
On Demand Audit Current - User Guide


Working with categories

When you create a category, you have the option of selecting whether it will be private or shared.

  • Private categories are only visible to the individual who created them.
  • Shared categories are visible to all On Demand Audit users and allow for collaboration with multiple users from the same organization.

By default, the following categories are available:

  • All Private Searches: All private searches belonging to the signed-in user.
  • All Searches: All configured searches.
  • Active Directory: All Active Directory events in the last 24 hours, 7 days, and 30 days.
  • Active Directory Federation Services: Sign-ins and configuration changes made through Active Directory Federation Services.
  • All Events: All events in the last 24 hours and 7 days.
  • Azure Active Directory: Azure Active Directory application, directory, group, role, self-service password, user created, user deleted, and user events in the last 7 days.
  • Best Practices: Sharing operations on important file types and Teams guest access events.
  • Group Policy: Group Policy events.
  • Logon Activity: Logon activity events.
  • Office 365: Office 365 and SharePoint online events.
  • On Demand Audit: All On Demand audit and alert events.
  • Teams: Teams user and administrator activity events.
  • My searches: A built-in private category.

To create a category

NOTE:

  • Private category names must be unique among all categories for each user.

  • Shared category names must be unique among all shared searches in all categories in the organization.

  1. Under the Searches tab, click Add in the Categories field.
  2. Enter the category name.
  3. Select whether the category is private or shared.
  4. Click Add.

To assign a search to a new category

  1. Under the Searches tab, select the search.
  2. Click the pencil icon to modify the search.
  3. Drop down the Category field and select the required category.
  4. Click Save.

To edit the name of a category

  1. Under the Searches tab, select the category.
  2. Highlight the category, and click the pencil icon to the left of the category.
  3. Enter a new name for the category and click Save.

Working with alerts and alert plans

Alerts and their associated alert plans allow those responsible for the security of your environment to stay on top of changes and activities as they occur.


Through the Alerts view you can:

  • View the number of alerts created in the last 24 hours for each search.
  • View the number of associated alert plans.
  • Enable, disable, and remove alerts.
  • Add and remove associated alert plans.
  • Review searches that have alerts created for them.
  • Select an information icon to see when shared alerts were created, last saved, and by whom.

Through the Alert Plans view you can:

  • View all the alerts associated with each alert plan and the number of alerts it includes.
  • See whether the alert plan is private (only visible to the individual who created it) or shared (visible to all On Demand Audit users, allowing for collaboration with multiple users from the same organization).
  • Select an information icon to see when alert plans were created, last saved, and by whom.
  • Add, edit, and remove alert plans.

For details, see:

Managing alerts and alert plans

Through alerts you are able to receive detailed information about vital changes and activities as they occur. The associated alert plans allow you to configure who will receive the alerts so that they can take the appropriate action to address the outlined risks to your environment.


NOTE:

  • You can select to assign any number of alert plans to an alert.
  • When you create or modify an alert plan, you have the option of selecting whether it will be private or shared.

  • When enabling or editing an alert for a private search, only private alert plans can be used or created.
  • When enabling or editing an alert for a shared search, only shared alert plans can be used or created.
  • An alert plan cannot be removed until all alerts linked to it are removed or reassigned.

To create an alert with an associated alert plan

  1. Under the Searches tab, select the search.
  2. Click Alert.
  3. Configure the alert plan to associate with the alert.

    • To use an existing alert plan, select it and click Save.
    • To create and enable a new alert plan, enter a name for it, and select whether it will be private or shared. Next, select the link to enter the email recipients for the alert, and click Save.

To edit an alert

  1. Under the Alerts tab, select Alerts, select the required alert, and click Edit Alert. (You can also edit an alert from the Alert Plans view.)
  2. Add and remove the alert plans associated with the alert as required.

    1. To add an existing alert plan, select it and click Save.
    2. To remove an existing alert plan, clear the check box, and click Save.
    3. To create and enable a new alert plan, enter a name for it, and select whether it will be private or shared. Next, select the link to enter the email recipients for the alert, and click Save.

To remove an alert

  1. Under the Alerts tab, select Alerts.
  2. Select the required alert, and click the X icon to delete it.

To create an alert plan

  1. Under the Alerts tab, select Alert Plans.
  2. Click New Plan.
  3. Enter a name for the plan, and select whether it will be private or shared. Next, select the link to enter the email recipients for the alert, and click Save.
  4. Click Send Test and OK to verify that a test alert is sent to the appropriate recipients.

To edit an alert plan

  1. Under the Alerts tab, select Alert Plans, and click Edit Plan.
  2. Edit the alert recipients as required, and click Save.

To rename an alert plan

  1. Under the Alerts tab, select Alert Plans.
  2. Select the required alert plan, click in the name field, rename as required, and click Save.

To remove an alert plan

  1. Under the Alerts tab, select Alert Plans.
  2. Select the required alert plan, and click the X icon to delete it.

Using built-in alerts and alert plans

On Demand Audit includes built-in alerts and alert plans to ensure that you are kept up to date on critical activity within your organization. All searches within the Audit Health, Anomaly Activity, and BloodHound Tier Zero assets categories are alert-enabled and linked to the associated built-in alert plan.

NOTE:

  • You must add yourself to the built-in alert plan to receive notifications. See Managing alerts and alert plans for details on editing alert plans and alerts.
  • Built-in alert plans cannot be deleted; you can, however, enable and disable the alerts as required.
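The rules stated in the two NOTE blocks above (an alert may link to any number of plans; a private search may only use private plans and a shared search only shared plans; a plan cannot be removed while alerts still link to it; built-in plans cannot be deleted; and a built-in plan notifies nobody until you add yourself to it) are easy to get wrong when auditing an alerting setup by hand. The following is an added Python model of those rules, written for this page; it is not On Demand Audit code and the product exposes no such API. The plan and search names, the `owner` labels, the recipient addresses and the `silent_alerts` check are constructed for the example.

```python
"""Model of the On Demand Audit alert / alert-plan rules (added illustration, not product code)."""
from dataclasses import dataclass, field

PRIVATE, SHARED = "private", "shared"


@dataclass
class AlertPlan:
    name: str
    scope: str                                   # PRIVATE or SHARED
    owner: str                                   # creating user; only matters for private plans
    recipients: list[str] = field(default_factory=list)
    built_in: bool = False                       # built-in plans ship with the product and cannot be deleted


@dataclass
class Search:
    name: str
    scope: str                                   # PRIVATE or SHARED, like the plans it may use
    owner: str


@dataclass
class Alert:
    search: Search
    plan_names: list[str] = field(default_factory=list)
    enabled: bool = True


class AlertModel:
    def __init__(self) -> None:
        self.plans: dict[str, AlertPlan] = {}
        self.alerts: dict[str, Alert] = {}       # keyed by search name; one alert per search

    def add_plan(self, plan: AlertPlan) -> None:
        if plan.scope not in (PRIVATE, SHARED):
            raise ValueError(f"unknown scope {plan.scope!r}")
        if plan.name in self.plans:
            raise ValueError(f"alert plan {plan.name!r} already exists")
        self.plans[plan.name] = plan

    def enable_alert(self, search: Search, plan_names: list[str]) -> Alert:
        """Link an alert on `search` to one or more plans, enforcing the private/shared scope rule."""
        if not plan_names:
            raise ValueError("an alert needs at least one alert plan")
        for name in plan_names:
            plan = self.plans[name]
            if plan.scope != search.scope:
                raise ValueError(f"{search.scope} search {search.name!r} cannot use {plan.scope} plan {name!r}")
            if plan.scope == PRIVATE and plan.owner != search.owner:
                raise ValueError(f"private plan {name!r} is not visible to {search.owner!r}")
        alert = Alert(search, list(plan_names))
        self.alerts[search.name] = alert
        return alert

    def remove_alert(self, search_name: str) -> None:
        del self.alerts[search_name]

    def linked_alerts(self, plan_name: str) -> list[str]:
        """Searches whose alerts still reference this plan."""
        return [s for s, a in self.alerts.items() if plan_name in a.plan_names]

    def remove_plan(self, plan_name: str) -> None:
        """A plan goes away only if it is not built-in and no alert links to it any more."""
        plan = self.plans[plan_name]
        if plan.built_in:
            raise PermissionError(f"built-in plan {plan_name!r} cannot be deleted; disable its alerts instead")
        still_linked = self.linked_alerts(plan_name)
        if still_linked:
            raise ValueError(f"plan {plan_name!r} is still linked to alerts on: {still_linked}")
        del self.plans[plan_name]

    def recipients_for(self, search_name: str) -> set[str]:
        """Who is notified when an event matches this search: the union of its plans' recipients."""
        alert = self.alerts[search_name]
        if not alert.enabled:
            return set()
        return {r for n in alert.plan_names for r in self.plans[n].recipients}

    def silent_alerts(self) -> list[str]:
        """Enabled alerts whose plans have no recipients at all: they fire, but nobody is told."""
        return [s for s, a in self.alerts.items() if a.enabled and not self.recipients_for(s)]


def demo() -> AlertModel:
    """Constructed sample: a built-in shared plan before anyone has added themselves to it."""
    m = AlertModel()
    m.add_plan(AlertPlan("Audit Health", SHARED, owner="system", built_in=True))
    m.add_plan(AlertPlan("SOC on-call", SHARED, owner="alice", recipients=["soc@example.com"]))
    m.enable_alert(
        Search("Service auditing enabled or disabled events in the past 30 days", SHARED, "system"),
        ["Audit Health"],
    )
    return m
```

Running `demo().silent_alerts()` lists the built-in Audit Health alert as firing to nobody until a recipient is added to the plan, which is exactly the condition the first NOTE item above warns about; `remove_plan` reproduces the two deletion rules, and `enable_alert` the scope-matching rule from the earlier NOTE.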


The following built-in alert plans are available:

  • Audit Health
  • Anomaly Activity
  • Tier Zero

The following built-in alerts are available and enabled:

  • All anomaly detected events in past 30 days
  • All Azure Tier Zero AD risk events in the past 60 days
  • All Azure Tier Zero application changes in the past 60 days
  • All Azure Tier Zero group changes in the past 60 days
  • All Azure Tier Zero principal logons in the past 60 days
  • All Azure Tier Zero role changes in the past 60 days
  • All Azure Tier Zero service principal changes in the past 60 days
  • All Azure Tier Zero tenant level and directory activity in the past 60 days
  • All Azure Tier Zero user changes in the past 60 days
  • All Tier Zero computer changes in the past 60 days
  • All Tier Zero domain and forest configuration changes in the past 60 days
  • All Tier Zero group changes in the past 60 days
  • All Tier Zero group policy item and object changes in the past 60 days
  • All Tier Zero user changes in the past 60 days
  • Local logons to Tier Zero computers in the past 60 days
  • Security changes to Tier Zero domain objects in the past 60 days
  • Security changes to Tier Zero group objects in the past 60 days
  • Security changes to Tier Zero group policy objects in the past 60 days
  • Security changes to Tier Zero computer objects in the past 60 days
  • Security changes to Tier Zero user objects in the past 60 days
  • Tier Zero user logons to computers that are not Tier Zero in the past 60 days
  • Change Auditor Installation connectivity events in the past 30 days
  • Change Auditor Installation setting changes in the past 30 days
  • Change Auditor Installation upgrade events in the past 30 days
  • Service activity changes in the past 30 days
  • Service auditing enabled or disabled events in the past 30 days
  • Subscription expiring events in the past 90 days
  • Unusual increase in tenant sign-in failure events in the past 30 days
  • Unusual increase in AD account lockout events in the past 30 days
  • Unusual increase in successful tenant sign-in events in the past 30 days
  • Unusual increase in failed AD change events in the past 30 days
  • Unusual increase in permission changes to AD object events in the past 30 days
  • Unusual increase in files shared from OneDrive and SharePoint events in the past 30 days
  • Unusual increase in Office 365 activity by guest user events in the past 30 days
  • Unusual increase in Office 365 activity by anonymous user events in the past 30 days
  • Unusual increase in Teams guest participant events in the past 30 days
