Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

On Demand Audit Current - User Guide

Table of Contents

Introducing On Demand Audit

Quest On Demand Overview Quest On Demand Audit Overview

Accessing Quest On Demand Audit Supported regions

Configuring On Demand Audit

Working with tenants Granting required consent Configuring tenant auditing Historical event collection Adding a user to an organization On Demand Audit Access Control roles

Change Auditor Integration

Customer data storage Registering a Change Auditor Installation Pausing Change Auditor event forwarding Resuming Change Auditor event forwarding Removing a Change Auditor Installation Reviewing the status of your Change Auditor installation

Working with On Demand Audit

Using the dashboard Searching for specific event data (Quick Search) Working with searches

Running a search Using built in searches

Active Directory Built in searches Azure Active Directory built in searches Best Practices built in searches Group Policy built in searches Logon Activity built in searches Office 365 built in searches Teams built in searches

Creating a custom search Copying an existing search Exporting a search Creating a search from an existing search Creating or filtering a search based on event details Customizing the columns displayed in a search Visualizing searches Viewing search results and event details Copying event details Modifying a search Deleting a search Working with categories

Working with alerts and alert plans

Managing alerts and alert plans

Auditing Azure Active Directory

Event collection and Azure Active Directory subscription Working with Azure Active Directory Searches Working with Azure Active Directory events with multiple targets Auditing risk events

Auditing Office 365

Appendix A: Working with Filters Documentation Roadmap

Group Policy built in searches

Working with On Demand Audit > Working with searches > Using built in searches > Group Policy built in searches

On Demand Audit provides the following Group Policy built-in searches:

Group Policy all events in the past 7 days
Group Policy all restricted group changes in the past 30 days
Group Policy all security changes in the past 30 days

Logon Activity built in searches

Working with On Demand Audit > Working with searches > Using built in searches > Logon Activity built in searches

On Demand Audit provides the following logon activity built-in searches:

Logon Activity all authentication activity in the past 7 days
Logon Activity all excessive Kerberos ticket lifetime events in the past 30 days
Logon Activity all failed logon activity in the past 7 days
Logon Activity all interactive logon activity in the past 24 hours
Logon Activity all Kerberos authentication activity in the past 24 hours
Logon Activity all logon activity in the past 24 hours
Logon Activity all logon session activity in the past 24 hours
Logon Activity all NTLM version 1 logons in the past 7 days (Note: The associated event class is disabled by default in Change Auditor.)
Logon Activity all remote logon activity in the past 24 hours

Office 365 built in searches

Working with On Demand Audit > Working with searches > Using built in searches > Office 365 built in searches

On Demand Audit provides the following Office 365 built-in searches that are based on the most common and complex requests for information

Email forwarding enabled in the past 7 days
Office 365 activity from ad-hoc external recipients in the past 7 days
Office 365 events from EXT Users in the past 7 days
Office 365 events in the past 7 days
Office 365 Exchange Online administrative cmdlets executed in the past 7 days
Office 365 Exchange Online events in the past 7 days
Office 365 Exchange Online mailbox events in the past 7 days
Office 365 Exchange Online mailbox login activity in the past 24 hours
Office 365 Exchange Online mailbox non-owner activity in the past 7 days
Office 365 OneDrive for Business events in the past 7 days
Office 365 OneDrive for Business file activity events in the past 7 days
Office 365 OneDrive for Business folder activity events in the past 7 days
Office 365 SharePoint Online events in the past 7 days
Office 365 SharePoint Online file activity events in the past 7 days
Office 365 SharePoint Online folder activity events in the past 7
OneDrive for Business and SharePoint Online anonymous link events in the past 180 days

Teams built in searches

Working with On Demand Audit > Working with searches > Using built in searches > Teams built in searches

On Demand Audit provides the following Teams searches:

Teams app events in the past 7 days
Teams bot events in the past 7 days
Teams channel events in the past 7 days
Teams client configuration changes in the past 30 days
Teams connector events in the past 7 days
Teams events in the past 7 days
Teams guest access configuration changes in the past 30 days
Teams guest members added in the past 7 days
Teams member role changes in the past 7 days
Teams member changes in the past 7 days
Teams notification and feeds policy changes in the past 30 days
Teams organization setting changes in the past 30 days
Teams tab events in the past 7 days
Teams targeting policy changes in the past 30 days
Teams team created events in the past 30 days
Teams team deleted events in the past 30 days
Teams team setting changes in the past 7 days
Teams user sign-in events in the past 7 days

Related Documents

© 2020 Quest Software Inc. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy