
On Demand Audit Current - User Guide


Configuring tenant auditing

You need to configure tenant auditing by selecting the services to audit. You can choose to audit:

  • All services
  • Azure Active Directory - Audit Logs
  • Azure Active Directory - Sign-ins (this service includes risk events)
  • Exchange Online - Administrative activity
  • Exchange Online - Mailbox activity
  • OneDrive for Business
  • SharePoint Online
  • Teams

Once selected, the Audit homepage card displays the audited services with the number of events in the last hour.

NOTE: You need to enable auditing of Office 365 mailboxes to audit Exchange Online. For more information, see Microsoft documentation.

NOTE: You can audit multiple tenants, and each can have a distinct auditing configuration.

If a tenant is added to multiple On Demand organizations, the tenant auditing configuration is unique for each organization and events are collected and stored for each organization.

To configure auditing

  1. Log in to On Demand, and select Auditing.
  2. Click Go on the Audit module.
  3. Select the services to audit.
  4. Click Save.
The configuration is added to Azure and events are collected for the selected services. The configuration is checked every 5 minutes to determine which activities to add to the database.

NOTE: If a service is disabled or consent is revoked, event collection stops. If auditing is re-enabled, events are collected from the last collected event (or the last available event).

Historical event collection

Historical event collection is dependent on the type of license that you are using:

NOTE: If you are currently auditing Office 365 services, any additional Office 365 service added at a later date will not have historical events gathered.

  • For a trial license, Azure Active Directory, Office 365, and Change Auditor historical event collection is restricted to the 24 hours before the service is added.
  • When you change to a paid subscription, historical event collection is based on when the Office 365 and Azure Active Directory service is first enabled or when the Change Auditor integration is configured.
    • Historical events are not collected for services that were enabled during a trial subscription.
    • Historical events are collected for services that were not enabled during the trial subscription period.
    • If you disable a service during a trial period, change to a paid subscription, and enable the service again, historical events will not be collected.

See the following table for historical event collection details:

Service | Changing from a trial license to a paid subscription

Office 365

  • Exchange Admin activity
  • Mailbox activity
  • SharePoint Online
  • OneDrive for Business
  • Teams

For services that were not enabled with a trial license, historical events are collected for the past 7 days.

Azure Active Directory

  • Audit Logs
  • Sign-ins (and risk events)

For services that were not enabled with a trial license, historical events are collected for the past 7 or 30 days, depending on the Azure Active Directory report retention policies.

Change Auditor

  • Active Directory
  • Group Policy
  • Logon Activity

For services that were not enabled with a trial license, historical events are collected based on what is configured in Change Auditor.

Adding a user to an organization

If you are the On Demand administrator or the owner of the On Demand Audit subscription, you can add users to an existing organization so they can access the audit data. If you are not the subscription owner or administrator, contact your On Demand administrator for access.

When you add a user to an organization, you also assign one or more roles. The role assignment determines what permission level a user has and ultimately, what tasks the user can perform. Assigning roles and setting user permissions is referred to as access control. See On Demand Audit Access Control roles.

To add a user to an organization

  1. Log in to On Demand, and select the required organization.
  2. Select Access Control | Users.
  3. Under User Name, enter the user's email address.
  4. Under Assigned Role, select the required role.
  5. Click Add User.

On Demand Audit Access Control roles

Each access control role has a specific set of permissions that determines what tasks a user assigned to the role can perform. Your Quest On Demand organization comes configured with a number of default roles. The default role permission settings cannot be changed, but you can create custom roles with specific permission settings to align with your company policies. For more information, see Adding users to an organization in the On Demand Global Settings User Guide.

The following default roles are available to help you manage your security and compliance auditing with On Demand Audit:

  • Audit Administrator role allows full access to On Demand Audit.
  • Audit Operator role allows users to manage searches and create alerts.

Role | Permission Details

Audit Administrator
  • Can manage alert plans (View and manage alert plans, including creation and deletion.)
  • Can manage alerts (View, manage, create, and delete alerts; view the list of alert plans including their detailed configuration.)
  • Can export search results (Export search results to a csv or csv.zip file.)
  • Can Manage Azure AD Tenant Configurations for Audit (View and modify the Office 365 and Azure Active Directory tenant configuration for On Demand Audit.)
  • Can Manage Change Auditor Installation Configuration (View and modify the configuration for Change Auditor installations that are connected to the organization. This includes adding and removing installations in the organization.)
  • Can manage private searches (Create and modify private searches and manage search categories.)
  • Can run private searches (Run and preview searches.)
  • Can run search visualization (Run a search visualization.)
  • Can run shared searches (Run and preview shared searches.)
  • Can view dashboard (View the shared dashboard for the organization.)
  • Can view event retention settings (View the settings for event retention.)
  • Can view shared searches (View the list of shared searches including the definition.)
  • Can run quick search searches (Run quick searches against all data.)
  • Can view event details (Allows the viewing of all event details.)

Audit Operator
  • Can manage alerts (View, manage, create, and delete alerts; view the list of alert plans including their detailed configuration.)
  • Can export search results (Export search results to a csv or csv.zip file.)
  • Can manage private searches (Create and modify private searches and manage search categories.)
  • Can run private searches (Run and preview searches.)
  • Can run search visualization (Run a search visualization.)
  • Can run shared searches (Run and preview shared searches.)
  • Can view dashboard (View the shared dashboard for the organization.)
  • Can view event retention settings (View the settings for event retention.)
  • Can view shared searches (View the list of shared searches including the definition.)
  • Can run quick search searches (Run quick searches against all data.)
  • Can view event details (Allows the viewing of all event details.)