立即与支持人员聊天
与支持团队交流

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and alert plans Auditing Azure Active Directory Auditing Microsoft 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Teams built in searches

On Demand Audit provides the following Teams searches:

  • Teams app events in the past 7 days

  • Teams bot events in the past 7 days

  • Teams channel events in the past 7 days

  • Teams client configuration changes in the past 30 days

  • Teams connector events in the past 7 days

  • Teams events in the past 7 days

  • Teams guest access configuration changes in the past 30 days

  • Teams guest members added in the past 7 days

  • Teams member role changes in the past 7 days

  • Teams member changes in the past 7 days

  • Teams notification and feeds policy changes in the past 30 days

  • Teams organization setting changes in the past 30 days

  • Teams tab events in the past 7 days

  • Teams targeting policy changes in the past 30 days

  • Teams team created events in the past 30 days

  • Teams team deleted events in the past 30 days

  • Teams team setting changes in the past 7 days

  • Teams user sign-in events in the past 7 days

Security Guardian built in searches

On Demand Audit provides the following Security Guardian built in searches:

  • All Security Guardian events in the past 24 hours

  • All Security Guardian events in the past 7 days

  • SG Detected Anomaly indicators in the past 30 days

  • SG Detected TTP indicators in the past 30 days

  • SG Hygiene indicators in the past 30 days

  • SG Detected Protected indicators in the past 30 days

  • SG Privileged Entra ID objects added in the past 30 days

  • SG Privileged Entra ID objects certified in the past 30 days

  • SG Privileged Entra ID objects removed in the past 30 days

  • SG Tier Zero objects added in the past 30 days

  • SG Tier Zero objects removed in the past 30 days

  • SG Tier Zero objects certified in the past 30 days

  • SG all indicators muted and unmuted in the past 30 days

  • SG all objects muted and unmuted in the past 30 days

  • SG all Tier Zero objects protected in the past 30 days

  • SG all AD DB objects protected in the past 30 days

Creating a custom search

Custom searches allow you to locate and report on the data that is of interest to you. The associated search preview updates as you construct a search to ensure you are getting the desired results. For options, see Customizing the search display.

NOTE:

  • Private search names must be unique among all categories for each user.

  • Shared search name must be unique among all shared searches in all categories in the organization

To create a search

  1. Under the Searches tab, click New Search.
  2. Enter a name for the search.
  3. Click Add to enter the required search criteria.
  4. Select as many filters as required. Search terms are highlighted in the preview (and search results and event details) to allows you to quickly scan for matches.
  5. Click Edit Columns to arrange, add, and remove the columns displayed in the search. See Customizing the search display.
  6. Click Save.By default, the new search will be created in the category you have selected when clicking New Search. If required select a different category.
  7. Select whether this is a private or shared search. Working with private and shared searches.
  8. Click Save.
  9. If required, click Alert, select the required notification template (or create a new one) to notify the required individuals , click Save. See Working with alerts and notification templates

Available filters

The available string operators include:

  • equals
  • does not equal
  • contains
  • does not contain
  • in
  • not in
  • starts with
  • does not start with
  • ends with
  • does not end

The available integer operators for sign-in events:

  • equals_number
  • does_not_equal_number
  • greater_than
  • greater_than_or_equals
  • less_than
  • less_than_or_equals
  • between_number

The available date and time operators include:

  • during last number of days or hours (By default, this is set to the last 7 days for all new searches.)
  • between
  • before
  • after

Copying an existing search

Copying an existing search allows you to take advantage of existing settings and modify as required.

  1. Under the Searches tab, select the search.
  2. Click the copy icon. The search is created with "Copy" appended to its name.
  3. Enter a new name and change the category, if required, by selecting a new category from the drop don list.
  4. Select whether this is a private or shared search. See Working with private and shared searches.
  5. Click Copy.

The new search is now available to edit as required.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级