
On Demand Audit Current - User Guide


Auditing Azure Active Directory

On Demand Audit simplifies the audit process by tracking, auditing, and reporting on activity that corresponds to the events in the Azure Active Directory audit logs, sign-in activity report, and risky sign-ins report.

NOTE: An Azure Active Directory Premium (P1) license or higher is required for On Demand Audit to audit sign-in activity, and an Azure Active Directory Premium (P2) license or higher is required to audit risky sign-in activity.

You can generate intelligent and in-depth reports, protecting you against policy violations and avoiding the risks and errors associated with day-to-day modifications.

For example, you can easily track and report on activities such as:

  • When users and groups are added to and removed from the directory.
  • When user and group attributes are changed.
  • Successful and failed logins.
  • Suspicious sign-in activity.

Event collection and Azure Active Directory subscription

Historical auditing is dependent on your Azure Active Directory subscription.

Subscription                                        On Demand Audit Event Collection
Azure Active Directory license                      Azure AD - Audit Log historical events in the last 7 days
Azure Active Directory Premium license (Optional)   Azure AD - Audit Log historical events in the last 30 days
Azure Active Directory Premium license (Required)   Azure AD - Sign-ins historical events in the last 30 days
Azure Active Directory Premium license (Required)   Azure AD - Risky Sign-ins historical events in the last 90 days

NOTE: Azure Active Directory Premium P2 subscription is required to include the Risk Level and Risk Detail information in events.

Working with Azure Active Directory Searches

On Demand Audit provides numerous built-in Azure Active Directory searches that allow you to locate and report on Azure Active Directory data. If required, you can also easily create custom searches to locate the specific information that is of interest to you.

There are numerous columns, filters, and pre-defined values that you can use to help you find the information you need to secure your environment.

See Creating a custom search and Appendix A: Working with search columns and filters for more details.

Azure Active Directory-specific columns

The following columns are available to display additional Azure Active Directory information:

Azure Active Directory - Audit Log:
  • Azure AD Activity Type
  • Azure AD Activity Operation Type
  • Azure AD Result Description
  • Azure AD Category

Azure Active Directory Sign-ins:
  • Error Code
  • Failure Reason
  • Location

Azure Active Directory Risky Sign-ins:
  • RiskEventStatus
  • RiskEventId
  • RiskEventType
  • RiskLevel
  • RiskEventDateTime
  • PreviousCity (impossible travel risk events only)
  • PreviousState (impossible travel risk events only)
  • PreviousCountry (impossible travel risk events only)
  • PreviousSignInDateTime (impossible travel risk events only)
  • PreviousIpAddress (impossible travel risk events only)
  • PreviousLocation (impossible travel risk events only)
  • RiskEventDetails
  • MalwareName
  • isAtypicalLocation

Working with Azure Active Directory events with multiple targets

To help filter searches and fine-tune the results, the following Azure Active Directory group membership, group ownership, and role membership activity has been split so that each change is reported as two events, one with the group or role as the target and one with the affected user or group as the target, each with its own subject.

Group Membership Event     Target                                                  Subject
Add member to group        Group being modified                                    User or group added to a group
Add group membership       User or group added to a group                          Group being modified
Remove member from group   Group from which a user or group is removed             User or group being removed from a group
Remove group membership    User or group being removed from a group                Group from which the user or group is removed
Add owner to group         Group that is modified                                  User added as group owner
Group ownership assigned   User added as group owner                               Group that is modified
Remove owner from group    Group that is modified as a result of a removed owner   User removed as group owner
Group ownership removed    User removed as group owner                             Group that is modified as a result of a removed owner

Role Event                                 Target                              Subject
Add member to role                         Role to which a user is added       User added to the role
Role assignment added                      User added to a role                Role to which a user is added
Remove member from role                    Role from which a user is removed   User removed from a role
Role assignment removed                    User removed from a role            Role from which a user is removed
Add eligible member to role                Role to which a user is added       User added to a role
Role assignment added to eligible member   User added to a role                Role to which a user is added

Additional filters

You can, for example, create a search for all group membership events and see distinct events for both the group you are adding a user to and the user you are adding to the group. Using the target to filter your searches allows you to pinpoint activity by specific users and changes to critical groups and roles. See Appendix A: Working with search columns and filters for a complete list of available filters.
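As an added illustration (example code, not On Demand Audit's own), the following Python reproduces the target/subject split from the tables above on constructed records and then filters the resulting rows by Target to isolate activity against one critical group, role or user. The record field names (activity, container, member, actor) and the sample values are assumptions made for this example.

```python
from dataclasses import dataclass
# Raw activity -> paired activity reported from the member/owner's side,
# taken from the Group Membership and Role tables in this section.
PAIRED_ACTIVITY = {
    "Add member to group": "Add group membership",
    "Remove member from group": "Remove group membership",
    "Add owner to group": "Group ownership assigned",
    "Remove owner from group": "Group ownership removed",
    "Add member to role": "Role assignment added",
    "Remove member from role": "Role assignment removed",
    "Add eligible member to role": "Role assignment added to eligible member",
}

@dataclass(frozen=True)
class AuditRow:
    activity: str
    target: str   # object the row is reported against
    subject: str  # the other party in the change
    actor: str    # who made the change

def split_event(raw: dict) -> list[AuditRow]:
    """One raw membership/ownership/role event becomes two rows: the original
    activity with the group/role as Target, and the paired activity with the
    member/owner as Target. Other activities pass through as single-target."""
    activity, actor = raw["activity"], raw["actor"]
    if activity not in PAIRED_ACTIVITY:
        return [AuditRow(activity, raw["container"], raw.get("member", ""), actor)]
    return [
        AuditRow(activity, raw["container"], raw["member"], actor),
        AuditRow(PAIRED_ACTIVITY[activity], raw["member"], raw["container"], actor),
    ]

def rows_for_target(raws: list[dict], target: str) -> list[AuditRow]:
    """Filter split rows by Target, e.g. to watch one critical group or role."""
    return [row for raw in raws for row in split_event(raw) if row.target == target]

# Constructed sample events (field names are assumptions for this example).
SAMPLE_EVENTS = [
    {"activity": "Add member to group", "container": "Tier-0 Admins",
     "member": "alice@contoso.example", "actor": "bob@contoso.example"},
    {"activity": "Add member to role", "container": "Global Administrator",
     "member": "alice@contoso.example", "actor": "bob@contoso.example"},
    {"activity": "Update user", "container": "alice@contoso.example",
     "actor": "bob@contoso.example"},
]

if __name__ == "__main__":
    for row in rows_for_target(SAMPLE_EVENTS, "alice@contoso.example"):
        print(row.activity, "| target:", row.target, "| subject:", row.subject)
```

Filtering on the user as Target returns the "Add group membership" and "Role assignment added" rows, while filtering on the group or role returns the "Add member to ..." rows for the same underlying changes.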
