{"id":10690,"date":"2017-07-05T13:00:27","date_gmt":"2017-07-05T17:00:27","guid":{"rendered":"http:\/\/www.sherweb.com\/blog\/?p=10690"},"modified":"2022-09-05T14:38:28","modified_gmt":"2022-09-05T18:38:28","slug":"activity-reports-audit-logs-office-365","status":"publish","type":"post","link":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/","title":{"rendered":"Understanding Activity Reports with Audit Logs in Office 365"},"content":{"rendered":"<p>Microsoft continues to invest heavily within Office 365 services, not just from a feature and functionality perspective, but more from the internals, such as logging and <a href=\"https:\/\/www.sherweb.com\/blog\/office-365-security-genuine-concerns\/\" target=\"_blank\" rel=\"noopener noreferrer\">security<\/a>. This means that you can easily know what tasks your end users are performing within any part of the service. You may wonder why this is important for you as an organization. Well, in reality, the biggest threat to any company is from within, namely employees. Having the ability to monitor all traffic within Office 365 means that you can not only see what is happening at any point in time but also be alerted about specific activities. The Audit log search featured within the Security &amp; Compliance Center is the go-to tool for reviewing usage by activity and component.<\/p>\n<p>&nbsp;<\/p>\n<h3><a href=\"https:\/\/www.sherweb.com\/blog\/security\/office-protect-settings-audit-logs-always-on\/\" target=\"_blank\" rel=\"noopener noreferrer\">Learn how Office Protect can help you save time while keeping your Audits Logs in check<\/a><\/h3>\n<p>&nbsp;<\/p>\n<h2>Audit Logs in Office 365: Understanding users\u2019 activity reports<\/h2>\n<h3>Categories and activities<\/h3>\n<p>The Audit log captures activities from multiple sources. The general sets of logged activities are grouped into the following categories:<\/p>\n<ul>\n<li>File and page<\/li>\n<li>Folder<\/li>\n<li>Sharing and access requests<\/li>\n<li>Synchronization<\/li>\n<li>Site administration<\/li>\n<li>Exchange mailbox<\/li>\n<li>Sway<\/li>\n<li>User administration<\/li>\n<li>Azure AD group administration<\/li>\n<li>Application administration<\/li>\n<li>Role administration<\/li>\n<li>Directory administration<\/li>\n<li>eDiscovery<\/li>\n<li>Power BI<\/li>\n<li>Microsoft Teams<\/li>\n<li>Yammer<\/li>\n<li>Exchange admin<\/li>\n<\/ul>\n<p>Other activities may be available based on services that are enabled within your tenant such as Dynamics 365. Each category also contains multiple types of activities that can be selected. By looking at the Folder activity category you can see the subset of activities that can be viewed.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10691 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Categories-and-Activities.png\" alt=\"Categories and Activities\" width=\"640\" height=\"195\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Categories-and-Activities.png 640w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Categories-and-Activities-300x91.png 300w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Categories-and-Activities-600x183.png 600w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>Expanding on these core activities, the following list outlines what each activity actually captures:<\/p>\n<ul>\n<li><strong>Copied folder<\/strong> &#8211; User copies a folder from one site to another location in SharePoint or OneDrive for Business.<\/li>\n<li><strong>Create a folder<\/strong> &#8211; User creates a folder on a site.<\/li>\n<li><strong>Delete a folder<\/strong> &#8211; User deletes a folder from a site.<\/li>\n<li><strong>Delete the folder from Recycle bin<\/strong> &#8211; User deletes a folder from the recycle bin on a site.<\/li>\n<li><strong>Delete the folder from second-stage Recycle bin<\/strong> &#8211; User deletes a folder from the second-stage recycle bin on a site.<\/li>\n<li><strong>Modified folder<\/strong> &#8211; User modifies a folder on a site. This includes changing the folder metadata, such as changing tags and properties.<\/li>\n<li><strong>Moved folder<\/strong> &#8211; User moves a folder to a different location on a site.<\/li>\n<li><strong>Renamed folder<\/strong> &#8211; User renames a folder on a site.<\/li>\n<li><strong>Restored folder<\/strong> &#8211; User restores a deleted folder from the recycle bin on a site.<\/li>\n<\/ul>\n<p>To view the breakdown of all categories within the Audit Log, <a href=\"https:\/\/support.office.com\/en-us\/article\/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c?ui=en-US&amp;rs=en-US&amp;ad=US#PickTab=Audited_activities\" target=\"_blank\" rel=\"noopener noreferrer\">Click here<\/a>.<\/p>\n<p>&nbsp;<\/p>\n<h3>Permissions and log capture<\/h3>\n<p>To use the <strong>Audit Log search<\/strong>, you either need to be a Global administrator or be added to the Security &amp; Compliance center roles groups, Compliance Manager or Organization management. If you need to allow a non-administrative user access to this, you must assign the \u201c<strong>View-Only Audit Logs<\/strong>\u201d or the \u201cA<strong>udit Logs role<\/strong>\u201d within the Security &amp; compliance center.<\/p>\n<p>Office 365 does not allow querying of all services and components immediately. Due to each service storing log data differently and within different storage mechanisms, the Audit log is populated at different times by refreshed data.<\/p>\n<p>SharePoint Online, OneDrive for Business, Exchange Online and Azure Activity Directory (user login events) are imported every 30 minutes. Azure Activity Directory (admin events), Sway, Power BI. Yammer, Security &amp; Compliance Center4 and Microsoft Teams are imported every 24 hours. It is important to understand these timings when, for example, you are using the Audit log to investigate user traffic, specifically when it is related to eDiscovery and Legal Hold.<\/p>\n<p>&nbsp;<\/p>\n<h3>Executing audit log searches<\/h3>\n<p>The Audit log search is available within the Security &amp; Compliance Center. You can find it by clicking the \u201c<strong>Search &amp; Investigation<\/strong>\u201d link and choosing \u201c<strong>Audit log search<\/strong>\u201d.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10693 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-1.png\" alt=\"Executing Audit Log Searches-Step 1\" width=\"294\" height=\"229\" \/><\/p>\n<p>Once the search page is loaded, you can specify the <strong>Activities<\/strong>, <strong>Start<\/strong> and <strong>End Date<\/strong>, <strong>Users<\/strong> and any <strong>free-text values<\/strong> that can be used as a filter value. If you are unsure as to what activities need to be selected, you can search within the picker, by simply typing what you need.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10694 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-2.png\" alt=\"Executing Audit Log Searches-Step 2\" width=\"1020\" height=\"449\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-2.png 1020w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-2-300x132.png 300w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-2-768x338.png 768w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-2-600x264.png 600w\" sizes=\"auto, (max-width: 1020px) 100vw, 1020px\" \/><\/p>\n<p>Typing a value will filter all activities to those that contain the free-text value that you have entered. It is helpful that the categories are still displayed so you can be sure that the activity you select is the right category, which internally is translated to an Office 365 feature or service. If you know the activities, you can simply select them in order to populate the \u201c<strong>Show results for all activities<\/strong>\u201d with the selected activities. It will also display a count for the total number of activities you have added. There is a maximum limit of selectable activities, which is set to 45.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10695 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-3.png\" alt=\"Executing Audit Log Searches-Step 3\" width=\"1232\" height=\"353\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-3.png 1232w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-3-300x86.png 300w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-3-768x220.png 768w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-3-1024x293.png 1024w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-3-600x172.png 600w\" sizes=\"auto, (max-width: 1232px) 100vw, 1232px\" \/><\/p>\n<p>Once you have selected the activities, you can add a date and time range to limit the results. The Audit log only allows searching within the last 90 days of activity. Filtering the results to a specific user is done by clicking into the \u201c<strong>Users<\/strong>\u201d field, which will then auto-populate with the list of users within the Office 365 tenant.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10696 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-4.png\" alt=\"Executing Audit Log Searches-Step 4\" width=\"301\" height=\"269\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-4.png 301w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-4-300x268.png 300w\" sizes=\"auto, (max-width: 301px) 100vw, 301px\" \/><\/p>\n<p>Once you have selected the user accounts you wish to filter the results to, you can specific free-text values that will be used to search across all the field for <strong>File<\/strong>,<strong> Folder<\/strong> or <strong>Site<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10697 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-5.png\" alt=\"Executing Audit Log Searches-Step 5\" width=\"310\" height=\"109\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-5.png 310w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-5-300x105.png 300w\" sizes=\"auto, (max-width: 310px) 100vw, 310px\" \/><\/p>\n<p><strong>NOTE<\/strong>: When using this type of filtering, you need to replace any of these characters \u201c\\ \/ &#8211; _\u201d with spaces.<\/p>\n<p>Now that you have created the search criteria, you can run the search to view the Audit log results. This can take a few seconds to load, but once loaded it, is very fast to filter export.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10698 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-6.png\" alt=\"Executing Audit Log Searches-Step 6\" width=\"852\" height=\"665\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-6.png 852w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-6-300x234.png 300w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-6-768x599.png 768w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-6-600x468.png 600w\" sizes=\"auto, (max-width: 852px) 100vw, 852px\" \/><\/p>\n<p>To filter the results, click the \u201cFilter results\u201d button which will add a new row above the results, allowing you to free-text the filter. Typing values in the filter boxes will refine the result set to what you typed.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10699 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-7.png\" alt=\"Executing Audit Log Searches-Step 7\" width=\"1017\" height=\"232\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-7.png 1017w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-7-300x68.png 300w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-7-768x175.png 768w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Executing-Audit-Log-Searches-Step-7-600x137.png 600w\" sizes=\"auto, (max-width: 1017px) 100vw, 1017px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h3>Set up alerts for audit log searches<\/h3>\n<p>Once you have data within the Audit log search, continually running the searches can be time-consuming, which you will be repeating constantly. To prevent this, you can click the \u201c<strong>New Alert policy<\/strong>\u201d button and create an email alert for the search criteria you created.<\/p>\n<p>Clicking the button will present the new alert policy screen from the right-hand side, which will be pre-populated with the activities you chose within the search. If you have defined any users they will also be populated within the \u201c<strong>Users<\/strong>\u201d box.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10700 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-1.png\" alt=\"Setup Alerts for Audit Log Searches-Step 1\" width=\"749\" height=\"339\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-1.png 749w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-1-300x135.png 300w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-1-600x272.png 600w\" sizes=\"auto, (max-width: 749px) 100vw, 749px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>All that needs to be defined are the <strong>Name<\/strong>, <strong>Description<\/strong>, and who to <strong>send the alert to<\/strong>.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10701 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-2.png\" alt=\"Setup Alerts for Audit Log Searches-Step 2\" width=\"662\" height=\"784\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-2.png 662w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-2-253x300.png 253w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-2-600x711.png 600w\" sizes=\"auto, (max-width: 662px) 100vw, 662px\" \/><\/p>\n<p>Once you have saved the alert, you will need to allow Office 365 to capture the events and send the notifications to you. When an event that matches the new alert policy is captured, an email is sent that contains specific details of that specific event. The notification message contains information about the <strong>Activity Type, User, Item, Client IP Address, Time of Activity<\/strong> as well as links that take you into the Audit Log search for searching the audit log by the <strong>specific user, item, activity<\/strong> and other activities that would trigger the alert.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-10702\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-3.png\" alt=\"Setup Alerts for Audit Log Searches-Step 3\" width=\"503\" height=\"509\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-3.png 503w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-3-296x300.png 296w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Setup-Alerts-for-Audit-Log-Searches-Step-3-50x50.png 50w\" sizes=\"auto, (max-width: 503px) 100vw, 503px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h3>Exporting audit log entries<\/h3>\n<p>The Audit log captures more data than what is displayed within the user interface. To view more, simply select one of the rows by pressing onto the row. A panel with more details will then be displayed that slides over from the right. The initial screen only shows the same values, with a link that will expand to reveal more information.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10703 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-1.png\" alt=\"Exporting Audit Log Entries-Step 1\" width=\"821\" height=\"347\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-1.png 821w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-1-300x127.png 300w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-1-768x325.png 768w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-1-600x254.png 600w\" sizes=\"auto, (max-width: 821px) 100vw, 821px\" \/><\/p>\n<p>Clicking on \u201c<strong>More information<\/strong>\u201d will expand to reveal extra fields with associated data. Some of the fields contain further details, as they store the data as internal JSON objects. The following fields are displayed:<\/p>\n<p>&nbsp;<\/p>\n<table style=\"height: 500px;\" width=\"1456\">\n<tbody>\n<tr>\n<td width=\"312\">Actor<\/p>\n<p>ActorContextId<\/p>\n<p>ActorIpAddress<\/p>\n<p>ApplicationId<\/p>\n<p>AzureActiveDirectoryEventType<\/p>\n<p>ClientIP<\/p>\n<p>CreationTime<\/p>\n<p>ExtendedProperties<\/p>\n<p>Id<\/p>\n<p>InterSystemsId<\/p>\n<p>IntraSystemId<\/p>\n<p>&nbsp;<\/td>\n<td width=\"312\">ObjectId<\/p>\n<p>Operation<\/p>\n<p>OrganizationId<\/p>\n<p>RecordType<\/p>\n<p>ResultStatus<\/p>\n<p>Target<\/p>\n<p>TargetContextId<\/p>\n<p>UserId<\/p>\n<p>UserKey<\/p>\n<p>UserType<\/p>\n<p>Version<\/p>\n<p>Workload<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>Using the core user interface does not give you the flexibility you need when inspecting the results. To help you Microsoft offers you the ability to \u201c<strong>Export<\/strong>\u201d either the currently loaded results, or all results (including those that you can\u2019t see yet and have not been loaded).<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10704 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-2.png\" alt=\"Exporting Audit Log Entries-Step 2\" width=\"351\" height=\"129\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-2.png 351w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-2-300x110.png 300w\" sizes=\"auto, (max-width: 351px) 100vw, 351px\" \/><\/p>\n<p>Exporting the results for an audit log search, the raw data from the Office 365 unified audit log is copied to a comma-separated value (CSV) file. This is downloaded to your local computer.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10705 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-3.png\" alt=\"Exporting Audit Log Entries-Step 3\" width=\"477\" height=\"356\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-3.png 477w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-3-300x224.png 300w\" sizes=\"auto, (max-width: 477px) 100vw, 477px\" \/><\/p>\n<p>Opening the CSV file displays all the rows from the results, however, it formats it in a different way. The first three columns display the Date of the activity, User ID and Operation. An additional column from the audit log entry, named \u201c<strong>AuditData<\/strong>\u201d, is also added to the CSV. This column contains a multi-value property for multiple properties from the audit log record. Each of the property:value pairs in this multi-value property is separated by a comma.<\/p>\n<p>When trying to filter within Excel or another spreadsheet solution, you will need to parse the <strong>JSON \/ property:value<\/strong> data for it to be useful. You can use Power Query in Excel to split this column into multiple columns so that each property will have its own column. This will let you sort and filter on one or more of these properties. To learn how to do this, see the &#8220;<strong>Split a column by delimiter<\/strong>&#8221; section in Split a column of text.<\/p>\n<p>However, some of the results, when displayed within the core user interface, display the JSON data to make it easier to review without the need to export. An example of this would be using the activity report \u201c<strong>Accessed file<\/strong>\u201d. This activity displays more of the JSON object to you in the core console without the need to export.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"size-full wp-image-10706 aligncenter\" src=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-4.png\" alt=\"Exporting Audit Log Entries-Step 4\" width=\"999\" height=\"509\" srcset=\"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-4.png 999w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-4-300x153.png 300w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-4-768x391.png 768w, \/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Exporting-Audit-Log-Entries-Step-4-600x306.png 600w\" sizes=\"auto, (max-width: 999px) 100vw, 999px\" \/><\/p>\n<p>&nbsp;<\/p>\n<h2>User behavior and protection<\/h2>\n<p>The real win with the Audit Log search capabilities is around understanding user habits, patterns and potential security incidents. The more you understand about how your end users use Office 365, potential security risks and incidents, the better you can protect and secure your environments. Data collected in the audit logs can paint a useful picture of what actions have (or haven\u2019t) occurred within Office 365, and can be stored for later review at any time. So, whether you are trying to determine permission changes, checking document reviews or which content has been deleted or restored, the Office 365 Audit Log search can help you.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Having the ability to monitor all traffic within Office 365 means that you can not only see what ","protected":false},"author":177,"featured_media":10692,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[751],"tags":[],"class_list":["post-10690","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-office-365"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.7 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>Activity reports and audit logs in Office 365<\/title>\n<meta name=\"description\" content=\"Activity Reports gives the ability to monitor all traffic. You can see what is happening at any point in time and be alerted about specific activities.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Activity reports and audit logs in Office 365\" \/>\n<meta property=\"og:description\" content=\"Activity Reports gives the ability to monitor all traffic. You can see what is happening at any point in time and be alerted about specific activities.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/\" \/>\n<meta property=\"og:site_name\" content=\"Sherweb\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/Sherweb\" \/>\n<meta property=\"article:published_time\" content=\"2017-07-05T17:00:27+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2022-09-05T18:38:28+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png\" \/>\n\t<meta property=\"og:image:width\" content=\"770\" \/>\n\t<meta property=\"og:image:height\" content=\"230\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/png\" \/>\n<meta name=\"author\" content=\"The Sherweb Team\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@SherWeb\" \/>\n<meta name=\"twitter:site\" content=\"@SherWeb\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"The Sherweb Team\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/\"},\"author\":{\"name\":\"The Sherweb Team\",\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/#\\\/schema\\\/person\\\/42a19dccace310904575a5656cc20976\"},\"headline\":\"Understanding Activity Reports with Audit Logs in Office 365\",\"datePublished\":\"2017-07-05T17:00:27+00:00\",\"dateModified\":\"2022-09-05T18:38:28+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/\"},\"wordCount\":1705,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/#primaryimage\"},\"thumbnailUrl\":\"\\\/blog\\\/wp-content\\\/uploads\\\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png\",\"articleSection\":[\"Microsoft 365\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/\",\"url\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/\",\"name\":\"Activity reports and audit logs in Office 365\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/#primaryimage\"},\"thumbnailUrl\":\"\\\/blog\\\/wp-content\\\/uploads\\\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png\",\"datePublished\":\"2017-07-05T17:00:27+00:00\",\"dateModified\":\"2022-09-05T18:38:28+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/#\\\/schema\\\/person\\\/42a19dccace310904575a5656cc20976\"},\"description\":\"Activity Reports gives the ability to monitor all traffic. You can see what is happening at any point in time and be alerted about specific activities.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/#primaryimage\",\"url\":\"\\\/blog\\\/wp-content\\\/uploads\\\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png\",\"contentUrl\":\"\\\/blog\\\/wp-content\\\/uploads\\\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png\",\"width\":770,\"height\":230,\"caption\":\"Understanding Users\u2019 Activity Reports with Audit Logs in Office 365\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/microsoft-ecosystem\\\/office-365\\\/activity-reports-audit-logs-office-365\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Microsoft Ecosystem\",\"item\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/category\\\/microsoft-ecosystem\\\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"Microsoft 365\",\"item\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/category\\\/microsoft-ecosystem\\\/office-365\\\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Understanding Activity Reports with Audit Logs in Office 365\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/\",\"name\":\"Sherweb\",\"description\":\"More than a cloud marketplace\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/#\\\/schema\\\/person\\\/42a19dccace310904575a5656cc20976\",\"name\":\"The Sherweb Team\",\"url\":\"https:\\\/\\\/www.sherweb.com\\\/blog\\\/author\\\/the-sherweb-team\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Activity reports and audit logs in Office 365","description":"Activity Reports gives the ability to monitor all traffic. You can see what is happening at any point in time and be alerted about specific activities.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/","og_locale":"en_US","og_type":"article","og_title":"Activity reports and audit logs in Office 365","og_description":"Activity Reports gives the ability to monitor all traffic. You can see what is happening at any point in time and be alerted about specific activities.","og_url":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/","og_site_name":"Sherweb","article_publisher":"https:\/\/www.facebook.com\/Sherweb","article_published_time":"2017-07-05T17:00:27+00:00","article_modified_time":"2022-09-05T18:38:28+00:00","og_image":[{"width":770,"height":230,"url":"https:\/\/www.sherweb.com\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png","type":"image\/png"}],"author":"The Sherweb Team","twitter_card":"summary_large_image","twitter_creator":"@SherWeb","twitter_site":"@SherWeb","twitter_misc":{"Written by":"The Sherweb Team","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/#article","isPartOf":{"@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/"},"author":{"name":"The Sherweb Team","@id":"https:\/\/www.sherweb.com\/blog\/#\/schema\/person\/42a19dccace310904575a5656cc20976"},"headline":"Understanding Activity Reports with Audit Logs in Office 365","datePublished":"2017-07-05T17:00:27+00:00","dateModified":"2022-09-05T18:38:28+00:00","mainEntityOfPage":{"@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/"},"wordCount":1705,"commentCount":0,"image":{"@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/#primaryimage"},"thumbnailUrl":"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png","articleSection":["Microsoft 365"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/","url":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/","name":"Activity reports and audit logs in Office 365","isPartOf":{"@id":"https:\/\/www.sherweb.com\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/#primaryimage"},"image":{"@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/#primaryimage"},"thumbnailUrl":"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png","datePublished":"2017-07-05T17:00:27+00:00","dateModified":"2022-09-05T18:38:28+00:00","author":{"@id":"https:\/\/www.sherweb.com\/blog\/#\/schema\/person\/42a19dccace310904575a5656cc20976"},"description":"Activity Reports gives the ability to monitor all traffic. You can see what is happening at any point in time and be alerted about specific activities.","breadcrumb":{"@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/#primaryimage","url":"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png","contentUrl":"\/blog\/wp-content\/uploads\/Understanding-Users\u2019-Activity-Reports-with-Audit-Logs-in-Office-365-Banner.png","width":770,"height":230,"caption":"Understanding Users\u2019 Activity Reports with Audit Logs in Office 365"},{"@type":"BreadcrumbList","@id":"https:\/\/www.sherweb.com\/blog\/microsoft-ecosystem\/office-365\/activity-reports-audit-logs-office-365\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.sherweb.com\/blog\/"},{"@type":"ListItem","position":2,"name":"Microsoft Ecosystem","item":"https:\/\/www.sherweb.com\/blog\/category\/microsoft-ecosystem\/"},{"@type":"ListItem","position":3,"name":"Microsoft 365","item":"https:\/\/www.sherweb.com\/blog\/category\/microsoft-ecosystem\/office-365\/"},{"@type":"ListItem","position":4,"name":"Understanding Activity Reports with Audit Logs in Office 365"}]},{"@type":"WebSite","@id":"https:\/\/www.sherweb.com\/blog\/#website","url":"https:\/\/www.sherweb.com\/blog\/","name":"Sherweb","description":"More than a cloud marketplace","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.sherweb.com\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.sherweb.com\/blog\/#\/schema\/person\/42a19dccace310904575a5656cc20976","name":"The Sherweb Team","url":"https:\/\/www.sherweb.com\/blog\/author\/the-sherweb-team\/"}]}},"tag_names":[],"_links":{"self":[{"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/posts\/10690","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/users\/177"}],"replies":[{"embeddable":true,"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/comments?post=10690"}],"version-history":[{"count":15,"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/posts\/10690\/revisions"}],"predecessor-version":[{"id":23942,"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/posts\/10690\/revisions\/23942"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/media\/10692"}],"wp:attachment":[{"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/media?parent=10690"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/categories?post=10690"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.sherweb.com\/blog\/wp-json\/wp\/v2\/tags?post=10690"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}