|
3 |
Click New to enable the Search Properties tabs across the bottom of the Searches page. |
|
5 |
|
NOTE: You can use Add with Events | Subsystem | Microsoft 365 (instead of Add | Subsystem | Microsoft 365) to search for events associated with an online mailbox or administrative action that already has an event associated with it. |
|
6 |
Choose the Selected Events option to configure the search. |
|
7 |
Select the Mailbox Event option. |
Repeat this process to add any additional mailboxes to the search query. | |||||||||
Repeat this process to add any additional folders to the search query. | |||||||||
Repeat this process to add any additional users to the search query. | |||||||||
Repeat this process to add any additional mailboxes to the search query. | |||||||||
|
To search for activities performed on specific mailboxes based on their mailbox display name |
Repeat this process to add any additional mailboxes to the search query. | ||||||||
|
To search for activities performed on specific mailboxes based on their synchronization status |
|
|
1 |
|
2 |
On the Microsoft 365 Exchange Online dialog, choose the Selected Events option to configure the search. |
|
a |
Select the Administration Cmdlet Event option. |
|
• |
Click Cmdlet Name and select the comparison operator to use: Contains or Does not contain. Enter the ‘command’ to use to search for a match. For example, to search for any ‘add’ users, enter add. |
|
• |
Click Cmdlet Parameters select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a parameter to use to search for a match. |
|
• |
Click Parameter Values select the comparison operator to use (Contains or Does not contain), and enter the value to use to search for a match. |
|
• |
Click Cmdlet Object, select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a mailbox to use to search for a match. |
|
2 |
|
3 |
Click New to enable the Search Properties tabs across the bottom of the Searches page. |
|
5 |
|
6 |
Choose the Selected Events option to configure the search. |
|
7 |
Select SharePoint/OneDrive Events. |
|
• |
Select the Operation filter to specify the operation to include in the search. Select a comparison operator (Like or Not like) and enter an operation name (character string and the * wildcard character). For example: Like *delete* will search for events where Operation contains ‘delete’. For a list of all available operations, see the Microsoft support article “Search the audit log in the Microsoft 365 Security & Compliance Center”. |
|
• |
Select Site URL filter to specify the full or partial URL to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character). |
|
• |
Select the Target filter to specify the full or partial name of the operation target (for example, the folder, file, user, or group) to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character). This search field corresponds to the contents of the Object Name column in the results grid. |
|
9 |
Click Add to add the expression to the selection list. |
|
This field matches Operation property in the Microsoft 365 Audit log. |
|
2 |
|
3 |
Click New to enable the Search Properties tabs across the bottom of the Searches page. |
|
4 |
On the Info tab, enter a name and description for the search. |
|
5 |
|
NOTE: You can use Add with Events | Subsystem | Microsoft Entra to select an existing event from the database and use its properties as a filter for a new search. |
|
6 |
Select All Events. |
|
7 |
Select the Layout tab and choose the Microsoft Entra information to include. |
|
8 |
Click OK to save your selection and close the dialog. |
|
3 |
Click New to enable the Search Properties tabs across the bottom of the Searches page. |
|
4 |
On the Info tab, enter a name and description for the search. |
|
5 |
|
6 |
Group by the Facility column. |
|
• |
To add all events within a facility, select the required Microsoft Entra facility, click Add | Add All Events in Facility, and click OK. |
|
• |
|
7 |
Select the Layout tab and choose the Microsoft Entra ID information to include. |
|
2 |
|
3 |
Click New to enable the Search Properties tabs across the bottom of the Searches page. |
|
5 |
|
NOTE: You can use Add with Events | Subsystem | Microsoft Entra to select an existing event from the database and use its properties as a filter for a new search. |
|
6 |
Select Selected Events to configure the search. |
|
• |
Select the Category filter to specify the event category to include in the search. Select a comparison operator (Like or Not like) and enter a category name. For example, if you are interested only in activities related to self-service password resets, you would choose the “Self-service Password Management” category. |
|
• |
Select the Activity Type filter to specify the activity to include in the search. Select a comparison operator (Like or Not like) and enter an activity type. For example, to only show user related activities you would select “User” as the activity type. |
|
• |
Select the Activity Name filter to specify the activity to include in the search. (For sign-in risk events, this will show the detected activity that occurred on the risk event.) Select a comparison operator (Like or Not like) and enter an activity name (character string and the * wildcard character). For example: Like *delete* will search for events where Activity contains ‘delete’. |
|
• |
Select the Activity Details filter to include activity details in the search. (For sign-in risk events use the status of the risk event, such as Resolved). Select a comparison operator (Like or Not like) and enter a full or partial string (character string and the * wildcard character). For example, the 'Self-serve password reset flow activity progress' activity provides several different details including: User started the mobile SMS verification option, User started the e-mail verification option, or User successfully reset password. You can leave this filter blank to return events for all activities or narrow the search based on the activity details. |
|
• |
Select the Target filter to specify the target (primary and secondary targets) to include in the search. (For sign-in risk events, the field searches for the risk event type such as Sign-in from anonymous IP address). Select a comparison operator (Like or Not like) and enter a full or partial name (character string and the * wildcard character). The Target filter searches across the following properties: Object Name (Cloud Target Name), Target Display Name, On-Premises Target, Subject Name, Subject Display Name, and On-Premises Subject. |
|
• |
Select the Location filter to specify the country, state, or city to include in the search. Select a comparison operator (Like or Not like) and enter a full or partial name (character string and the * wildcard character). |
|
7 |
Click Add to add the expression to the selection list. |
|
9 |
Select the Layout tab and choose the Microsoft Entra ID information to include. |
