Searching the audit log in O365

  1. In the Security & Compliance Center, click Search & investigation > Audit log search.
  2. Configure the following search criteria:
    • Activities. Click the drop-down list to display the activities that you can search for. User and admin activities are organized into groups of related activities. You can select specific activities, or you can click the activity group name to select all activities in the group. You can also click a selected activity to clear the selection. After you run the search, only the audit log entries for the selected activities are displayed. Selecting Show results for all activities will display results for all activities performed by the selected user or group of users. Over 100 user and admin activities are logged in the Office 365 audit log. Click the Audited activities tab in this topic to see a list of descriptions of each activity for the different Office 365 services.
    • Start date and End date. The last seven days are selected by default. Select a date and time range to display the events that occurred within that period. The date and time are presented in Coordinated Universal Time (UTC) format. The maximum date range that you can specify is 90 days. An error is displayed if the selected date range is greater than 90 days.
    • Users. Click in this box and then select one or more users to display search results for. The audit log entries for the selected activity performed by the users you select in this box are displayed in the list of results. Leave this box blank to return entries for all users (and service accounts) in your organization.
    • File, folder, or site. Type some or all of a file or folder name to search for activity related to the file or folder that contains the specified keyword. You can also specify a URL or part of a URL to display entries for activity on any object in the specified URL path. Note that special characters, such as forward slash (/), back slash (\), dash (-), and underscore (_), aren't supported in the search query. Be sure to replace special characters with a space. For example, to search for activity in a OneDrive for Business site, such as https://contoso-mysharepoint.com/personal/cloud_contoso_onmicrosoft_com, you could type the following in this search field: personal cloud contoso. (Note: Leave this box blank to return entries for all files, folders, and URLs in your organization.)
  3. Click Search to run the search using your search criteria.

The search results are loaded, and after a few moments they are displayed under Results. When the search is finished, the number of results found is displayed. Note that a maximum of 1000 events will be displayed; if more than 1000 events meet the search criteria, the newest 1000 events are displayed.

Tips for searching the audit log

Additional considerations when searching the audit log include:

  • If you’re using the maximum date range of 90 days, select the current time for the Start date. Otherwise, you’ll receive an error saying that the start date is earlier than the end date. If you’ve turned on auditing within the last 90 days, the maximum date range can’t start before the date that auditing was turned on.

  • You can select specific activities to search for by clicking on the activity name. Or you can search for all activities in a group (such as File and folder activities) by clicking on the group name. If an activity is selected, you can click it to cancel the selection. You can also use the search box to display the activities that contain the keyword that you type.

  • You must select Show results for all activities in the Activities list to display entries from the Exchange admin audit log. Events from this audit log display a cmdlet name (for example, Set-Mailbox) in the Activity column in the results.

  • Click Clear to clear the current search criteria. The date range returns to the default of the last seven days. You can also click Clear all to show results for all activities to cancel all selected activities.

  • If 1000 results are found, you can assume that more than 1000 events met the search criteria. You can either refine the search criteria and rerun the search to return fewer results, or you can export all the search results by selecting Export results > Download all results.
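The UI procedure above, together with the tips about the 90-day window, the 1000-result cap and "Download all results", maps onto the Exchange Online PowerShell cmdlet Search-UnifiedAuditLog. The script below is an added example and is not code from the original post or from Microsoft; it assumes Connect-ExchangeOnline (ExchangeOnlineManagement module) has already been run by an account with an audit-log reader role, and the user address, activity names, keyword and output file name are constructed placeholders.

```powershell
# Added example (not from the original post): PowerShell equivalent of the
# Security & Compliance Center audit log search, including paging past the
# UI's 1000-row limit and flattening the AuditData JSON for triage.
# Assumes Connect-ExchangeOnline has already been run.

# --- Search criteria, mirroring the UI boxes ------------------------------
# Dates are UTC. Anchoring the window on "now" is the PowerShell equivalent of
# the tip to select the current time for the Start date when using 90 days.
$EndDate   = (Get-Date).ToUniversalTime()
$StartDate = $EndDate.AddDays(-90)
if (($EndDate - $StartDate).TotalDays -gt 90) { throw 'Date range exceeds the 90-day maximum.' }

# Leaving a variable empty behaves like leaving the UI box blank (all users / all activities).
$Users      = @('alice@contoso.onmicrosoft.com')   # constructed sample user
$Operations = @('FileDownloaded', 'Set-Mailbox')  # a file activity plus an Exchange admin cmdlet
$FreeText   = 'cloud_contoso'                      # substring match on the raw record (site path here)

$Criteria = @{
    StartDate      = $StartDate
    EndDate        = $EndDate
    ResultSize     = 5000                          # cmdlet maximum per page (the UI shows 1000)
    SessionId      = [guid]::NewGuid().ToString()  # ties the paged calls together
    SessionCommand = 'ReturnLargeSet'              # keep returning pages until the set is exhausted
}
if ($Users)      { $Criteria.UserIds    = $Users }
if ($Operations) { $Criteria.Operations = $Operations }
if ($FreeText)   { $Criteria.FreeText   = $FreeText }

# --- Run the search, paging until no more rows come back -------------------
$Results = New-Object System.Collections.Generic.List[object]
do {
    $Page = @(Search-UnifiedAuditLog @Criteria)
    foreach ($r in $Page) { $Results.Add($r) }
} while ($Page.Count -gt 0)

# Pages from ReturnLargeSet are unsorted and may overlap; Identity is the record id.
$Results = @($Results | Sort-Object Identity -Unique)
Write-Host ("Retrieved {0} audit records" -f $Results.Count)

# --- Flatten the AuditData JSON payload into columns ----------------------
$Parsed = foreach ($r in $Results) {
    $d = $r.AuditData | ConvertFrom-Json
    [pscustomobject]@{
        Time       = $r.CreationDate
        User       = $r.UserIds
        Activity   = $r.Operations        # e.g. FileDownloaded or the cmdlet name Set-Mailbox
        RecordType = $r.RecordType        # e.g. SharePointFileOperation, ExchangeAdmin
        Workload   = $d.Workload
        ClientIP   = $d.ClientIP
        Object     = $d.ObjectId          # file URL, mailbox, or cmdlet target
        Status     = $d.ResultStatus
    }
}

# Equivalent of "Export results > Download all results" in the UI.
$Parsed | Sort-Object Time | Export-Csv -Path .\o365-audit-export.csv -NoTypeInformation

# First triage views: activity counts, then every Exchange admin change with its source IP.
$Parsed | Group-Object Activity | Sort-Object Count -Descending | Format-Table Name, Count
$Parsed | Where-Object Activity -eq 'Set-Mailbox' | Format-Table Time, User, Object, ClientIP
```

Splatting the criteria lets a blank variable drop the parameter entirely, which is what makes the script behave like an empty UI box rather than searching for an empty string. The paging loop is the part that matters for investigations: the UI silently truncates to the newest 1000 events, whereas a session-based search returns the whole set (subject to the cmdlet's own per-session ceiling), so a quiet earlier event is not lost behind noisier recent ones.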
