On Demand Audit Current - Release Notes

Quest® Quest On Demand Audit

Release Notes

July 18, 2024

These release notes provide information about Quest On Demand Audit deployments.

On Demand Audit provides extensive auditing of critical activities and detailed reports about vital changes taking place in Office 365 Exchange Online, SharePoint Online, and OneDrive for Business. Continually being in-the-know helps you to prove compliance, drive security, and improve uptime while proactively auditing changes to configurations and permissions.

Integrating with Change Auditor provides a single view of activity across hybrid Microsoft environments and turns on-premises events into rich visualizations to investigate incidents faster. Events sent to On Demand Audit include historical events gathered up to 30 days prior to the upgrade to Change Auditor 7.0.0 (or higher).

On Demand Audit audits:

  • When Exchange Online mailboxes are created, deleted, and accessed.
  • Permission changes to see which users are granted access to a mailbox.
  • Mailbox activity by non-owners, such as messages sent, read, and deleted, and folders deleted.
  • Mailbox activity by owner for sensitive and high-value mailboxes.
  • When files and folders are accessed, created, deleted, uploaded, moved, renamed, and checked in and out of SharePoint Online and OneDrive for Business sites.
  • When user and group attributes are changed.
  • When users and groups are added to and removed from the directory.
  • Successful and failed logins.
  • Suspicious sign-in activity.
  • Teams user and administrator activity.

New features

New features in this deployment:

  • New Security Guardian built-in searches:
    • SG Hygiene indicators in the past 30 days
    • SG Detected Protected indicators in the past 30 days
  • Renamed searches:
    • SG Indicators of Compromise in the past 30 days renamed to SG Detected Anomaly indicators in the past 30 days.
    • SG Indicators of Exposure in the past 30 days renamed to SG Detected TTP indicators in the past 30 days.
  • Additional values added to the Activity Category filter:
    • Detected Anomaly
    • Detected Anomaly Item
    • Detected TTP
    • Detected TTP Item
    • Hygiene
    • Hygiene Item
    • T0
    • T0 Item
  • Additional search filter categories:
    • First Discovered
    • Indicator
    • Is Initial Scan
    • Tier Zero Source
    • Tier Zero Status
  • Ability to edit the layout for the Quick Search to visualize search results.

Deprecated features

The ability to sign in with a Quest account has been deprecated. On June 4th, 2024, authentication to On Demand will only be available through Microsoft Identities. You can, however, move to Microsoft Identity now by selecting Sign in with Microsoft from the On Demand landing page.

Authenticating through Microsoft Entra ID provides more native granular control and allows you to manage your configuration from a central location. This change allows for advanced security layers that you can configure from your own conditional access policies.

Release History

The following lists the new features and resolved issues by deployment.

Current Deployment

July 18, 2024
Enhancement ID
Public and back end searches updated to match new nomenclature and changed fields. 486395
Ability to edit the layout for the Quick Search to visualize search results. 463279

Previous Deployments

February 29, 2024
Enhancement ID
Security Guardian built-in searches. 447542
BloodHound Enterprise alert plan renamed to Tier Zero alert plan. 472122

January 24, 2023
Enhancement ID
Visualization added to the layout when an anomaly detection data point is selected in the critical activity tile. 386638

October 18, 2022
Enhancement ID
The 'Hide' action for the following audit health issues has been changed to 'Dismiss':
  • No connection in last 24 hours by Change Auditor installation
  • No Office 365 events in last 24 hours
  • No Azure AD events in last 24 hours
  • No Azure AD - Sign-in events in last 24 hours
  • No Change Auditor events in last 24 hours
  • No connection in last 24 hours by Change Auditor
  • SpecterOps BloodHound Enterprise connection failed
375121

October 4, 2022
Enhancement ID
Ability to monitor when a Kerberos service ticket was created with an unsafe encryption type:
  • "Logon Activity all Kerberos service tickets created with unsafe encryption type in the past 30 days" built-in search.
  • Kerberos service ticket created with unsafe encryption type identified as critical activity.
382166

September 20, 2022
Enhancement ID
Ability to configure the integration with SpecterOps BloodHound Enterprise. 372735
Ability to remove a SpecterOps BloodHound Enterprise configuration. 376219
Ability to see the SpecterOps BloodHound Enterprise configuration status. 364550
Ability to monitor the SpecterOps BloodHound Enterprise integration through the dashboard's Audit Health tile. 364551
Ability to edit a SpecterOps BloodHound Enterprise configuration. 364546

BloodHound Tier Zero assets search category.

Additional search filters:
  • User is Tier Zero
  • Target is Tier Zero

SpecterOps BloodHound Enterprise (BHE) built-in searches:
  • All Azure Tier Zero AD risk events in the past 60 days
  • All Azure Tier Zero application changes in the past 60 days
  • All Azure Tier Zero group changes in the past 60 days
  • All Azure Tier Zero principal logons in the past 60 days
  • All Azure Tier Zero role changes in the past 60 days
  • All Azure Tier Zero service principal changes in the past 60 days
  • All Azure Tier Zero tenant level and directory activity in the past 60 days
  • All Azure Tier Zero user changes in the past 60 days
  • All Tier Zero computer changes in the past 60 days
  • All Tier Zero domain and forest configuration changes in the past 60 days
  • All Tier Zero group changes in the past 60 days
  • All Tier Zero group policy item and object changes in the past 60 days
  • All Tier Zero user changes in the past 60 days
  • Local logons to Tier Zero computers in the past 60 days
  • Security changes to Tier Zero domain objects in the past 60 days
  • Security changes to Tier Zero group policy objects in the past 60 days
  • Security changes to Tier Zero computer objects in the past 60 days
  • Security changes to Tier Zero group objects in the past 60 days
  • Security changes to Tier Zero user objects in the past 60 days
  • Tier Zero user logons to computers that are not Tier Zero in the past 60 days
364558
SpecterOps BloodHound Enterprise alert plan that includes all the BloodHound Tier Zero assets searches. 374898
Audit Health item was added to remind users to subscribe to the SpecterOps BloodHound Enterprise alert plan. 378695

Once the configuration has been added, you can select the three vertical dots in the upper right corner to refresh the configuration immediately, to edit the alert plan, or to read more about the benefits of integrating with SpecterOps BloodHound Enterprise.

381418

372936

370832

SpecterOps BloodHound Enterprise activity added to the Critical Activity tile:
  • Azure Tier Zero AD risk events
  • Azure Tier Zero application changes
  • Azure Tier Zero group changes
  • Azure Tier Zero principal logons
  • Azure Tier Zero role changes
  • Azure Tier Zero service principal changes
  • Azure Tier Zero tenant level and directory activity
  • Azure Tier Zero user changes
  • Local logons to Tier Zero computers
  • Security changes to Tier Zero computer objects
  • Security changes to Tier Zero domain objects
  • Security changes to Tier Zero group objects
  • Security changes to Tier Zero group policy objects
  • Security changes to Tier Zero user objects
  • Tier Zero computer changes
  • Tier Zero domain and forest configuration changes
  • Tier Zero group changes
  • Tier Zero group policy object changes
  • Tier Zero user changes
  • Tier Zero user logons to computers that are not Tier Zero
374896

July 29, 2022

Enhancement ID
Change Auditor event names are displayed for Security Change Detail events. 67331
On-premises file and folder attribute change events are split into attribute added and attribute removed events. 364277

Additional search filters:

  • Target is Global Catalog
  • Target is Exchange Server
364579
Correlated Activity search filters provide the predefined values of "Yes" and "No". 368654
June 28, 2022
Enhancement ID

Ability to identify critical activity relating to Change Auditor File System events.

Additional built-in searches:
  • FS all file changes with suspicious file extensions in the past 30 days
  • Unusual increase in share access permission changes in the past 30 days
  • Unusual increase in failed file access attempts in the past 30 days
  • Unusual increase in file deletes in the past 30 days
  • Unusual increase in file renames in the past 30 days
363604
Ability to see File System Logon Id detail for Windows file system events. 360573
File System built-in searches for Windows, EMC, and NetApp events. 359522
NetApp and EMC folder and file "Permission changed" and "Inherited permissions changed" events are now displayed as a single "Permissions Updated" event. 358345
File retention of 30 days for all File System events. 177922

Ability to identify critical activity relating to on-premises and Active Directory Federation Services sign-ins.

Additional built-in searches:
  • Unusual increase in successful on-premises sign-ins in the past 30 days
  • Unusual increase in failed on-premises sign-ins in the past 30 days
  • Unusual increase in successful AD Federation Services sign-ins in the past 30 days
  • Unusual increase in failed AD Federation Services sign-ins in the past 30 days
365728
June 14, 2022
Enhancement ID
Identify critical activity relating to Active Directory Database access. 362643
Ability to audit Active Directory Database events to monitor the Active Directory database (NTDS.dit) file for possible unauthorized access attempts. This includes a new built-in search (AD DB all events in the past 7 days) and the ability to filter searches on the Active Directory Database service. 362642
June 7, 2022
Enhancement ID
The Apply button on the Edit Layout flyout has been updated to Preview to reflect the actual function. 350662
File System added to the Top Active Users on the dashboard. 361676
May 12, 2022
Enhancement ID
Support for GCC tenants for organizations in the US region. 350974
Ability to select a donut chart for the search results visualization. 320192
Ability to select a bar chart for the search results visualization. 328121
March 15, 2022
Enhancement ID
Ability to audit adminCount attribute changed events. 328327

Ability to audit all SIDHistory attribute changes and all high severity SIDHistory attribute changes.

328325
Administrative privilege elevation detected activity added to the critical activity tile on the dashboard. 328328
Potential SIDHistory injection detected activity added to the critical activity tile on the dashboard.

328326

Domain level group policy linked changes added to the critical activity tile on the dashboard. 328320
Irregular domain controller registration detected (DCShadow) activity added to the critical activity tile on the dashboard. 328324
Ability to audit AD irregular domain controller registration events. 328323
Legend added to the donut chart that displays critical activity. 280484
Ability to audit Group Policy domain level linked change. 328322
AD user ServicePrincipalName attribute changes detected event added to the Critical Activity dashboard. 315396
Provisioning status check. 291656
Provisioning status check for a Change Auditor integration. 291657
February 1, 2022
Enhancement ID
AD User ServicePrincipalName attribute changes in the past 30 days built-in search. 315203
Ability to select a time series chart for the search results visualization. 318039
January 18, 2022
Enhancement ID
Ability to subscribe to Anomaly Activity and Audit Health alert plans directly from the Audit Health tile in the dashboard. 302112
Ability to easily preview and customize the columns that display in generated reports. 302838
Enhancement ID
281274
282927
Enhancement ID
Built-in Audit Health and Anomaly Activity alert plans and associated built-in alerts for all searches within the Audit Health and Anomaly Activity categories. 289369
Enhancement ID
Ability to audit Change Auditor connection interrupted and Change Auditor connection resumed events. 280847
281046
261904
Enhancement ID
281276

Additional built-in search under the Audit Health category: Subscription expiring events in the past 90 days

Additional search filters:

  • Subscription Name
  • Subscription Expiry Date
  • Subscription Type
282926
Enhancement ID
278731
280820
280845
281273