Logon Activity built-in searches
Audit provides the following logon activity built-in searches:
- AD FS All Active Directory Federation Services sign-ins in the past 24 hours
- AD FS All Failed Active Directory Federation Services sign-ins in the past 7 days
- AD FS All Successful Active Directory Federation Services sign-ins in the past 24 hours
- Logon Activity all authentication activity in the past 7 days
- Logon Activity all excessive Kerberos ticket lifetime events in the past 30 days
- Logon Activity all failed logon activity in the past 7 days
- Logon Activity all interactive logon activity in the past 24 hours
- Logon Activity all Kerberos authentication activity in the past 24 hours
- Logon Activity all Kerberos service tickets created with unsafe encryption type in the past 30 days
- Logon Activity all logon activity in the past 24 hours
- Logon Activity all logon session activity in the past 24 hours
- Logon Activity all NTLM version 1 logons in the past 7 days (Note: The associated event class is disabled by default in Change Auditor.)
- Logon Activity all remote logon activity in the past 24 hours
Microsoft 365 built-in searches
Security Guardian provides the following Microsoft 365 built-in searches, which are based on the most common and complex requests for information:
- Email forwarding enabled in the past 7 days
- Microsoft 365 activity from ad-hoc external recipients in the past 7 days
- Microsoft 365 events from EXT Users in the past 7 days
- Microsoft 365 events in the past 7 days
- Microsoft 365 Exchange Online administrative cmdlets executed in the past 7 days
- Microsoft 365 Exchange Online events in the past 7 days
- Microsoft 365 Exchange Online mailbox events in the past 7 days
- Microsoft 365 Exchange Online mailbox login activity in the past 24 hours
- Microsoft 365 Exchange Online mailbox non-owner activity in the past 7 days
- Microsoft 365 OneDrive for Business events in the past 7 days
- Microsoft 365 OneDrive for Business file activity events in the past 7 days
- Microsoft 365 OneDrive for Business folder activity events in the past 7 days
- Microsoft 365 SharePoint Online events in the past 7 days
- Microsoft 365 SharePoint Online file activity events in the past 7 days
- Microsoft 365 SharePoint Online folder activity events in the past 7
- OneDrive for Business and SharePoint Online anonymous link events in the past 180 days
On Demand Audit built-in searches
Audit provides the following On Demand Audit built-in searches:
- All On Demand Audit configuration events in the past 30 days
- All On Demand Audit events in the past 30 days
- On Demand Audit notification template management events in the past 30 days
- On Demand Audit alert ran events in the past 30 days
- On Demand Audit alert rule management events in the past 30 days
- On Demand Audit all shared search and shared category management events in the past 30 days
Teams built-in searches
Audit provides the following Teams searches:
- Teams app events in the past 7 days
- Teams bot events in the past 7 days
- Teams channel events in the past 7 days
- Teams client configuration changes in the past 30 days
- Teams connector events in the past 7 days
- Teams events in the past 7 days
- Teams guest access configuration changes in the past 30 days
- Teams guest members added in the past 7 days
- Teams member role changes in the past 7 days
- Teams member changes in the past 7 days
- Teams notification and feeds policy changes in the past 30 days
- Teams organization setting changes in the past 30 days
- Teams tab events in the past 7 days
- Teams targeting policy changes in the past 30 days
- Teams team created events in the past 30 days
- Teams team deleted events in the past 30 days
- Teams team setting changes in the past 7 days
- Teams user sign-in events in the past 7 days