立即与支持人员聊天
与支持团队交流

On Demand Audit Current - User Guide

Introducing On Demand Audit Configuring On Demand Audit Change Auditor Integration SpecterOps BloodHound Enterprise Integration Working with On Demand Audit
Using the dashboard Searching for specific event data (Quick Search) Working with critical activity Working with searches Working with alerts and notification templates Auditing Azure Active Directory Auditing Microsoft 365
Appendix A: Working with Filters Documentation Roadmap Third-party contributions

Working with private and shared searches

When you create a search, you have the option of selecting whether it will be private or shared.

  • Private searches are only visible to the individual who created them.
  • Shared searches are visible to all On Demand Audit users and allow for collaboration with multiple users from the same organization.

NOTE:

  • The ability to set the search type as private or shared depends on your assigned access role within On Demand Audit. For details, see On Demand Audit Access Control roles
  • Private search names must be unique among all categories for each user.

  • Shared search name must be unique among all shared searches in all categories in the organization

  • All private searches (as well a searches under the My Searches category) are listed under the All Private Searches category.
  • Shared searches include an information icon that allows you to see when they were created, last saved, and by whom.

 

 

See Creating a custom search, Creating a search from an existing search, and Modifying a search

 

 

Running a search

Once On Demand Audit captures an event, you can view all available event data through searches. You can use custom searches based on your own criteria or built in searches that are configured to meet the most common requests. See Creating a custom search and Using built in searches.

NOTE: Custom user-built searches are identified by the following icon to the left of the search.

To run a previously saved or built in search

  1. Select the Searches tab.
  2. Locate the required search in the list of categories.
  3. To run the search, simply click it or highlight it and click the run (arrow) icon.
From here you can:

Using built in searches

On Demand Audit provides predefined searches which allow you to quickly retrieve valuable configuration change information from various perspectives. These are shared searches.

Although built in searches cannot be modified, you can create a new search based on it and customize the settings to suit your needs. See Creating a search from an existing search.

The following built in searches are available:

  • All Events category
    • All events in the past 24 hours
    • All events in the past 7 days

To run a built in search

  1. Select the Searches tab.
  2. Locate the search in the required category.
  3. Highlight the search and click the arrow icon to run it.
From here you can:

Active Directory Built in searches

If you have a Change Auditor installation registered with On Demand Audit, you will have access to the following Active Directory built-in searches:

  • AD all account lockout events in the past 7 days
  • AD all adminCount attribute changed events in the past 30 days

  • AD all attribute changes in the past 7 days
  • AD all computer events in the past 7 days
  • AD all domain controller events in the past 7 days
  • AD all events in the past 24 hours
  • AD all events in the past 7 days
  • AD all events including ActiveRoles/GPOADmin initiator in the past 7 days
  • AD all forest configuration events in the past 7 days
  • AD all inheritance settings changed events in the past 30 days

  • AD all objects deleted in the past 7 days
  • AD all OU events in the past 7 days
  • AD all replication events in the past 7 days
  • AD all schema configuration events in the past 7 days
  • AD all security changes in the last 30 days
  • AD all sIDHistory attribute changed events in the past 30 days

  • AD all high severity sIDHistory attribute changed events in the past 30 days

  • AD all site events in the past 7 days
  • AD all user events in the past 7 days
  • AD computers added in the past 30 days
  • AD computers disabled in the past 30 days
  • AD computers enabled in the past 30 days
  • AD computers moved in the past 30 days
  • AD computers removed in the past 30 days
  • AD computers renamed in the past 30 days
  • AD critical group membership changes in the past 30 days
  • AD group added in the past 30 days
  • AD group deleted in the past 30 days
  • AD group member added changes in the past 30 days
  • AD group member removed changes in the past 30 days
  • AD group moved in the past 30 days
  • AD group nested member added changes in the past 30 days
  • AD group nested member removed changes in the past 30 days
  • AD group renamed in the past 30 days
  • AD irregular domain controller registration events in the past 30 days

  • AD irregular domain replication detected events in the past 30 days
  • AD user ServicePrincipalName attribute changes in the past 30 days
  • AD users added in the past 30 days
  • AD users added to group in the past 30 days
  • AD users deleted in the past 30 days
  • AD users disabled in the past 30 days
  • AD users enabled in the past 30 days
  • AD users locked out in the past 30 days
  • AD users moved in the past 30 days
  • AD users removed from group in the past 30 days
  • AD users renamed in the past 30 days
  • AD users unlocked in the past 30 days

See Change Auditor Integration for details on adding on-premises event data to your On Demand Audit deployment.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级