Search for eDiscovery activities in the Office 365 audit log

Content Search and eDiscovery-related activities that are performed in Office 365 Security & Compliance Center or by running the corresponding Windows PowerShell cmdlets are logged in the Office 365 audit log. Events are logged when administrators or compliance administrators (or any user that's assigned eDiscovery permissions) perform the following Content Search and eDiscovery-related tasks in the Office 365 Security & Compliance Center:

  • Creating and managing eDiscovery cases

  • Creating, starting, and editing Content Searches

  • Performing Content Search actions, such as previewing, exporting, and deleting search results

  • Configuring permissions filtering for Content Search

  • Managing the eDiscovery Administrator role

Important: The activities described in this article are only the result of eDiscovery tasks performed by using the Security & Compliance Center. eDiscovery tasks that were performed by using the In-Place eDiscovery tool in Exchange Online or the eDiscovery Center in SharePoint Online aren't included.

For more information about searching the Office 365 audit log, the permissions that are required, and exporting search results, see Search the audit log in the Office 365 Security & Compliance Center.

How to search for and view eDiscovery activities

Currently, you have to do a few specific things to view eDiscovery activities in the Office 365 audit log. Here's how.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the left pane, click Search & investigation, and then click Audit log search.

  4. In the Activities drop-down list, under eDiscovery activities, click one or more activities to search for. Or you can click eDiscovery activities to search for all eDiscovery-related activities.

  5. Select a date and time range to display eDiscovery events that occurred within that period.

  6. In the Users box, select one or more users to display search results for. Leave this box blank to return entries for all users.

  7. Click Search to run the search using your search criteria.

  8. After the search results are displayed, click Filter results.

  9. In the Activity box, you can do a number of different things so that only eDiscovery-related activities are displayed in the results list. See the Operation column in the table in the eDiscovery activities section for the names of eDiscovery-related activities that you can filter on.

    • Because the activity name for an eDiscovery activity is a cmdlet name, type a - (dash). Then you can sort the cmdlet names in alphabetical order.

    • Type the partial or full name of the eDiscovery activity. For example, typing ComplianceSearch or -ComplianceSearch will display all Content Search and Content Search action activities; typing Case or -Case will display activities related to eDiscovery cases.

    Note: Unfortunately, you can't use filtering to explicitly exclude certain activities.

  10. To view details about an activity, click the activity record in the list of search results.

    A Details page is displayed that contains the detailed properties from the event record. To display additional details, click More information. For a description of these properties, see the Detailed properties for eDiscovery activities section.
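The same search run from PowerShell, as an added example that is not part of the original article. It assumes a session connected to Security & Compliance Center PowerShell (here via Connect-IPPSSession from the ExchangeOnlineManagement module), that Search-UnifiedAuditLog returns the detailed properties as JSON in an AuditData property, and that the Parameters property in that JSON is an array of Name/Value pairs. The operation names are the cmdlets listed in the eDiscovery activities section below.

```powershell
# Added example, not from the original article. Requires a connected Security &
# Compliance Center PowerShell session; run once per session:
# Connect-IPPSSession -UserPrincipalName admin@contoso.onmicrosoft.com

# Operations taken from the eDiscovery activities table in this article.
$eDiscoveryOperations = @(
    'New-CaseHoldPolicy','Remove-CaseHoldPolicy','Set-CaseHoldPolicy',
    'New-CaseHoldRule','Remove-CaseHoldRule','Set-CaseHoldRule',
    'New-ComplianceCase','Remove-ComplianceCase','Set-ComplianceCase',
    'Add-ComplianceCaseMember','Remove-ComplianceCaseMember','Update-ComplianceCaseMember',
    'New-ComplianceSearch','Remove-ComplianceSearch','Set-ComplianceSearch',
    'Start-ComplianceSearch','Stop-ComplianceSearch',
    'New-ComplianceSearchAction','Remove-ComplianceSearchAction',
    'New-ComplianceSecurityFilter','Remove-ComplianceSecurityFilter','Set-ComplianceSecurityFilter',
    'Add-eDiscoveryCaseAdmin','Remove-eDiscoveryCaseAdmin','Update-eDiscoveryCaseAdmin'
)

function Get-EDiscoveryAuditEvents {
    param(
        [datetime]$StartDate = (Get-Date).AddDays(-7),
        [datetime]$EndDate   = (Get-Date),
        [string[]]$UserIds,                        # leave empty to return all users
        [string[]]$Operations = $eDiscoveryOperations
    )
    # Search-UnifiedAuditLog returns at most 5000 rows per call, so page through
    # the result set with a session id until a call comes back empty.
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $search = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            Operations     = $Operations
            ResultSize     = 5000
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
        }
        if ($UserIds) { $search['UserIds'] = $UserIds }
        $page = Search-UnifiedAuditLog @search
        foreach ($rec in $page) {
            # AuditData carries the detailed properties as JSON (assumption about the layout).
            $d = $rec.AuditData | ConvertFrom-Json
            # Parameters is assumed to be an array of {Name, Value} objects; render it like a command line.
            $paramText = ($d.Parameters | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' '
            [pscustomobject]@{
                CreationTime = $d.CreationTime
                UserId       = $d.UserId
                ClientIP     = $d.ClientIP
                Operation    = $d.Operation
                ResultStatus = $d.ResultStatus
                ObjectId     = $d.ObjectId
                Parameters   = $paramText
            }
        }
    } while (@($page).Count -gt 0)
}

# Usage: all eDiscovery activity in the last 30 days, then only Content Search
# activity (the -ComplianceSearch filter from step 9) for a single user.
Get-EDiscoveryAuditEvents -StartDate (Get-Date).AddDays(-30) |
    Sort-Object CreationTime | Format-Table -AutoSize
Get-EDiscoveryAuditEvents -UserIds 'alice@contoso.com' `
    -Operations ($eDiscoveryOperations -like '*ComplianceSearch*') | Format-Table -AutoSize
```

Filtering on Operations server-side is the PowerShell counterpart of the Activities drop-down in step 4; like the GUI filter, it can only include operations, not exclude them, so narrow the list rather than trying to subtract from it.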


eDiscovery activities

The following table lists the activities that are logged when an administrator or user performs an eDiscovery-related activity by using the Security & Compliance Center or by running the corresponding cmdlet in remote PowerShell that's connected to your organization's Security & Compliance Center.

Tip: The cmdlets in the Operation column are linked to the corresponding cmdlet help topic on TechNet. Go to the cmdlet help topic for a description of the available parameters for each cmdlet. The parameters and parameter values that were used with a cmdlet are included in the audit log entry for each eDiscovery activity that's logged.

Each entry in the following list gives the friendly name shown in the audit log search results, the operation (the cmdlet name), and a description of the activity.

Created hold in eDiscovery case

New-CaseHoldPolicy

A hold was created for an eDiscovery case. A hold can be created with or without specifying a content source. If content sources are specified, they'll be identified in the audit log entry.

Deleted hold from eDiscovery case

Remove-CaseHoldPolicy

A hold that is associated with an eDiscovery case was deleted. Deleting a hold releases all of the content locations from the hold. Deleting the hold also results in deleting the case hold rules associated with the hold (see Remove-CaseHoldRule below).

Changed hold in eDiscovery case

Set-CaseHoldPolicy

A hold that is associated with an eDiscovery case was changed. Possible changes include adding or removing content locations or turning off (disabling) the hold.

Created search query for eDiscovery case hold

New-CaseHoldRule

A query-based hold associated with an eDiscovery case was created.

Deleted search query for eDiscovery case hold

Remove-CaseHoldRule

A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released.

Changed search query for eDiscovery case hold

Set-CaseHoldRule

A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold.

Created eDiscovery case

New-ComplianceCase

An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks such as adding members, creating holds, and creating content searches associated with the case result in additional events being logged.

Deleted eDiscovery case

Remove-ComplianceCase

An eDiscovery case was deleted. Note that any hold associated with the case has to be removed before the case can be deleted.

Changed eDiscovery case

Set-ComplianceCase

An eDiscovery case was changed. Changes include closing an open case or re-opening a closed case.

Added member to eDiscovery case

Add-ComplianceCaseMember

A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they have been assigned the necessary permissions.

Removed member from eDiscovery case

Remove-ComplianceCaseMember

A user was removed as a member of an eDiscovery case.

Changed eDiscovery case membership

Update-ComplianceCaseMember

The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, the Add-ComplianceCaseMember or Remove-ComplianceCaseMember operation is logged.

Created content search

New-ComplianceSearch

A new content search was created.

Deleted content search

Remove-ComplianceSearch

An existing content search was deleted.

Changed content search

Set-ComplianceSearch

An existing content search was changed. Changes can include adding or removing content locations that are searched and editing the search query.

Started content search

Start-ComplianceSearch

A content search was started. When you create or change a content search by using the Security & Compliance Center GUI, the search is automatically started. If you create or change a search by using the New-ComplianceSearch or Set-ComplianceSearch cmdlet, you have to run the Start-ComplianceSearch cmdlet to start the search.

Stopped content search

Stop-ComplianceSearch

A content search that was running was stopped.

Created content search action

New-ComplianceSearchAction

A content search action was created. Content search actions include previewing search results, exporting search results, preparing search results for analysis in Office 365 Advanced eDiscovery, and permanently deleting items that match the search criteria of a content search.

Deleted content search action

Remove-ComplianceSearchAction

A content search action was deleted.

Created search permissions filter

New-ComplianceSecurityFilter

A search permissions filter was created.

Deleted search permissions filter

Remove-ComplianceSecurityFilter

A search permissions filter was deleted.

Changed search permissions filter

Set-ComplianceSecurityFilter

A search permissions filter was changed.

Created eDiscovery administrator

Add-eDiscoveryCaseAdmin

A user was added as an eDiscovery Administrator in your organization.

Deleted eDiscovery administrator

Remove-eDiscoveryCaseAdmin

An eDiscovery Administrator was deleted from your organization.

Changed eDiscovery administrator membership

Update-eDiscoveryCaseAdmin

The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the Add-eDiscoveryCaseAdmin or Remove-eDiscoveryCaseAdmin operation is logged.
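Once the events are in hand, the question is which ones matter. The following triage logic is an added example (not from the original article or from Microsoft) that ranks the operations in the table above by what they can do to the tenant: purging or exporting search results, changing who is an eDiscovery Administrator, changing a search permissions filter, and releasing a hold. It runs offline over constructed sample records shaped like the detailed properties described later in this article; the Parameters array as Name/Value pairs and the parameter names Purge, PurgeType, Export, Name and SearchName are assumptions about the record layout, not facts stated on this page.

```powershell
# Added example, not from the original article. The records below are
# constructed for illustration and mimic the detail properties of an audit
# log entry; the Parameters layout and parameter names are assumptions.
$sampleRecords = @'
[
 {"CreationTime":"2017-03-01T10:02:11","UserId":"alice@contoso.com","ClientIP":"203.0.113.10","Operation":"New-ComplianceSearch","ResultStatus":"Success","Parameters":[{"Name":"Name","Value":"HR leak"},{"Name":"ExchangeLocation","Value":"All"}]},
 {"CreationTime":"2017-03-01T10:05:40","UserId":"alice@contoso.com","ClientIP":"203.0.113.10","Operation":"New-ComplianceSearchAction","ResultStatus":"Success","Parameters":[{"Name":"SearchName","Value":"HR leak"},{"Name":"Export","Value":"True"}]},
 {"CreationTime":"2017-03-01T10:09:03","UserId":"bob@contoso.com","ClientIP":"198.51.100.7","Operation":"New-ComplianceSearchAction","ResultStatus":"Success","Parameters":[{"Name":"SearchName","Value":"HR leak"},{"Name":"Purge","Value":"True"},{"Name":"PurgeType","Value":"HardDelete"}]},
 {"CreationTime":"2017-03-01T10:12:55","UserId":"bob@contoso.com","ClientIP":"198.51.100.7","Operation":"Remove-CaseHoldPolicy","ResultStatus":"Success","Parameters":[{"Name":"Identity","Value":"Litigation 2017 hold"}]},
 {"CreationTime":"2017-03-01T10:20:00","UserId":"bob@contoso.com","ClientIP":"198.51.100.7","Operation":"Add-eDiscoveryCaseAdmin","ResultStatus":"Success","Parameters":[{"Name":"User","Value":"mallory@contoso.com"}]},
 {"CreationTime":"2017-03-01T10:21:00","UserId":"carol@contoso.com","ClientIP":"203.0.113.44","Operation":"Set-ComplianceCase","ResultStatus":"Success","Parameters":[{"Name":"Identity","Value":"Litigation 2017"},{"Name":"Close","Value":"True"}]}
]
'@ | ConvertFrom-Json

function Get-EDiscoveryRiskTier {
    # Map an operation (plus the parameters it was run with) to a risk tier.
    param([Parameter(Mandatory)] $Record)
    $names = @($Record.Parameters | ForEach-Object { $_.Name })
    switch ($Record.Operation) {
        'New-ComplianceSearchAction' {
            # Purge permanently deletes the matched items; Export copies them out of the tenant.
            if ($names -contains 'Purge')  { return 'High: search results purged' }
            if ($names -contains 'Export') { return 'High: search results exported' }
            return 'Medium: search action (preview or analysis)'
        }
        { $_ -in 'Add-eDiscoveryCaseAdmin','Update-eDiscoveryCaseAdmin' } {
            return 'High: eDiscovery Administrator role changed' }
        { $_ -in 'New-ComplianceSecurityFilter','Set-ComplianceSecurityFilter','Remove-ComplianceSecurityFilter' } {
            return 'High: search permissions filter changed' }
        { $_ -in 'Remove-CaseHoldPolicy','Remove-CaseHoldRule' } {
            return 'Medium: hold released, preserved content can now be deleted' }
        { $_ -like 'Set-CaseHold*' } { return 'Medium: hold scope changed' }
        default { return 'Info' }
    }
}

# Triage every record and surface the high-risk ones first.
$triage = foreach ($r in $sampleRecords) {
    [pscustomobject]@{
        CreationTime = [datetime]$r.CreationTime
        UserId       = $r.UserId
        ClientIP     = $r.ClientIP
        Operation    = $r.Operation
        Risk         = Get-EDiscoveryRiskTier -Record $r
        Parameters   = ($r.Parameters | ForEach-Object { "-$($_.Name) $($_.Value)" }) -join ' '
    }
}
$triage | Where-Object Risk -like 'High*' | Sort-Object CreationTime | Format-Table -AutoSize

# A search and the action taken on it are separate log entries. Join them on
# the search name (-Name on New-ComplianceSearch, -SearchName on the action)
# to see when one account exports or purges a search that another account built.
function Get-SearchParam($Record, $Name) {
    ($Record.Parameters | Where-Object Name -eq $Name | Select-Object -First 1).Value
}
$searchOwner = @{}
foreach ($r in $sampleRecords | Where-Object Operation -eq 'New-ComplianceSearch') {
    $searchOwner[(Get-SearchParam $r 'Name')] = $r.UserId
}
foreach ($r in $sampleRecords | Where-Object Operation -eq 'New-ComplianceSearchAction') {
    $searchName = Get-SearchParam $r 'SearchName'
    $owner = $searchOwner[$searchName]
    if ($owner -and $owner -ne $r.UserId) {
        "{0} ran '{1}' on search '{2}' created by {3}" -f $r.UserId, (Get-EDiscoveryRiskTier $r), $searchName, $owner
    }
}
```

On the constructed records this flags Alice's export, Bob's hard-delete purge of a search he did not create, and the addition of a new eDiscovery Administrator, while the case closure stays at Info. The same tiers work unchanged on live records from the previous example, since both carry Operation and Parameters.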


Detailed properties for eDiscovery activities

The following table describes the properties that are included when you click More information on the Details page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results.

Tip: When you export the search results, the CSV file contains a column named Detail, which contains the detailed properties described in the following table in a multi-value property. You can use the Power Query feature in Excel to split this column into multiple columns so that each property will have its own column. This will let you sort and filter on one or more of these properties. For more information, see the "Export the search results to a file" section in Search the audit log in the Office 365 Security & Compliance Center.
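A PowerShell alternative to the Power Query step, added here as an example and not part of the original article: it splits the Detail column of an exported CSV into one column per property and promotes each cmdlet parameter to its own column. The CSV text is constructed to match the layout this article describes; the Detail column name and the Parameters array as Name/Value pairs are assumptions, which is why the column name is a parameter you can point at whatever the export actually contains.

```powershell
# Added example, not from the original article. The CSV below is constructed
# to look like an exported audit log search result; the Detail column name and
# the Parameters layout inside it are assumptions about the export format.
$exportedCsv = @'
CreationDate,UserIds,Operations,Detail
"2017-03-01T10:02:11","alice@contoso.com","New-ComplianceSearch","{""CreationTime"":""2017-03-01T10:02:11"",""UserId"":""alice@contoso.com"",""ClientIP"":""203.0.113.10"",""Operation"":""New-ComplianceSearch"",""ResultStatus"":""Success"",""RecordType"":18,""Workload"":""SecurityComplianceCenter"",""Parameters"":[{""Name"":""Name"",""Value"":""HR leak""},{""Name"":""ExchangeLocation"",""Value"":""All""}]}"
"2017-03-01T10:09:03","bob@contoso.com","New-ComplianceSearchAction","{""CreationTime"":""2017-03-01T10:09:03"",""UserId"":""bob@contoso.com"",""ClientIP"":""198.51.100.7"",""Operation"":""New-ComplianceSearchAction"",""ResultStatus"":""Success"",""RecordType"":18,""Workload"":""SecurityComplianceCenter"",""Parameters"":[{""Name"":""SearchName"",""Value"":""HR leak""},{""Name"":""Purge"",""Value"":""True""},{""Name"":""PurgeType"",""Value"":""HardDelete""}]}"
"2017-03-01T10:12:55","bob@contoso.com","Remove-CaseHoldPolicy","{""CreationTime"":""2017-03-01T10:12:55"",""UserId"":""bob@contoso.com"",""ClientIP"":""198.51.100.7"",""Operation"":""Remove-CaseHoldPolicy"",""ResultStatus"":""Success"",""RecordType"":18,""Workload"":""SecurityComplianceCenter"",""Parameters"":[{""Name"":""Identity"",""Value"":""Litigation 2017 hold""}]}"
'@

function Expand-AuditDetail {
    # Turn each exported row into a flat object with one property per detail
    # field and one Param_<Name> property per cmdlet parameter.
    param(
        [Parameter(Mandatory)][string]$Csv,     # CSV text as exported from Audit log search
        [string]$DetailColumn = 'Detail'        # set to the actual column name if it differs
    )
    foreach ($row in ($Csv | ConvertFrom-Csv)) {
        $detail = $row.$DetailColumn | ConvertFrom-Json
        $flat = [ordered]@{}
        foreach ($p in $detail.PSObject.Properties) {
            if ($p.Name -eq 'Parameters') {
                foreach ($kv in $p.Value) { $flat["Param_$($kv.Name)"] = $kv.Value }
            } else {
                $flat[$p.Name] = $p.Value
            }
        }
        [pscustomobject]$flat
    }
}

$flat = Expand-AuditDetail -Csv $exportedCsv

# Every property is now sortable and filterable, for example all hard-delete purges:
$flat | Where-Object { $_.Operation -eq 'New-ComplianceSearchAction' -and $_.Param_Purge -eq 'True' } |
    Format-Table CreationTime, UserId, ClientIP, Param_SearchName, Param_PurgeType -AutoSize

# Export-Csv takes its column set from the first object, so rows with
# parameters the first row lacks would lose them. Normalise to the union of
# all column names before writing.
$columns = $flat | ForEach-Object { $_.PSObject.Properties.Name } | Select-Object -Unique
$flat | Select-Object $columns | Export-Csv -Path .\ediscovery-audit-flat.csv -NoTypeInformation
```

Because different cmdlets log different parameters, the flattened rows do not all share the same columns; the union step at the end is what keeps the written CSV complete, and it is the equivalent of what Power Query does when you expand the record column and accept every field.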

Each entry in the following list gives the property name followed by its description.

ClientApplication

All eDiscovery activities have a value of EMC for this property. This indicates that the activity was performed by using the Security & Compliance Center GUI or running the cmdlet in PowerShell.

ClientIP

The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format.

ClientRequestId

For eDiscovery activities, this property is typically blank.

CmdletVersion

The build number for the version of the Security & Compliance Center running in your organization.

CreationTime

The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was completed.

EffectiveOrganization

The name of your Office 365 organization.

Id

The ID of the report entry. The ID uniquely identifies the audit log entry.

NonPIIParameters

A list of the parameters (without any values) that were used with the cmdlet identified in the Operation property. The parameters listed in this property are the same as those listed in the Parameters property.

ObjectId

The GUID of the object (for example, a Content Search or an eDiscovery case) that was created, changed, or deleted by the cmdlet listed in the Operation property.

Operation

The name of the eDiscovery activity. The value of this property is the name of the cmdlet that was run, either by performing the related task in the Security & Compliance Center or by running the corresponding PowerShell cmdlet.

OrganizationId

The GUID for your Office 365 organization.

Parameters

The name and value for all parameters that were used with the cmdlet that is identified in the Operation property.

RecordType

The type of operation indicated by the record. The value of 18 indicates a Security & Compliance Center event. All eDiscovery activities will have a value of 18 for this property.

ResultStatus

Indicates whether the action (specified in the Operation property) was successful or not.

SecurityComplianceCenterEventType

Indicates that the activity was a Security & Compliance Center event. All eDiscovery activities will have a value of 0 for this property.

StartTime

The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was started.

UserId

The user who performed the activity (specified in the Operation property) that resulted in the record being logged. Note that records for eDiscovery activity performed by system accounts (such as NT AUTHORITY\SYSTEM) are also included in the audit log.

UserKey

An alternative ID for the user identified in the UserId property. For eDiscovery activities, the value for this property is typically the same as the UserId property.

UserServicePlan

The Office 365 subscription used by your organization. For eDiscovery activities, this property is typically blank.

UserType

The type of user that performed the operation. The following values indicate the user type.

0      A regular user.

2      An administrator in your Office 365 organization.

3      A Microsoft datacenter administrator or datacenter system account.

4      A system account.

5      An application.

6      A service principal.

Version

Indicates the version number of the activity (identified by the Operation property) that's logged.

Workload

The Office 365 service where the activity occurred. For eDiscovery activities, the value is SecurityComplianceCenter.

