You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: docs/threatmanager/3.0/administration/investigations/auditcompliance.md
+4-4Lines changed: 4 additions & 4 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -30,16 +30,16 @@ By default, this folder contains the following saved investigations:
30
30
| Investigation | Description | Filters |
31
31
| --- | --- | --- |
32
32
| AD Changes | All Active Directory changes | One filter statement set: <br /><ul><li>Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter = Active Directory Change</li></ul> |
33
-
| AD Changes by Domain Admins | All Active Directory changes by Domain Admin>s | Two filter statements set: <br /><ul><li> Attribute 1 = Event Operation</li><li>Operator 1 = Equals</li><li>Filter 1 = Active Directory Change <br />AND <br /></li><li>Attribute 2 = Tag (Effective)</li><li>Operator 2 = Equals</li><li>Filter 2 = Domain Admin</li></ul> |
33
+
| AD Changes by Domain Admins | All Active Directory changes by Domain Admin>s | Two filter statements set: <br /><ul><li> Attribute 1 = Event Operation</li><li>Operator 1 = Equals</li><li>Filter 1 = Active Directory Change</li></ul><p>AND</p><ul><li>Attribute 2 = Tag (Effective)</li><li>Operator 2 = Equals</li><li>Filter 2 = Domain Admin</li></ul> |
34
34
| AD Logins | Active Directory logins including Kerberos and NTLM authentication | One filter statement set: <br /><ul><li> Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter = Active Directory Authentication</li></ul> |
35
35
| All Events | New Investigation | No filters set |
36
36
| Confirmed Compromised Account Activity | Occurs when a Confirmed Compromised Account is being active within an Entra ID tenant | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter 1 = Confirmed Compromised</li></ul> |
37
-
| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set: <br /><ul><li>Attribute 1 = Event Operation</li><li>Operator 1 = Equals</li><li>Filter 1 = Active Directory Authentication <br />AND <br /></li><li>Attribute 2 = Success</li><li>Operator 2 = Equals</li><li>Filter 2 = false</li></ul> |
38
-
| Failed Entra ID Logins | Occurs when an Entra ID login attempt has failed | Two filter statements set: <br /><ul><li>Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter 1 = EntraID Sign-In <br />And <br /></li><li> Attribute = Success</li><li>Operator = Equals</li><li>Filter 2 = False</li></ul> |
37
+
| Failed AD Logins | All failed Active Directory logins including Kerberos and NTLM authentication | Two filter statements set: <br /><ul><li>Attribute 1 = Event Operation</li><li>Operator 1 = Equals</li><li>Filter 1 = Active Directory Authentication</li></ul><p>AND</p><ul><li>Attribute 2 = Success</li><li>Operator 2 = Equals</li><li>Filter 2 = false</li></ul> |
38
+
| Failed Entra ID Logins | Occurs when an Entra ID login attempt has failed | Two filter statements set: <br /><ul><li>Attribute = Event Operation</li><li>Operator = Equals</li><li>Filter 1 = EntraID Sign-In</li></ul><p>AND</p><ul><li> Attribute = Success</li><li>Operator = Equals</li><li>Filter 2 = False</li></ul> |
| Privileged Account Activity | All activity by privileged accounts | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter = Privileged</li></ul> |
41
41
| Risky User Activity | Occurs when a Risky User is being active within an Entra ID tenant | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter 1 = At Risk</li></ul> |
42
42
| Service Account Activity | All activity by service accounts | One filter statement set: <br /><ul><li>Attribute = Tag (Direct)</li><li>Operator = Equals</li><li>Filter = Service Account</li></ul> |
43
43
| Watchlist User Activity | All activity by watchlist users | One filter statement set: <br /><ul><li>Attribute = Tag (Effective)</li><li>Operator = Equals</li><li>Filter = Watchlist</li></ul> |
44
44
45
-
You can save additional investigations to this folder.
45
+
You can save additional investigations to this folder.
0 commit comments