Audit log in the Office 365 Security & Compliance Center
Before you begin
Be sure to read the following items before you start searching the Office 365 audit log.
· You (or another admin) must first turn on audit logging before you can start searching the Office 365 audit log. To turn it on, just click Start recording user and admin activity on the Audit log search page in the Security & Compliance Center. (If you don't see this link, auditing has already been turned on for your organization.) After you turn it on, a message is displayed that says the audit log is being prepared and that you can run a search a couple of hours after the preparation is complete. You only have to do this once.
If you want to turn off audit log search in Office 365 for your organization, you can run the following command in remote PowerShell connected to your Exchange Online organization:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $false
To turn on audit search again, you can run the following command in Exchange Online PowerShell:
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
· You can search the Office 365 audit log for activities that were performed within the last 90 days.
· It can take from 30 minutes up to 24 hours after an event occurs for the corresponding audit log entry to be displayed in the search results. The following table shows the time it takes for the different services in Office 365.
Search the audit log
Here's the process for searching the audit log in Office 365.
Step 1: Run an audit log search
Step 2: View the search results
Step 3: Filter the search results
Step 4: Export the search results to a file
Step 1: Run an audit log search
1. Sign in to Office 365 using your work or school account.
2. In the left pane of the Security & Compliance Center, click Search & investigation, and then click Audit log search.
The Audit log search page is displayed.
3. Configure the following search criteria:
- Activities Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities or you can click the activity group name to select all activities in the group. You can also click a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting Show results for all activities will display results for all activities performed by the selected user or group of users.
Over 100 user and admin activities are logged in the Office 365 audit log. Click the Audited activities tab at the top of this article to see the descriptions of every activity in each of the different Office 365 services.
- Start date and End date The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.
- Users Click in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
- File or folder Type some or all of a file or folder name to search for activity related to the file or folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL, be sure to type the full URL path, or if you just type a portion of the URL, don't include any special characters or spaces. Leave this box blank to return entries for all files and folders in your organization.
4. Click Search to run the search using your search criteria.
The search results are loaded, and after a few moments they are displayed under Results. When the search is finished, the number of results found is displayed. Note that a maximum of 5,000 events will be displayed in the Results pane in increments of 150 events; if more than 5,000 events meet the search criteria, the most recent 5,000 events are displayed.
Tips for searching the audit log
· You can select specific activities to search for by clicking on the activity name. Or you can search for all activities in a group (such as File and folder activities) by clicking on the group name. If an activity is selected, you can click it to cancel the selection. You can also use the search box to display the activities that contain the keyword that you type.
· You have to select Show results for all activities in the Activities list to display events from the Exchange admin audit log. Events from this audit log display a cmdlet name (for example, Set-Mailbox) in the Activity column in the results. For more information, click the Audited activities tab in this topic and then click Exchange admin activities.
Similarly, there are some auditing activities that don't have a corresponding item in the Activities list. If you know the name of the operation for these activities, you can search for all activities, then filter the results by typing the name of the operation in the box for the Activity column. See Step 3: Filter the search results for more information about filtering the results.
· Click Clear to clear the current search criteria. The date range returns to the default of the last seven days. You can also click Clear all to show results for all activities to cancel all selected activities.
· If 5,000 results are found, you can probably assume there are more than 5,000 events that met the search criteria. You can either refine the search criteria and rerun the search to return fewer results, or you can export all of the search results by selecting Export results > Download all results.
Step 2: View the search results
The results of an audit log search are displayed under Results on the Audit log search page. As previously stated, a maximum of 5,000 (newest) events are displayed in increments of 150 events. To display more events you can use the scroll bar in the Results pane or you can press Shift + End to display the next 150 events.
The results contain the following information about each event returned by the search.
· Date: The date and time (in UTC format) when the event occurred.
· IP address: The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
· User: The user (or service account) who performed the action that triggered the event.
· Activity: The activity performed by the user. This value corresponds to the activities that you selected in the Activities drop-down list. For an event from the Exchange admin audit log, the value in this column is an Exchange cmdlet.
· Item: The object that was created or modified as a result of the corresponding activity. For example, the file that was viewed or modified or the user account that was updated. Not all activities have a value in this column.
· Detail: Additional detail about an activity. Again, not all activities will have a value.
Step 3: Filter the search results
To filter the results:
1. Run an audit log search.
2. When the results are displayed, click Filter results.
Keyword boxes are displayed under each column header.
3. Click one of the boxes under a column header and type a word or phrase, depending on the column you're filtering on. The results will dynamically readjust to display the events that match your filter.
Step 4: Export the search results to a file
You can export the results of an audit log search to a comma separated value (CSV) file on your local computer. You can open this file in Microsoft Excel and use features such as search, sorting, filtering, and splitting a single column (that contains multi-value cells) into multiple columns.
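The same search and export can be scripted from Exchange Online PowerShell, which also avoids the 5,000-event display cap mentioned above. The following is an added example, not part of this article: it first confirms that unified audit log ingestion is enabled (the Set-AdminAuditLogConfig setting from Before you begin), then pages through the results with Search-UnifiedAuditLog and writes them to CSV. It assumes an already connected Exchange Online PowerShell session; the user account, operations and output path are placeholders.

```powershell
# Added example (not from the Microsoft article). Assumes an existing
# Exchange Online PowerShell session with permission to search the audit log.

# 1. Confirm ingestion is on; otherwise the search returns nothing.
$config = Get-AdminAuditLogConfig
if (-not $config.UnifiedAuditLogIngestionEnabled) {
    throw 'Unified audit log ingestion is disabled. Enable it with Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true and wait for preparation to finish.'
}

# 2. Search criteria. Dates are UTC and the window must not exceed 90 days.
$endDate    = (Get-Date).ToUniversalTime()
$startDate  = $endDate.AddDays(-90)
$userIds    = @('alice@contoso.example')            # constructed placeholder account
$operations = @('FileAccessed', 'FileDownloaded')   # SharePoint/OneDrive file activities

# 3. Page through the result set. A fixed SessionId with ReturnLargeSet makes
#    each call return the next chunk (up to 5,000) until nothing is left.
$sessionId = [guid]::NewGuid().ToString()
$results   = New-Object System.Collections.Generic.List[object]
do {
    $page = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate `
        -UserIds $userIds -Operations $operations `
        -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
    if ($page) { $results.AddRange(@($page)) }
} while ($page)

# 4. Large-set paging can repeat records, so dedupe on the record Identity,
#    then expand the AuditData JSON so IP address and item get their own columns
#    (the same Date / IP address / User / Activity / Item fields the UI shows).
$rows = foreach ($r in ($results | Sort-Object Identity -Unique)) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Date      = $r.CreationDate   # UTC
        IPAddress = $d.ClientIP
        User      = $r.UserIds
        Activity  = $r.Operations
        Item      = $d.ObjectId
    }
}

# 5. Export for analysis in Excel or a SIEM; path is a placeholder.
$rows | Sort-Object Date | Export-Csv -Path '.\audit-log-export.csv' -NoTypeInformation
"Exported $(@($rows).Count) audit events"
```

Because ingestion latency can reach 24 hours, run the export again after a day to catch late-arriving events for the same window.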