On Demand Audit provides the following Azure Active Directory built-in searches that are based on the most common and complex requests for information:
- Azure AD application events in the past 7 days
- Azure AD directory events in the past 7 days
- Azure AD events in the past 7 days
- Azure AD failed sign-in events in the past 7 days
- Azure AD group events in the past 7 days
- Azure AD group member changes in the past 7 days
- Azure AD group owner changes in the past 7 days
- Azure AD risk events in the past 7 days
- Azure AD role events in the past 7 days
- Azure AD role member changes in the past 7 days
- Azure AD self-service password management events in the past 7 days
- Azure AD sign-in events in the past 7 days
- Azure AD successful sign-in events in the past 7 days
- Azure AD tenant level configuration changes in the last 180 days
- Azure AD user created events in the past 7 days
- Azure AD user deleted events in the past 7 days
- Azure AD user events in the past 7 days
- Important changes for critical Azure AD directory roles in the past 7 days
- Objects added/removed from Azure AD groups in the past 7 days
- Objects added/removed from Azure AD roles in the past 7 days
- Users added/removed as owner of Azure AD groups in the past 7 days
On Demand Audit provides the following Best Practices built-in searches:
- Azure AD successful application consent events in the past 30 days
- Sharing operations on important file types within past 7 days
- Teams guest access enabled or disabled in the past 30 days
On Demand Audit provides the following BloodHound Tier Zero assets built-in searches:
- All Azure Tier Zero AD risk events in the past 60 days
- All Azure Tier Zero application changes in the past 60 days
- All Azure Tier Zero group changes in the past 60 days
- All Azure Tier Zero principal logons in the past 60 days
- All Azure Tier Zero role changes in the past 60 days
- All Azure Tier Zero service principal changes in the past 60 days
- All Azure Tier Zero tenant level and directory activity in the past 60 days
- All Azure Tier Zero user changes in the past 60 days
- All Tier Zero computer changes in the past 60 days
- All Tier Zero domain and forest configuration changes in the past 60 days
- All Tier Zero group changes in the past 60 days
- All Tier Zero group policy item and object changes in the past 60 days
- All Tier Zero user changes in the past 60 days
- Local logons to Tier Zero computers in the past 60 days
- Security changes to Tier Zero domain objects in the past 60 days
- Security changes to Tier Zero group objects in the past 60 days
- Security changes to Tier Zero group policy objects in the past 60 days
- Security changes to Tier Zero computer objects in the past 60 days
- Security changes to Tier Zero user objects in the past 60 days
- Tier Zero user logons to computers that are not Tier Zero in the past 60 days
On Demand Audit provides the following File System built-in searches:
- FS all events in the past 7 days
- FS all permission and ownership changes to SYSVOL on domain controllers in the past 30 days
- FS all local share changes in the past 30 days
- FS all file and folder creates, deletes, and moves in the past 30 days
- FS all file and folder attribute changes, modifications, and renames in the past 30 days
- FS all file and folder auditing changes in the past 30 days
- FS all file and folder ownership changes in the past 30 days
- FS all file and folder permission changes in the past 30 days
- FS all file and folder failed access attempts in the past 30 days
- FS all file changes with suspicious file extensions in the past 30 days