
Life often feels like there’s just a lot going on—it’s a swirling madhouse of tasks and events. But this chaos is magnified when you own a business. And when something goes wrong with your business, it becomes your job to dig through that madness and identify the cause so that it won’t happen again. This is where audit logs come in handy, but the out-of-the-box ones are often difficult to navigate.

When it comes to the digital security of your business, Office Protect has your back. By enabling you to set your audit logs in Office 365 so they’re always recording, Office Protect ensures that you’ll always have a written record of events that you can reference.




User Error Events

Your audit logs will record practically every major event that happens in Office 365: viewing documents, logging in, downloading documents, sharing files, deleting files, and more. This comes in handy when an important file turns up missing and you do not know who moved/deleted it, or even if it was accidental or malicious.

This is where audit logs are invaluable—you can simply search through them to discover who deleted the file and speak to the user to identify the root cause. Whether it be an easy training issue or a more complicated security breach, you will now have the information you need to address the problem.



Security is one of the top concerns of any business owner—data drives your business, so you want to do everything in your power to protect it. Having your audit logs always turned on improves security. It’s an easy way to keep track of everything happening in your Office 365 environment and to track down anything that seems even a little out of place. Ultimately, your audit logs give you more power over your data security.


Monitoring and Alerts

In the past, we’ve discussed the importance of monitoring and alerts. But did you know that none of that is possible without audit logs? Office 365’s continuous logging enables all of these alerts to be tripped and recorded so you can investigate them later.

Here are just a few of the things in your audit logs that will trigger an alert:

  • Security Policies. If any changes are made to your security policies, you’ll be instantly notified. This allows you to quickly catch any hackers trying to compromise the security of your organization.
  • Administrator Behavior. Office Protect will monitor all administrators to check if those users are engaging in behavior that’s consistent with your security policy. It’ll flag inbox rules that don’t follow your security policy.
  • Missing or Deleted Emails. Your logs will capture any emails that disappear from a user inbox, whether accidentally or intentionally, or if an important document is forwarded to someone outside your organization. You can choose to have these logs trigger alerts in certain instances.
  • Sign-Ins. Information like number of sign-ins and sign-in location will be logged, allowing you to potentially catch a user who has taken your company device to an unauthorized location, or even tag someone trying to access your data from a suspicious location.
  • Sent Emails. Sent emails will also be logged. Office Protect will alert you if anyone in your organization sends out something that could be flagged as spam, which could indicate that an email account has been breached and is now compromised.


How to Search Your Audit Logs

The High-Level View

We’ve talked a lot about the benefits of reviewing audit logs, but how do you find that information? Fortunately, Office Protect makes this really easy for you. With its dashboard and reports, Office Protect will give you a high-level view of everything that’s going on. The dashboard gives you a glimpse into how your security environment is performing and if there’s anything that needs to be addressed.

Automated reports will also show you the top 20 details you need to see, and you can export them into a PDF or CSV file for further analysis.

Digging into the Details

But what if you need more detail? No problem! With just a few simple steps, you can find anything you need in your logs.

To run an audit log search, simply log in to your Office 365 account. Look on the left pane in the Security & Compliance Center, and click “Audit Log Search.” Once the audit log search menu pops up, you can choose which activities and dates you’d like to view. You can also choose to view only specific users, files, folders, or sites. Then click “Search.”

You should now see your results. There’s a maximum of 5,000 events that can be shown at a time, so it’s recommended that you filter the results as needed through the menu to focus on anything of interest.

If you want more details about a specific event within those results, you can click on it and it will open the “Details” page. This will contain detailed properties of the specific event that you can dig into. You can also filter the results or export them into Microsoft Excel for more detailed analysis.
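Once the results are exported, the "who deleted the file" question can be answered offline. The script below is an added example, not code from Office Protect or Microsoft; it assumes the export is a CSV with the columns CreationDate, UserIds, Operations and AuditData (a JSON string holding SourceFileName and ClientIP), and its sample rows are constructed. It also flags an export that reached the 5,000-event limit, since matching events may then be missing.

```python
import csv
import io
import json

RESULT_CAP = 5000  # per-search display limit stated in the article
# Operation names assumed for SharePoint/OneDrive file removal and moves.
REMOVAL_OPS = {"FileDeleted", "FileMoved",
               "FileDeletedFirstStageRecycleBin",
               "FileDeletedSecondStageRecycleBin"}

def build_sample_export():
    """Constructed sample rows (not real tenant data) in the assumed layout."""
    events = [
        ("2024-03-04T09:12:41", "alice@example.com", "FileAccessed", "203.0.113.7", "Q1-forecast.xlsx"),
        ("2024-03-04T16:47:03", "bob@example.com", "FileDeleted", "198.51.100.23", "Q1-forecast.xlsx"),
        ("2024-03-05T08:01:19", "carol@example.com", "FileDeleted", "203.0.113.9", "notes.docx"),
        ("2024-03-05T10:30:00", "alice@example.com", "FileModified", "203.0.113.7", "Q1-forecast.xlsx"),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for when, user, op, ip, name in events:
        detail = {"Operation": op, "UserId": user, "ClientIP": ip, "SourceFileName": name}
        writer.writerow([when, user, op, json.dumps(detail)])
    return buf.getvalue()

def who_removed(export_text, file_name, operations=REMOVAL_OPS):
    """Return (hits, truncated): removal/move events for file_name, and whether
    the export reached RESULT_CAP rows, so matching events may be missing."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    hits = []
    for row in rows:
        if row["Operations"] not in operations:
            continue
        try:
            detail = json.loads(row["AuditData"])
        except json.JSONDecodeError:
            continue  # unreadable detail column: cannot match on file name
        name = detail.get("SourceFileName") or ""
        if name.lower() == file_name.lower():
            hits.append((row["CreationDate"], row["UserIds"],
                         row["Operations"], detail.get("ClientIP", "")))
    return sorted(hits), len(rows) >= RESULT_CAP

if __name__ == "__main__":
    hits, truncated = who_removed(build_sample_export(), "q1-forecast.xlsx")
    for when, user, op, ip in hits:
        print(f"{when}  {user}  {op}  from {ip}")
    if truncated:
        print("Export hit the 5,000-event limit; narrow the date range and re-run.")
```

For a real export, read the file with `open(path, newline="", encoding="utf-8-sig")` and pass its contents to `who_removed`.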

How to Enable Audit Logs in Office Protect

Clearly, having your audit logs always turned on gives you the most information about your environment and allows you to handle any situation. It’s highly recommended that you leave audit logs turned on so that you never miss out on any important alerts. So how do you make sure this setting is turned on?

With Office Protect, you don’t actually have to do anything! By default, the Audit Logs Always On switch is enabled. Even if it’s turned off by a rogue administrator, it will be automatically turned back on and an alert will be issued to Sherweb.

To view this setting, simply access it from your dashboard—go into your settings, and you’ll see the toggle menu, security impact (high), and user impact (none) for Office Protect.

Written by The Sherweb Team Collaborators @ Sherweb