{"id":16149,"date":"2022-01-09T10:41:00","date_gmt":"2022-01-09T09:41:00","guid":{"rendered":"https:\/\/ways.se\/?p=16149"},"modified":"2024-01-11T14:57:47","modified_gmt":"2024-01-11T13:57:47","slug":"investigate-incidents-with-microsoft-365-audit-log","status":"publish","type":"post","link":"https:\/\/ways.se\/en\/articles\/investigate-incidents-with-microsoft-365-audit-log\/","title":{"rendered":"Investigate incidents with Microsoft\u00a0365 Audit\u00a0Log"},"content":{"rendered":"\n<p>Thousands of user and admin operations, performed in dozens of Microsoft 365 services and solutions, are captured, recorded, and retained in a unified audit log, available in <a href=\"https:\/\/learn.microsoft.com\/en-us\/purview\/purview\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Purview<\/a>. Using the audit log search tool, you can search for, view, and export the audit records for any of these operations. Typical document management activities that you can search for in the logs are:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>Accessed or previewed documents<\/li>\n\n\n\n<li>Modified documents<\/li>\n\n\n\n<li>Uploaded documents<\/li>\n\n\n\n<li>Deleted or restored documents<\/li>\n\n\n\n<li>Downloaded or synchronized documents<\/li>\n\n\n\n<li>Checked in or checked out documents<\/li>\n\n\n\n<li>Copied or moved documents<\/li>\n<\/ul>\n\n\n\n<p>Microsoft 365 provides two auditing solutions:<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:1\">\n<li>Basic Audit\n<ul class=\"wp-block-list\">\n<li>For Microsoft 365 licenses (non-E5)<\/li>\n\n\n\n<li>90-day audit record retention<\/li>\n\n\n\n<li>Access via GUI, PowerShell, and API<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Advanced Audit\n<ul class=\"wp-block-list\">\n<li>For Microsoft 365 E5 licenses<\/li>\n\n\n\n<li>1-year audit record retention (can be extended to 10 years, with additional licenses)<\/li>\n\n\n\n<li>Custom audit retention policies<\/li>\n\n\n\n<li>High-value crucial 
events<\/li>\n\n\n\n<li>Higher bandwidth access to API<\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<p>Basic Audit is enabled by default for all organizations with the appropriate subscription (for a list of subscription and licensing requirements, see&nbsp;<a href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/auditing-solutions-overview?view=o365-worldwide#licensing-requirements\" target=\"_blank\" rel=\"noreferrer noopener\">Auditing solutions in Microsoft 365<\/a>). The only setup before you and others in your organization can search in the audit log is to assign the necessary permissions to access the audit log search tool.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/help.metashare.com\/en\/faq\/how-to-use-microsoft-365s-unified-audit-log\/#assign-permissions-to-search-the-audit-log\"><\/a>Assign permissions to search the audit log<\/h2>\n\n\n\n<p>Global Administrators can always search the audit log. To allow searching with minimum privileges, admins and members of investigation teams can be assigned the \u201cSecurity Reader\u201d role. 
See <a href=\"https:\/\/learn.microsoft.com\/en-us\/microsoft-365\/admin\/add-users\/assign-admin-roles?view=o365-worldwide\" target=\"_blank\" rel=\"noreferrer noopener\">Assign admin roles in the Microsoft 365 admin center<\/a>.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"1200\" src=\"https:\/\/ways.se\/wp-content\/uploads\/security_reader_role.png\" alt=\"\" class=\"wp-image-16154\" srcset=\"https:\/\/ways.se\/wp-content\/uploads\/security_reader_role.png 1920w, https:\/\/ways.se\/wp-content\/uploads\/security_reader_role-300x188.png 300w, https:\/\/ways.se\/wp-content\/uploads\/security_reader_role-1024x640.png 1024w, https:\/\/ways.se\/wp-content\/uploads\/security_reader_role-768x480.png 768w, https:\/\/ways.se\/wp-content\/uploads\/security_reader_role-1536x960.png 1536w\" sizes=\"auto, (max-width: 1920px) 100vw, 1920px\" \/><figcaption class=\"wp-element-caption\">The Security Reader role as seen in the Microsoft 365 Admin Center<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/help.metashare.com\/en\/faq\/how-to-use-microsoft-365s-unified-audit-log\/#search-the-audit-log\"><\/a>Search the audit log<\/h2>\n\n\n\n<p>To search in the audit log, do the following:<\/p>\n\n\n\n<ol class=\"wp-block-list\" style=\"list-style-type:1\">\n<li>Sign in to&nbsp;<a href=\"https:\/\/compliance.microsoft.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Microsoft Purview<\/a>&nbsp;using an account that has been assigned the appropriate audit permissions.<\/li>\n\n\n\n<li>In the left navigation pane click&nbsp;on \u201c<a href=\"https:\/\/compliance.microsoft.com\/auditlogsearch?viewid=Async%20Search\" target=\"_blank\" rel=\"noreferrer noopener\">Audit<\/a>\u201c:<br><img loading=\"lazy\" decoding=\"async\" width=\"475\" height=\"636\" class=\"wp-image-16158\" src=\"https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_navigation.png\" alt=\"\" 
srcset=\"https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_navigation.png 475w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_navigation-224x300.png 224w\" sizes=\"auto, (max-width: 475px) 100vw, 475px\" \/><br>On the&nbsp;Audit&nbsp;page, configure the search using the following conditions:<br><img loading=\"lazy\" decoding=\"async\" width=\"1521\" height=\"595\" class=\"wp-image-16160\" src=\"https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_filters.png\" alt=\"\" srcset=\"https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_filters.png 1521w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_filters-300x117.png 300w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_filters-1024x401.png 1024w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_filters-768x300.png 768w\" sizes=\"auto, (max-width: 1521px) 100vw, 1521px\" \/>\n<ul class=\"wp-block-list\">\n<li>Date and time range \u2013 select a date and time range to display the events that occurred within that period. The date and time are presented in local time.<\/li>\n\n\n\n<li>Activities \u2013 select the activities to search for. Use the search box to search for activities to add to the list. For a partial list of audited activities, see&nbsp;<a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/search-the-audit-log-in-security-and-compliance?view=o365-worldwide#audited-activities\" target=\"_blank\">Audited activities<\/a>. Leave this box blank to return entries for all audited activities.<\/li>\n\n\n\n<li>Users \u2013 click in this box and start typing the name of users to display search results for. The audit log entries for the selected activities performed by the users you select in this box are displayed in the list of results. 
Leave this box blank to return entries for all users in your organization.<\/li>\n\n\n\n<li>File, folder, or site \u2013 type some or all of a file or folder name to search for activity related to the file or folder that contains the specified keyword. You can also specify a URL of a file or folder. If you use a URL of a file or folder, be sure to type the full URL path; if you type only a portion of the URL, don\u2019t include any special characters or spaces. Leave this box blank to return entries for all files and folders in your organization.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Click&nbsp;on the \u201cSearch\u201d&nbsp;button. The page now shows that the audit log search is running. When the search is completed, audit records are displayed on the page. Click a record to display a flyout page with detailed properties: <br><img loading=\"lazy\" decoding=\"async\" width=\"1538\" height=\"1138\" class=\"wp-image-16163\" src=\"https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_result.png\" alt=\"\" srcset=\"https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_result.png 1538w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_result-300x222.png 300w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_result-1024x758.png 1024w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_result-768x568.png 768w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_search_result-1536x1137.png 1536w\" sizes=\"auto, (max-width: 1538px) 100vw, 1538px\" \/><\/li>\n\n\n\n<li>The search results can now be exported to a CSV file by clicking on the \u201cExport\u201d function at the top of the audit report:<br><img loading=\"lazy\" decoding=\"async\" width=\"1101\" height=\"750\" class=\"wp-image-16178\" style=\"width: 560px\" src=\"https:\/\/ways.se\/wp-content\/uploads\/purview_audit_log_export.png\" alt=\"\" srcset=\"https:\/\/ways.se\/wp-content\/uploads\/purview_audit_log_export.png 1101w, 
https:\/\/ways.se\/wp-content\/uploads\/purview_audit_log_export-300x204.png 300w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_log_export-1024x698.png 1024w, https:\/\/ways.se\/wp-content\/uploads\/purview_audit_log_export-768x523.png 768w\" sizes=\"auto, (max-width: 1101px) 100vw, 1101px\" \/><\/li>\n\n\n\n<li>The audit report also gets a unique URL, so it can be shared with users that have access to the audit log.<\/li>\n<\/ol>\n\n\n\n<p>For more detailed information about the audit logs, see <a rel=\"noreferrer noopener\" href=\"https:\/\/docs.microsoft.com\/en-us\/microsoft-365\/compliance\/auditing-solutions-overview?view=o365-worldwide\" target=\"_blank\">Auditing solutions in Microsoft Purview<\/a>.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\"><a href=\"https:\/\/help.metashare.com\/en\/faq\/how-to-use-microsoft-365s-unified-audit-log\/#extending-the-audit-record-retention-period\"><\/a>Extending the audit record retention period<\/h2>\n\n\n\n<p>If you only have the basic 90-day audit record retention, you can, on a regular basis, run audit log searches using PowerShell or APIs and save the audit reports in an external repository. 
There are also third-party tools that deliver these capabilities, e.g.:<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a href=\"https:\/\/www.lepide.com\/\" target=\"_blank\" rel=\"noreferrer noopener\">Lepide Auditor for SharePoint<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.manageengine.com\/sharepoint-management-reporting\/\" target=\"_blank\" rel=\"noreferrer noopener\">ManageEngine SharePoint Manager Plus<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.solarwinds.com\/access-rights-manager\/use-cases\/sharepoint-audit-tool\" target=\"_blank\" rel=\"noreferrer noopener\">Solarwinds SharePoint Online Audit Log Tool<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.netwrix.com\/sharepoint_auditing.html\" target=\"_blank\" rel=\"noreferrer noopener\">Netwrix Auditor for SharePoint and Teams<\/a><\/li>\n\n\n\n<li><a rel=\"noreferrer noopener\" href=\"https:\/\/splunkbase.splunk.com\/app\/4055\/\" target=\"_blank\">Splunk Add-on for Microsoft Office 365<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.syskit.com\/products\/spdockit\/solutions\/spdockit-sharepoint-audit-log-reports\/\" target=\"_blank\" rel=\"noreferrer noopener\">SysKit SPDocKit<\/a><\/li>\n\n\n\n<li><a href=\"https:\/\/www.intelex.com\/landing\/audit-management-software\" target=\"_blank\" rel=\"noreferrer noopener\">Intelex Audit Management Software<\/a><\/li>\n<\/ul>\n\n\n\n<div class=\"wp-block-group has-text-bright-color has-accent-1-background-color has-text-color has-background\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<h2 class=\"wp-block-heading has-text-bright-color has-text-color\">Secure your documents with MetaShare<\/h2>\n\n\n\n<p>Security incidents can happen to everyone. Having a good structure and easy to use tools will however significantly reduce the risks. 
With MetaShare your workspaces are automatically configured according to best practices, so that it is easy for your colleagues to collaborate in a secure way.<\/p>\n\n\n\n<div class=\"wp-block-buttons is-layout-flex wp-block-buttons-is-layout-flex\">\n<div class=\"wp-block-button\"><a class=\"wp-block-button__link wp-element-button\" href=\"https:\/\/metashare.com\/en\/pricing\/#try-free\">Try now<\/a><\/div>\n<\/div>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>Thousands of user and admin operations, performed in dozens of Microsoft 365 services and solutions, are captured, recorded, and retained in a unified audit log, available in Microsoft Purview. Using the audit log search tool, &#8230; <\/p>\n<p class=\"read-more-container\"><a title=\"Investigate incidents with Microsoft\u00a0365 Audit\u00a0Log\" class=\"read-more button\" href=\"https:\/\/ways.se\/en\/articles\/investigate-incidents-with-microsoft-365-audit-log\/\" aria-label=\"Read more about Investigate incidents with Microsoft\u00a0365 Audit\u00a0Log\">Read 
more<\/a><\/p>\n","protected":false},"author":6,"featured_media":43620,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[110],"tags":[],"class_list":["post-16149","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-articles","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-33","no-featured-image-padding"],"acf":[],"_links":{"self":[{"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/posts\/16149","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/comments?post=16149"}],"version-history":[{"count":29,"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/posts\/16149\/revisions"}],"predecessor-version":[{"id":43659,"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/posts\/16149\/revisions\/43659"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/media\/43620"}],"wp:attachment":[{"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/media?parent=16149"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/categories?post=16149"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ways.se\/en\/wp-json\/wp\/v2\/tags?post=16149"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}