Hi. I'm Ghazwan Khairi, a strategic systems consultant with Quest. And today I'm going to demo the hybrid integration of Quest On Demand Audit and Quest Change Auditor.
What you'll notice on the screen is I've logged into my Quest On Demand Audit. And I've switched over to the Searches tab. And then I've also selected the Active Directory. This specific node of Active Directory and all the events that you see on the right-hand side are events that you are accustomed to in your existing install of on-premise Change Auditor. The value add here is that you can search and view any change, whether it was made on-premise or in the cloud.
So we bring on-premise events directly onto this interface along with, as you can see here on the screen, I can switch quickly and take a look at the Office 365 events. I can take a look at Azure Active Directory events and sign-in events. So we bring the Active Directory on-premise events to this interface.
And what you notice on the right-hand side are the events are very similar to what you're used to in your existing install of Change Auditor. These are events around computers, domain controllers, OUs, groups, users. And we just basically brought them in here.
So one of the events that we often get asked about is critical group membership changes in Active Directory. So we'll go ahead and just click on that for just a quick second. So here's my critical group membership changes in the last 30 days. I can change this. But I can also take a look at the events in here. I'll walk you through the changes in just a second.
We'll go ahead and select this event as an example. Here's the action. So this is Delete Attribute. One thing to mention in here, in Change Auditor on-premise installation, we've often talked about five Ws, or primarily the who, what, where, when for a specific event. And in Azure Active Directory, these five attributes, they don't really exist. They're more kind of normalized. So what we did is we took these parameters and values, and we normalized them into a standard of what Azure Active Directory kind of presents to us. So it's all seamless from an integration and from a hybrid standpoint.
So here's the action, which is Delete Attribute. Here's the activity, which is basically your event class in Change Auditor. The activity ID. Let's see, what else is worth mentioning in here? The attribute name. The audit source is Change Auditor. So this is telling me that it came from on-premise Active Directory, because Change Auditor pushed it.
Your who is basically your actor. And that's all the way at the bottom here. So this is our user actor. So this is our who.
I've also passed on a field that I'd like to mention, the Time Detected. This is the time it registered the event. The coordinator, the agent, on-premise registered the event. And then the time index is when On Demand Audit grabbed the event and made it available for search. So again, we normalized the five Ws to provide this hybrid seamless presentation of the events themselves.
If I was to close this information and go back and modify the search, right now it's looking at the last 30 days Active Directory, I could add more fields. So if I'm interested in the user actor, I can add this information in here. I basically just have to select the field, select the operation, and select the value.
And I also want to show you if I go back to the event itself. Let's go ahead and run this. If I go back to the event itself and say, I just want to see everything that came from Change Auditor. So if I hover my mouse over this specific value, notice on the right-hand side, I can copy this to clipboard, or one of the other options, I can add this as a filter. So I can create a completely new search that just basically says, show me everything that came from Change Auditor, or just say, and you search on this filter.
So now these are all the events that came from Change Auditor. I can run this, or I can save this as a special search for me. Notice the speed in which the events are actually rendered on the screen.
So again, this is just to kind of go through a hybrid presentation of what On Demand Audit brings to the table here. It's looking at your on-premise Active Directory events. It's looking at your Azure Active Directory events, although we didn't really look at that in this specific video. And it's also looking at all the events that are happening across all the Microsoft Office 365 workloads.
So that concludes this demo. For more information, visit the Quest On Demand URL listed on the screen.