Search for eDiscovery activities in the Office 365 audit log

Content Search and eDiscovery-related activities that are performed in Office 365 Security & Compliance Center or by running the corresponding Windows PowerShell cmdlets are logged in the Office 365 audit log. Events are logged when administrators or compliance administrators (or any user that's assigned eDiscovery permissions) perform the following Content Search and eDiscovery-related tasks in the Office 365 Security & Compliance Center:

  • Creating and managing eDiscovery cases

  • Creating, starting, and editing Content Searches

  • Performing Content Search actions, such as previewing, exporting, and deleting search results

  • Configuring permissions filtering for Content Search

  • Managing the eDiscovery Administrator role

Important: The activities described in this article are only the result of eDiscovery tasks performed by using the Security & Compliance Center. eDiscovery tasks that were performed by using the In-Place eDiscovery tool in Exchange Online or the eDiscovery Center in SharePoint Online aren't included.

For more information about searching the Office 365 audit log, the permissions that are required, and exporting search results, see Search the audit log in the Office 365 Security & Compliance Center.

How to search for and view eDiscovery activities

Currently, you have to do a few specific things to view eDiscovery activities in the Office 365 audit log. Here's how.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the left pane, click Search & investigation, and then click Audit log search.

  4. In the Activities drop-down list, under eDiscovery activities, click one or more activities to search for. Or you can click eDiscovery activities to search for all eDiscovery-related activities.

    Note: The Activities drop-down list also includes a group of activities named eDiscovery cmdlet activities that will return records from the cmdlet audit log. Note that these eDiscovery cmdlet activities will be deprecated in the near future.

  5. Select a date and time range to display eDiscovery events that occurred within that period.

  6. In the Users box, select one or more users to display search results for. Leave this box blank to return entries for all users.

  7. Click Search to run the search using your search criteria.

  8. After the search results are displayed, you can click Filter results to filter or sort the resulting activity records. Unfortunately, you can't use filtering to explicitly exclude certain activities.

  9. To view details about an activity, click the activity record in the list of search results.

    A Details flyout page is displayed that contains the detailed properties from the event record. To display additional details, click More information. For a description of these properties, see the Detailed properties for eDiscovery activities section.
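The nine steps above, run from PowerShell instead of the Security & Compliance Center. This is an added example, not code from the Microsoft article. It assumes an open Exchange Online PowerShell session (for example from Connect-ExchangeOnline in the ExchangeOnlineManagement module) and uses Search-UnifiedAuditLog, the cmdlet behind the Audit log search page. The RecordType name Discovery is assumed to correspond to the value 24 the article gives for eDiscovery activities (and SecurityComplianceCenterEOPCmdlet to the value 18 for eDiscovery cmdlet activities).

```powershell
# Added example (not from the article): the "Audit log search" steps, scripted.
# Assumes an Exchange Online PowerShell session is already open.
# RecordType 'Discovery' is assumed to be the enum name for the value 24 the article
# gives for eDiscovery activities ('SecurityComplianceCenterEOPCmdlet' for 18).

function Get-EDiscoveryAuditActivity {
    [CmdletBinding()]
    param(
        # Step 5: date and time range
        [datetime] $StartDate = (Get-Date).AddDays(-7),
        [datetime] $EndDate   = (Get-Date),
        # Step 4: operation names from the "eDiscovery activities" table;
        # empty means the whole "eDiscovery activities" group
        [string[]] $Operations = @(),
        # Step 6: the Users box; empty returns entries for all users
        [string[]] $UserIds = @()
    )

    # A session id lets the cmdlet page through result sets larger than 5000
    $sessionId = "eDiscovery-$([guid]::NewGuid())"
    $records   = @()
    do {
        $params = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            RecordType     = 'Discovery'
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
            ResultSize     = 5000
        }
        if ($Operations.Count) { $params['Operations'] = $Operations }
        if ($UserIds.Count)    { $params['UserIds']    = $UserIds }

        $page = Search-UnifiedAuditLog @params
        if ($page) { $records += $page }
    } while ($page)

    # Step 9: AuditData is a JSON string holding the "Detailed properties"
    # (Operation, ObjectId, ClientIP, ...) shown on the Details flyout
    foreach ($r in $records) {
        $d = $r.AuditData | ConvertFrom-Json
        [pscustomobject]@{
            CreationTime = $d.CreationTime
            UserId       = $d.UserId
            Operation    = $d.Operation
            ObjectId     = $d.ObjectId
            ClientIP     = $d.ClientIP
            ResultStatus = $d.ResultStatus
            RecordType   = $d.RecordType
        }
    }
}

# Usage: purges, export downloads and permissions-filter changes in the last 7 days
Get-EDiscoveryAuditActivity -Operations 'SearchResultsPurged', 'SearchResultDownloaded', 'SearchPermissionUpdated' |
    Sort-Object CreationTime |
    Format-Table CreationTime, UserId, Operation, ObjectId, ClientIP -AutoSize
```

Leaving -Operations empty is the equivalent of clicking the whole eDiscovery activities group in step 4. To pull the eDiscovery cmdlet activities from the next section instead, change RecordType to SecurityComplianceCenterEOPCmdlet and expect the up-to-24-hour delay the article notes for those records.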


eDiscovery activities

The following table describes the Content Search and eDiscovery-related activities that are logged when an administrator or user performs an eDiscovery-related activity by using the Security & Compliance Center or by running the corresponding cmdlet in remote PowerShell that's connected to your organization's Security & Compliance Center.

Note: The eDiscovery activities described in this section provide similar information to the eDiscovery cmdlet activities described in the next section. We recommend that you use the eDiscovery activities described in this section because they will appear in the audit log search results within 30 minutes. It might take up to 24 hours for the eDiscovery cmdlet activities to appear in the audit log search results.

Friendly name | Operation | Corresponding cmdlet | Description
Added member to eDiscovery case | CaseMemberAdded | Add-ComplianceCaseMember | A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they have been assigned the necessary permissions.
Changed content search | SearchUpdated | Set-ComplianceSearch | An existing content search was changed. Changes can include adding or removing content locations or editing the search query.
Changed eDiscovery administrator membership | CaseAdminUpdated | Update-eDiscoveryCaseAdmin | The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the CaseAdminAdded operation is logged.
Changed eDiscovery case | CaseUpdated | Set-ComplianceCase | An eDiscovery case was changed. Changes include closing an open case or re-opening a closed case.
Changed eDiscovery case membership | CaseMemberUpdated | Update-ComplianceCaseMember | The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, the CaseMemberAdded or CaseMemberRemoved operation is logged.
Changed search permissions filter | SearchPermissionUpdated | Set-ComplianceSecurityFilter | A search permissions filter was changed.
Changed search query for eDiscovery case hold | HoldUpdated | Set-CaseHoldRule | A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold.
Content search preview item downloaded | PreviewItemDownloaded | N/A | A user downloaded an item to their local computer (by clicking the Download original item link) when previewing search results.
Content search preview item listed | PreviewItemListed | N/A | A user clicked Preview search results to display the preview search results page, which lists up to 1000 items from the results of a Content Search.
Content search preview item viewed | PreviewItemRendered | N/A | An eDiscovery manager viewed an item by clicking it when previewing search results.
Created content search | SearchCreated | New-ComplianceSearch | A new content search was created.
Created eDiscovery administrator | CaseAdminAdded | Add-eDiscoveryCaseAdmin | A user was added as an eDiscovery Administrator in the organization.
Created eDiscovery case | CaseAdded | New-ComplianceCase | An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks such as adding members, creating holds, and creating content searches associated with the case result in additional events being logged.
Created search permissions filter | SearchPermissionCreated | New-ComplianceSecurityFilter | A search permissions filter was created.
Created search query for eDiscovery case hold | HoldCreated | New-CaseHoldRule | A query-based hold associated with an eDiscovery case was created.
Deleted content search | SearchRemoved | Remove-ComplianceSearch | An existing content search was deleted.
Deleted eDiscovery administrator | CaseAdminRemoved | Remove-eDiscoveryCaseAdmin | An eDiscovery Administrator was deleted from your organization.
Deleted eDiscovery case | CaseRemoved | Remove-ComplianceCase | An eDiscovery case was deleted. Note that any hold associated with the case has to be removed before the case can be deleted.
Deleted search permissions filter | SearchPermissionRemoved | Remove-ComplianceSecurityFilter | A search permissions filter was deleted.
Deleted search query for eDiscovery case hold | HoldRemoved | Remove-CaseHoldRule | A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released.
Downloaded export of content search | SearchResultDownloaded | N/A | A user downloaded the results of a content search to their local computer. Note that a Started export of content search activity has to be initiated before search results can be downloaded.
Previewed results of content search | SearchPreviewed | N/A | A user previewed the results of a content search.
Purged results of content search | SearchResultsPurged | New-ComplianceSearchAction | A user purged the results of a Content Search by running the New-ComplianceSearchAction -Purge command.
Removed analysis of content search | RemovedSearchResultsSentToZoom | Remove-ComplianceSearchAction | A content search prepare action (to prepare search results for Office 365 Advanced eDiscovery) was deleted. If the preparation action was less than two weeks old, the search results that were prepared for Advanced eDiscovery were deleted from the Microsoft Azure storage area. If the preparation action was older than two weeks, this event indicates that only the corresponding preparation action was deleted.
Removed export of content search | RemovedSearchExported | Remove-ComplianceSearchAction | A content search export action was deleted. If the export action was less than two weeks old, the search results that were uploaded to the Microsoft Azure storage area were deleted. If the export action was older than two weeks, this event indicates that only the corresponding export action was deleted.
Removed member from eDiscovery case | CaseMemberRemoved | Remove-ComplianceCaseMember | A user was removed as a member of an eDiscovery case.
Removed preview results of content search | RemovedSearchPreviewed | Remove-ComplianceSearchAction | A content search preview action was deleted.
Removed purge action performed on content search | RemovedSearchResultsPurged | Remove-ComplianceSearchAction | A content search purge action was deleted.
Removed search report | SearchReportRemoved | Remove-ComplianceSearchAction | A content search export report action was deleted.
Started analysis of content search | SearchResultsSentToZoom | New-ComplianceSearchAction | The results of a content search were prepared for analysis in Advanced eDiscovery.
Started content search | SearchStarted | Start-ComplianceSearch | A content search was started. When you create or change a content search by using the Security & Compliance Center GUI, the search is automatically started. If you create or change a search by using the New-ComplianceSearch or Set-ComplianceSearch cmdlet, you have to run the Start-ComplianceSearch cmdlet to start the search.
Started export of content search | SearchExported | New-ComplianceSearchAction | A user exported the results of a content search.
Started export report | SearchReport | New-ComplianceSearchAction | A user exported a content search report.
Stopped content search | SearchStopped | Stop-ComplianceSearch | A user stopped a content search.


eDiscovery cmdlet activities

The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the Security & Compliance Center or by running the corresponding cmdlet in remote PowerShell that's connected to your organization's Security & Compliance Center. Note that the detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.

Tip: The cmdlets in the Operation column are linked to the corresponding cmdlet help topic on TechNet. Go to the cmdlet help topic for a description of the available parameters for each cmdlet. The parameter and the parameter value that were used with a cmdlet are included in the audit log entry for each eDiscovery cmdlet activity that's logged.

Friendly name | Operation (cmdlet) | Description
Created hold in eDiscovery case | New-CaseHoldPolicy | A hold was created for an eDiscovery case. A hold can be created with or without specifying a content source. If content sources are specified, they'll be identified in the audit log entry.
Deleted hold from eDiscovery case | Remove-CaseHoldPolicy | A hold that is associated with an eDiscovery case was deleted. Deleting a hold releases all of the content locations from the hold. Deleting the hold also results in deleting the case hold rules associated with the hold (see Remove-CaseHoldRule below).
Changed hold in eDiscovery case | Set-CaseHoldPolicy | A hold that is associated with an eDiscovery case was changed. Possible changes include adding or removing content locations or turning off (disabling) the hold.
Created search query for eDiscovery case hold | New-CaseHoldRule | A query-based hold associated with an eDiscovery case was created.
Deleted search query for eDiscovery case hold | Remove-CaseHoldRule | A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released.
Changed search query for eDiscovery case hold | Set-CaseHoldRule | A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold.
Created eDiscovery case | New-ComplianceCase | An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks such as adding members, creating holds, and creating content searches associated with the case result in additional events being logged.
Deleted eDiscovery case | Remove-ComplianceCase | An eDiscovery case was deleted. Note that any hold associated with the case has to be removed before the case can be deleted.
Changed eDiscovery case | Set-ComplianceCase | An eDiscovery case was changed. Changes include closing an open case or re-opening a closed case.
Added member to eDiscovery case | Add-ComplianceCaseMember | A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they have been assigned the necessary permissions.
Removed member from eDiscovery case | Remove-ComplianceCaseMember | A user was removed as a member of an eDiscovery case.
Changed eDiscovery case membership | Update-ComplianceCaseMember | The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, the Add-ComplianceCaseMember or Remove-ComplianceCaseMember operation is logged.
Created content search | New-ComplianceSearch | A new content search was created.
Deleted content search | Remove-ComplianceSearch | An existing content search was deleted.
Changed content search | Set-ComplianceSearch | An existing content search was changed. Changes can include adding or removing content locations that are searched and editing the search query.
Started content search | Start-ComplianceSearch | A content search was started. When you create or change a content search by using the Security & Compliance Center GUI, the search is automatically started. If you create or change a search by using the New-ComplianceSearch or Set-ComplianceSearch cmdlet, you have to run the Start-ComplianceSearch cmdlet to start the search.
Stopped content search | Stop-ComplianceSearch | A content search that was running was stopped.
Created content search action | New-ComplianceSearchAction | A content search action was created. Content search actions include previewing search results, exporting search results, preparing search results for analysis in Office 365 Advanced eDiscovery, and permanently deleting items that match the search criteria of a content search.
Deleted content search action | Remove-ComplianceSearchAction | A content search action was deleted.
Created search permissions filter | New-ComplianceSecurityFilter | A search permissions filter was created.
Deleted search permissions filter | Remove-ComplianceSecurityFilter | A search permissions filter was deleted.
Changed search permissions filter | Set-ComplianceSecurityFilter | A search permissions filter was changed.
Created eDiscovery administrator | Add-eDiscoveryCaseAdmin | A user was added as an eDiscovery Administrator in your organization.
Deleted eDiscovery administrator | Remove-eDiscoveryCaseAdmin | An eDiscovery Administrator was deleted from your organization.
Changed eDiscovery administrator membership | Update-eDiscoveryCaseAdmin | The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the Add-eDiscoveryCaseAdmin or Remove-eDiscoveryCaseAdmin operation is logged.


Detailed properties for eDiscovery activities

The following table describes the properties that are included when you click More information on the Details page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results. Note that an audit log record for an eDiscovery activity won't include every detailed property listed below.

Tip: When you export the search results, the CSV file contains a column named Detail, which contains the detailed properties described in the following table in a multi-value property. You can use the Power Query feature in Excel to split this column into multiple columns so that each property will have its own column. This will let you sort and filter on one or more of these properties. For more information, see the "Export the search results to a file" section in Search the audit log in the Office 365 Security & Compliance Center.

Property | Description
Case | The identity (GUID) of the eDiscovery case that was created, changed, or deleted.
ClientApplication | eDiscovery cmdlet activities have a value of EMC for this property. This indicates the activity was performed by using the Security & Compliance Center GUI or by running the cmdlet in PowerShell.
ClientIP | The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.
ClientRequestId | For eDiscovery activities, this property is typically blank.
CmdletVersion | The build number for the version of the Security & Compliance Center running in your organization.
CreationTime | The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was completed.
EffectiveOrganization | The name of your Office 365 organization.
ExchangeLocations | The Exchange Online mailboxes that are included in a content search or placed on hold in an eDiscovery case.
Exclusions | Mailbox or site locations that are excluded from a content search or a hold in an eDiscovery case.
ExtendedProperties | Additional properties from a content search, a content search action, or a hold in an eDiscovery case, such as the object GUID and the corresponding cmdlet and cmdlet parameters that were used when the activity was performed.
Id | The ID of the report entry. The ID uniquely identifies the audit log entry.
NonPIIParameters | A list of the parameters (without any values) that were used with the cmdlet identified in the Operation property. The parameters listed in this property are the same as those listed in the Parameters property.
ObjectId | The GUID or name of the object (for example, a Content Search or an eDiscovery case) that was created, changed, or deleted by the activity listed in the Operation property. This object is also identified in the Item column in the audit log search results.
ObjectType | The type of eDiscovery object that the user created, deleted, or modified; for example, a content search action (preview, export, or purge), an eDiscovery case, or a content search.
Operation | The name of the operation that corresponds to the eDiscovery activity that was performed.
OrganizationId | The GUID for your Office 365 organization.
Parameters | The name and value for the parameters that were used with the corresponding cmdlet.
PublicFolderLocations | The public folder locations in Exchange Online that are included in a content search or placed on hold in an eDiscovery case.
Query | The search query associated with the activity, such as a content search or a query-based hold.
RecordType | The type of operation indicated by the record. The value 18 indicates an event related to an activity listed in the eDiscovery cmdlet activities section. The value 24 indicates an event related to an activity listed in the eDiscovery activities section.
ResultStatus | Indicates whether the action (specified in the Operation property) was successful or not.
SecurityComplianceCenterEventType | Indicates that the activity was a Security & Compliance Center event. All eDiscovery activities will have a value of 0 for this property.
SharepointLocations | The SharePoint Online sites that are included in a content search or placed on hold in an eDiscovery case.
StartTime | The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was started.
UserId | The user who performed the activity (specified in the Operation property) that resulted in the record being logged. Note that records for eDiscovery activity performed by system accounts (such as NT AUTHORITY\SYSTEM) are also included in the audit log.
UserKey | An alternative ID for the user identified in the UserId property. For eDiscovery activities, the value for this property is typically the same as the UserId property.
UserServicePlan | The Office 365 subscription used by your organization. For eDiscovery activities, this property is typically blank.
UserType | The type of user that performed the operation: 0 = a regular user; 2 = an administrator in your Office 365 organization; 3 = a Microsoft datacenter administrator or datacenter system account; 4 = a system account; 5 = an application; 6 = a service principal.
Version | Indicates the version number of the activity (identified by the Operation property) that's logged.
Workload | The Office 365 service where the activity occurred. For eDiscovery activities, the value is SecurityComplianceCenter.
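A triage pass over eDiscovery audit records, added here as an example and not code from the Microsoft article. It puts together the operation names from the two activity tables with the RecordType, UserType, ObjectId and Parameters properties from the table above, flagging the operations a defender would most want to review: those that export or destroy search results, widen who can search, or release held content. The records are constructed sample data in the AuditData JSON shape that Search-UnifiedAuditLog returns; that shape, the Name/Value form of the Parameters array, and the choice of which operations count as high risk are assumptions.

```powershell
# Added example (not from the article): offline triage of eDiscovery audit records.
# Operation names and property names come from the article's tables; the record
# shape (AuditData JSON as returned by Search-UnifiedAuditLog) and the risk
# classification are assumptions made for this example.

# Operations worth a second look, grouped by why they matter
$highRisk = @{
    # data leaves the tenant or is destroyed
    'SearchResultsPurged'     = 'Search results purged (New-ComplianceSearchAction -Purge)'
    'SearchResultDownloaded'  = 'Export downloaded to a local computer'
    'PreviewItemDownloaded'   = 'Original item downloaded during preview'
    # the set of people who can search, or what they can see, changes
    'CaseAdminAdded'          = 'New eDiscovery Administrator'
    'CaseAdminUpdated'        = 'eDiscovery Administrator list replaced'
    'SearchPermissionCreated' = 'Search permissions filter created'
    'SearchPermissionUpdated' = 'Search permissions filter changed'
    'SearchPermissionRemoved' = 'Search permissions filter deleted'
    # preserved content is released
    'HoldRemoved'             = 'Hold query deleted; held locations released'
    'CaseRemoved'             = 'eDiscovery case deleted'
}

# UserType values from the "Detailed properties" table
$userTypeName = @{ 0 = 'Regular user'; 2 = 'Administrator'; 3 = 'Datacenter admin/system'
                   4 = 'System account'; 5 = 'Application'; 6 = 'Service principal' }

# Constructed sample records (not real tenant data); single-quoted here-string, so
# the backslash in NT AUTHORITY\\SYSTEM reaches the JSON parser as written
$sampleAuditData = @'
[
 {"CreationTime":"2017-06-01T10:12:03","Id":"00000000-0000-0000-0000-000000000001","Operation":"SearchCreated","RecordType":24,"ResultStatus":"Success","UserId":"alice@contoso.example","UserType":2,"ClientIP":"203.0.113.10","ObjectId":"HR-investigation-search","Workload":"SecurityComplianceCenter","ObjectType":"Search"},
 {"CreationTime":"2017-06-01T10:40:55","Id":"00000000-0000-0000-0000-000000000002","Operation":"SearchResultsPurged","RecordType":24,"ResultStatus":"Success","UserId":"alice@contoso.example","UserType":2,"ClientIP":"203.0.113.10","ObjectId":"HR-investigation-search","Workload":"SecurityComplianceCenter","ObjectType":"SearchAction","Parameters":[{"Name":"SearchName","Value":"HR-investigation-search"},{"Name":"Purge","Value":"True"}]},
 {"CreationTime":"2017-06-01T23:05:17","Id":"00000000-0000-0000-0000-000000000003","Operation":"CaseAdminAdded","RecordType":24,"ResultStatus":"Success","UserId":"bob@contoso.example","UserType":2,"ClientIP":"198.51.100.7","ObjectId":"carol@contoso.example","Workload":"SecurityComplianceCenter"},
 {"CreationTime":"2017-06-02T08:00:00","Id":"00000000-0000-0000-0000-000000000004","Operation":"SearchStarted","RecordType":24,"ResultStatus":"Success","UserId":"NT AUTHORITY\\SYSTEM","UserType":4,"ClientIP":"","ObjectId":"HR-investigation-search","Workload":"SecurityComplianceCenter"}
]
'@

function Get-EDiscoveryAlert {
    param([Parameter(Mandatory)] [string] $AuditDataJson)

    foreach ($d in ($AuditDataJson | ConvertFrom-Json)) {
        if (-not $highRisk.ContainsKey($d.Operation)) { continue }

        # RecordType 24 = eDiscovery activity, 18 = eDiscovery cmdlet activity (per the article)
        $source = if ($d.RecordType -eq 18) { 'eDiscovery cmdlet activity' } else { 'eDiscovery activity' }
        # Parameters (cmdlet name/value pairs) are only present on some records
        $paramText = ($d.Parameters | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' '

        [pscustomobject]@{
            CreationTime = $d.CreationTime
            Operation    = $d.Operation
            Why          = $highRisk[$d.Operation]
            UserId       = $d.UserId
            UserType     = $userTypeName[[int]$d.UserType]
            ObjectId     = $d.ObjectId
            ClientIP     = $d.ClientIP
            ResultStatus = $d.ResultStatus
            Source       = $source
            Parameters   = $paramText
        }
    }
}

# Usage: two of the four sample records are flagged (the purge and the new administrator)
Get-EDiscoveryAlert -AuditDataJson $sampleAuditData | Format-List
```

On live data, feed the function the AuditData strings returned by Search-UnifiedAuditLog (joined into a JSON array) or the exported CSV after the Detail column has been split out as the tip above describes. A failed attempt is as interesting as a successful one, so the ResultStatus column is kept in the output rather than filtered on.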
