Chat now with support
Chat with Support

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and alert plans Auditing Azure Active Directory Auditing Office 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Monitoring sign-in trends

The Sign-ins tile allows you to quickly see the successful and failed sign-ins over the last 7 days. You can select monitor trends for all sign-ins or select only those that you are interested in.

To add and remove the types of sign-in trends displayed:

  1. Expand the drop-down list and choose the type of sign-ins to display.
  2. Select to show all or successful or failed Azure Active Directory sign-ins, Active Directory authentications, and Windows interactive logons.

If you have selected to show "All" sign-in types, any services added at a later date will automatically be selected and displayed in the dashboard.


NOTE: Sign-in activity is gathered and displayed based on the services that you have selected to audit.

See Configuring tenant auditing for details on selecting services to audit and Change Auditor Integration for details on accessing on premises events.


Audited Service Sign in events

Change Auditor / Logon Activity

  • Active Directory authentications - Successful events
  • Active Directory authentications - Failed events
  • Windows interactive logons - Successful events
  • Windows interactive logons - Failed events

Azure Active Directory - Sign-in

  • Azure Active Directory sign-ins - Successful events
  • Azure Active Directory sign-ins - Failed events

Searching for specific event data (Quick Search)

Performing a quick search allows you to search through all events based on a specific value, term, or keyword.

NOTE: The results returned will only include activity from the last 365 days.

To search for data within an event

  1. Enter the search term in the Quick Search box and click the magnifying glass icon.

The resulting lists display all events that have a value matching the search term or value, sorted by the time detected. The search terms are highlighted in the search results and event details to allows you to quickly scan for matches.

NOTE: You can also export the search results to a .csv or zip file by selecting the Export button. The location for the file is determined by your browser settings.

Working with critical activity

The Critical Activity page displays a full list of security-related activity, including anomaly detection for unusual spikes in activity, that may indicate a threat to your organization.

By default, the activity is displayed based on priority from high to low. You can sort and filter the list based on priority, critical activity, and event count and select to hide or remove specific events from the display.

From this page, you can see tailored visualizations and metrics to provide more context about the activity and related search and a high-level overview of the item.

This information helps determine if the activity is expected behavior, an actual issue. Anomaly detection allows you to gain further insight into configuration issues which could impact user experience and service availability and help identify compromised devices or malicious activity.


  • Any detected anomalies include an exclamation point in the icon.
  • As events are analyzed and the baselines are updated, the data in the charts will update accordingly. Because of this, some items may disappear in the critical activity pane if they no longer are included in the activity spike.

  • Anomaly detection depends on the users' a time zone. As a result, users within the same organization may see a different set of anomalies.

To view critical activity and configure the display:

  1. Select Critical Activity, and click the activity of interest. When you select an activity, a chart displays information by percentage of user, target, or activity or by number of events per target. For anomalies and unusual spikes in activity, the resulting chart displays the baseline (predicted value), anomalies (unusual increase), and total amounts of activity. For all other critical activity the targets associated with the event are displayed in a donut chart. You can select which targets to include in the visualization by selecting (and de-selecting) entries from the legend.
  2. Click on any section of the chart for specific search details, or select View All Events to see all related searches.
  3. If you select a section of the donut chart or a data point on the time series chart for an anomaly, the filtered search will display the associated visualization so that you can quickly view the details of the activity.

  4. If required, select Dismiss Activity to remove the reported results until the next activity is detected or just select to hide future occurrences of this event.
  5. If you have hidden any events and want them added back to the display, select Edit Hidden Items, click the events that you want added back to the view, Remove Selected Items, and Save.
  6. To filter the list of critical events, select Filter, choose if you want to filter on priority (High, Medium, Low), specific critical activity, or number of events.

Working with searches

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating