Change Auditor 7.0.3 - Office 365 and Azure Active Directory User Guide

Custom searches

You can create custom searches to meet your specific needs by using the following search properties tabs to define the criteria:

 

NOTE: Selecting the Private folder creates a search that only you can run and view, whereas selecting the Shared folder creates a search that all users can view and run.

The following examples show how to use searches to find the information you need.

Creating custom Exchange Online searches

3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
5. On the What tab, expand Add and click Subsystem | Office 365.
NOTE: You can use Add with Events | Subsystem | Office 365 (instead of Add | Subsystem | Office 365) to search for events associated with an online mailbox or administrative action that already has an event associated with it.
6. Choose the Selected Events option to configure the search.
7. Select the Mailbox Event option.

To search for activities performed on a specific mailbox

1. Select Mailbox Name to specify the mailbox to include.
2. Select the comparison operator to use: Contains or Does Not Contain. Enter the pattern (character string) to be used to search for a match. For example: Contains admin finds all events for mailboxes that contain ‘admin’ anywhere in their name.
3. Click Add to add the expression to the selection list at the bottom of the page.

Repeat this process to add any additional mailboxes to the search query.

To search for all activities performed on a specific folder and its contents across all monitored mailboxes

1. Select Folder Name to specify the folder to include.
2. Select the comparison operator to use: Contains or Does Not Contain. Enter the pattern (character string) to be used to search for a match. For example: Contains Inbox finds all events in the ‘Inbox’ folder across all audited mailboxes.
3. Click Add to add the expression to the selection list at the bottom of the page.

Repeat this process to add any additional folders to the search query.

To search for all activities by specific synchronized accounts based on their on-premises account name

1. Select On-Premises User Name to specify the user to include.
2. Select the comparison operator to use: Like or Not Like. Enter the pattern (character string and * wildcard character) to be used to search for a match. For example: Like *admin* finds all events performed by accounts that were synchronized from on-premises Active Directory that contain ‘admin’ anywhere in their sAMAccountName attribute.
3. Click Add to add the expression to the selection list.

Repeat this process to add any additional users to the search query.

To search for all activities performed on synchronized mailboxes based on their on-premises account name

1. Select On-Premises Target Name to specify the user to include. Use the format domain\username.
2. Select the comparison operator to use: Like or Not Like. Enter the pattern (character string and * wildcard character) to be used to search for a match. For example: Like *admin* finds all events performed on synchronized mailboxes that have ‘admin’ anywhere in their on-premises sAMAccountName attribute.
3. Click Add to add the expression to the selection list.

Repeat this process to add any additional mailboxes to the search query.

To search for activities performed on specific mailboxes based on their mailbox display name

1. Select Target Display Name to specify the mailbox to include.
2. Select the comparison operator to use: Like or Not Like. Enter the pattern (character string and * wildcard character) to be used to search for a match. For example: Like *admin* finds all events for mailboxes that contain ‘admin’ anywhere in their mailbox display name.
3. Click Add to add the expression to the selection list.

Repeat this process to add any additional mailboxes to the search query.

To search for activities performed on specific mailboxes based on their synchronization status

1. Select Target Sync Type to specify the type of mailbox accounts to include based on how they are synchronized.
2. Select In cloud to include mailboxes existing only in the cloud.
3. Select Synced from AD to include mailboxes that have been synchronized from on-premises Active Directory.
4. Click Add to add the expression to the selection list.

1. On the What tab, expand Add and click Subsystem | Office 365.
2. On the Office 365 Exchange Online dialog, choose the Selected Events option to configure the search.
a. Select the Administration Cmdlet Event option.
Click Cmdlet Name and select the comparison operator to use: Contains or Does not contain. Enter the ‘command’ to use to search for a match. For example, to search for any ‘add’ users, enter add.
Click Cmdlet Parameters, select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a parameter to use to search for a match.
Click Parameter Values, select the comparison operator to use (Contains or Does not contain), and enter the value to use to search for a match.
Click Cmdlet Object, select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a mailbox to use to search for a match.
NOTE:  

Creating a custom SharePoint Online and OneDrive for Business search

3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
5. On the What tab, expand Add and click Subsystem | Office 365.
6. Choose the Selected Events option to configure the search.
7. Select SharePoint/OneDrive Events.
Select the Operation filter to specify the operation to include in the search. Select a comparison operator (Like or Not like) and enter an operation name (character string and the * wildcard character). For example: Like *delete* will search for events where Operation contains ‘delete’. For a list of all available operations, see the Microsoft support article “Search the audit log in the Office 365 Security & Compliance Center”.
Select the Site URL filter to specify the full or partial URL to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character).
Select the Target filter to specify the full or partial name of the operation target (for example, the folder, file, user, or group) to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character). This search field corresponds to the contents of the Object Name column in the results grid.
9. Click Add to add the expression to the selection list.
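
The following added example (not part of this guide or of Change Auditor) emulates the Operation, Site URL and Target filters over a few constructed audit records, to show what a pattern such as *delete* selects and that a pattern without * has to match the whole value. Assumptions the guide does not state: matching is case-insensitive, expressions on different fields are combined with AND, and the Target filter is applied to the record's ObjectId field.

```python
import re

# Constructed sample records; field names follow the Office 365 audit log
# SharePoint schema (Operation, SiteUrl, ObjectId). tenant.example is a placeholder.
BASE = "https://tenant.example/sites/"
SAMPLE_EVENTS = [
    {"Operation": "FileDeleted", "SiteUrl": BASE + "finance/",
     "ObjectId": BASE + "finance/Shared Documents/q3-forecast.xlsx"},
    {"Operation": "FileDeletedFirstStageRecycleBin", "SiteUrl": BASE + "finance/",
     "ObjectId": BASE + "finance/Shared Documents/q3-forecast.xlsx"},
    {"Operation": "FileAccessed", "SiteUrl": BASE + "finance/",
     "ObjectId": BASE + "finance/Shared Documents/budget.docx"},
    {"Operation": "FolderDeleted", "SiteUrl": BASE + "hr/",
     "ObjectId": BASE + "hr/Shared Documents/Archive"},
    {"Operation": "FileDeleted", "SiteUrl": BASE + "finance/",
     "ObjectId": BASE + "finance/Shared Documents/~q3-forecast.tmp"},
]

def like(pattern, value):
    """True if value matches pattern; * matches any run of characters, the rest
    is literal. Case-insensitive matching is an assumption of this example."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, flags=re.IGNORECASE | re.DOTALL) is not None

def run_search(events, expressions):
    """Keep events satisfying every (field, operator, pattern) expression.
    Assumption: expressions are ANDed; a missing field counts as empty."""
    def holds(event, field, operator, pattern):
        if operator not in ("Like", "Not Like"):
            raise ValueError("unknown operator: " + operator)
        matched = like(pattern, event.get(field, ""))
        return matched if operator == "Like" else not matched
    return [e for e in events if all(holds(e, *x) for x in expressions)]

DELETES = [("Operation", "Like", "*delete*")]
FINANCE_DELETES = DELETES + [("SiteUrl", "Like", "*/sites/finance*")]
NO_TEMP_FILES = FINANCE_DELETES + [("ObjectId", "Not Like", "*.tmp")]

if __name__ == "__main__":
    for name, search in [("deletes", DELETES), ("finance", FINANCE_DELETES),
                         ("no temp", NO_TEMP_FILES),
                         ("no wildcard", [("Operation", "Like", "delete")])]:
        print(name, [e["Operation"] for e in run_search(SAMPLE_EVENTS, search)])
```
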

Displaying additional SharePoint Online and OneDrive for Business information

When auditing Office 365, you can add columns to display extra SharePoint Online and OneDrive for Business information through the search Layout tab:

Azure - O365 Site URL

Site Url

The SharePoint Online or OneDrive for Business website URL.

Azure - Activity Name/Operation

Activity Name/Operation

This field matches the Operation property in the Office 365 Audit log.
