined risks to your environment.

NOTE:

  • You can select to assign any number of alert plans to an alert.
  • When you create or modify an alert plan, you have the option of selecting whether it will be private or shared.

  • When enabling or editing an alert for a private search, only private alert plans can be used or created.
  • When enabling or editing an alert for a shared search, only shared alert plans can be used or created.
  • An alert plan cannot be removed until all alerts linked to it are removed or reassigned.

To create an alert with an associated alert plan

  1. Under the Searches tab, select the search.
  2. Click Alert.
  3. Configure the alert plan to associate with the alert:

    1. To use an existing alert plan, select it and click Save.
    2. To create and enable a new alert plan, enter a name for it, and select whether it will be private or shared. Next, select the link to enter the email recipients for the alert, and click Save.

To edit an alert

  1. Under the Alerts tab, select Alerts, select the required alert, and click Edit Alert. (You can also edit an alert from the Alert Plans view.)
  2. Add and remove the alert plans associated with the alert as required:

    1. To add an existing alert plan, select it and click Save.
    2. To remove an existing alert plan, clear the check box, and click Save.
    3. To create and enable a new alert plan, enter a name for it, and select whether it will be private or shared. Next, select the link to enter the email recipients for the alert, and click Save.

To remove an alert

  1. Under the Alerts tab, select Alerts.
  2. Select the required alert, and click the X icon to delete it.

To create an alert plan

  1. Under the Alerts tab, select Alert Plans.
  2. Click New Plan.
  3. Enter a name for the plan, and select whether it will be private or shared. Next, select the link to enter the email recipients for the alert, and click Save.
  4. Click Send Test and OK to verify that a test alert is sent to the appropriate recipients.

To edit an alert plan

  1. Under the Alerts tab, select Alert Plans, and click Edit Plan.
  2. Edit the alert recipients as required, and click Save.

To rename an alert plan

  1. Under the Alerts tab, select Alert Plans.
  2. Select the required alert plan, click in the name field, rename as required, and click Save.

To remove an alert plan

  1. Under the Alerts tab, select Alert Plans.
  2. Select the required alert plan, and click the X icon to delete it.

Using built-in alerts and alert plans

On Demand Audit includes built-in alerts and alert plans to ensure that you are kept up to date on critical activity within your organization. All searches within the Audit Health and Anomaly Activity categories are alert-enabled and linked to the associated built-in alert plan.

NOTE:

  • You must add yourself to the built-in alert plan to receive notifications. See Managing alerts and alert plans for details on editing alert plans and alerts.
  • Built-in alert plans cannot be deleted; you can, however, enable and disable the alerts as required.


The following built-in alert plans are available:

  • Audit Health
  • Anomaly Activity

The following built-in alerts are available and enabled:

  • Change Auditor Installation connectivity events in the past 30 days
  • Change Auditor Installation setting changes in the past 30 days
  • Change Auditor Installation upgrade events in the past 30 days
  • Service activity changes in the past 30 days
  • Service auditing enabled or disabled events in the past 30 days
  • Subscription expiring events in the past 90 days
  • Unusual increase in tenant sign-in failure events in the past 30 days
  • Unusual increase in AD account lockout events in the past 30 days
  • Unusual increase in successful tenant sign-in events in the past 30 days
  • Unusual increase in failed AD change events in the past 30 days
  • Unusual increase in permission changes to AD object events in the past 30 days
  • Unusual increase in files shared from OneDrive and SharePoint events in the past 30 days
  • Unusual increase in Office 365 activity by guest user events in the past 30 days
  • Unusual increase in Office 365 activity by anonymous user events in the past 30 days
  • Unusual increase in Teams guest participant events in the past 30 days
  • All anomaly detected events in the past 30 days


Auditing Azure Active Directory

On Demand Audit simplifies the audit process by tracking, auditing, and reporting on activity that corresponds to the events in the Azure Active Directory audit logs, sign-in activity report, and risky sign-ins report.

NOTE: An Azure Active Directory Premium (P1) license or higher is required for On Demand Audit to audit sign-in activity, and an Azure Active Directory Premium (P2) license or higher is required to audit risky sign-in activity.

You can generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.

For example, you can easily track and report on activities such as:

  • When users and groups are added to and removed from the directory.
  • When user and group attributes are changed.
  • Successful and failed logins.
  • Suspicious sign-in activity.

Event collection and Azure Active Directory subscription

Historical auditing is dependent on your Azure Active Directory subscription.

Subscription                                        On Demand Audit event collection
--------------------------------------------------  ----------------------------------------------------------------
Azure Active Directory license                      Azure AD - Audit Log historical events in the last 7 days
Azure Active Directory Premium license (Optional)   Azure AD - Audit Log historical events in the last 30 days
Azure Active Directory Premium license (Required)   Azure AD - Sign-ins historical events in the last 30 days
Azure Active Directory Premium license (Required)   Azure AD - Risky Sign-ins historical events in the last 90 days

NOTE: Azure Active Directory Premium P2 subscription is required to include the Risk Level and Risk Detail information in events.
