
Change Auditor 7.2 - Office 365 and Azure Active Directory User Guide

Creating custom Exchange Online searches

3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
5. On the What tab, expand Add and click Subsystem | Office 365.
NOTE: You can use Add with Events | Subsystem | Office 365 (instead of Add | Subsystem | Office 365) to search for events associated with an online mailbox or administrative action that already has an event associated with it.
6. Choose the Selected Events option to configure the search.
7. Select the Mailbox Event option.

To search for activities performed on a specific mailbox

1. Select Mailbox Name to specify the mailbox to include.
2. Select the comparison operator to use: Contains or Does Not Contain. Enter the pattern (character string) to be used to search for a match. For example: Contains admin finds all events for mailboxes that contain ‘admin’ anywhere in their name.
3. Click Add to add the expression to the selection list at the bottom of the page.

Repeat this process to add any additional mailboxes to the search query.

To search for all activities performed on a specific folder and its contents across all monitored mailboxes

1. Select Folder Name to specify the folder to include.
2. Select the comparison operator to use: Contains or Does Not Contain. Enter the pattern (character string) to be used to search for a match. For example: Contains Inbox finds all events in the ‘Inbox’ folder across all audited mailboxes.
3. Click Add to add the expression to the selection list at the bottom of the page.

Repeat this process to add any additional folders to the search query.

To search for all activities by specific synchronized accounts based on their on-premises account name

1. Select On-Premises User Name to specify the user to include.
2. Select the comparison operator to use: Like or Not Like. Enter the pattern (character string and the * wildcard character) to be used to search for a match. For example: Like *admin* finds all events performed by accounts that were synchronized from on-premises Active Directory and that contain ‘admin’ anywhere in their sAMAccountName attribute.
3. Click Add to add the expression to the selection list.

Repeat this process to add any additional users to the search query.

To search for all activities performed on synchronized mailboxes based on their on-premises account name

1. Select On-Premises Target Name to specify the user to include. Use the format domain\username.
2. Select the comparison operator to use: Like or Not Like. Enter the pattern (character string and the * wildcard character) to be used to search for a match. For example: Like *admin* finds all events performed on synchronized mailboxes that have ‘admin’ anywhere in their on-premises sAMAccountName attribute.
3. Click Add to add the expression to the selection list.

Repeat this process to add any additional mailboxes to the search query.

To search for activities performed on specific mailboxes based on their mailbox display name

1. Select Target Display Name to specify the mailbox to include.
2. Select the comparison operator to use: Like or Not Like. Enter the pattern (character string and the * wildcard character) to be used to search for a match. For example: Like *admin* finds all events for mailboxes that contain ‘admin’ anywhere in their mailbox display name.
3. Click Add to add the expression to the selection list.

Repeat this process to add any additional mailboxes to the search query.

To search for activities performed on specific mailboxes based on their synchronization status

1. Select Target Sync Type to specify the type of mailbox accounts to include based on how they are synchronized.
2. Select In cloud to include mailboxes existing only in the cloud.
3. Select Synced from AD to include mailboxes that have been synchronized from on-premises Active Directory.
4. Click Add to add the expression to the selection list.

1. On the What tab, expand Add and click Subsystem | Office 365.
2. On the Office 365 Exchange Online dialog, choose the Selected Events option to configure the search.
a. Select the Administration Cmdlet Event option.
Click Cmdlet Name and select the comparison operator to use: Contains or Does not contain. Enter the ‘command’ to search for. For example, to find any cmdlet whose name contains ‘add’, enter add.
Click Cmdlet Parameters, select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a parameter to search for.
Click Parameter Values, select the comparison operator to use (Contains or Does not contain), and enter the value to search for.
Click Cmdlet Object, select the comparison operator to use (Contains or Does not contain), and enter the name (or partial name) of a mailbox to search for.
NOTE:  

Creating a custom SharePoint Online and OneDrive for Business search

3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
5. On the What tab, expand Add and click Subsystem | Office 365.
6. Choose the Selected Events option to configure the search.
7. Select SharePoint/OneDrive Events.
Select the Operation filter to specify the operation to include in the search. Select a comparison operator (Like or Not like) and enter an operation name (character string and the * wildcard character). For example: Like *delete* will search for events where Operation contains ‘delete’. For a list of all available operations, see the Microsoft support article “Search the audit log in the Office 365 Security & Compliance Center”.
Select the Site URL filter to specify the full or partial URL to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character).
Select the Target filter to specify the full or partial name of the operation target (for example, the folder, file, user, or group) to include in the search. Select a comparison operator (Like or Not like) and enter a string (character string and the * wildcard character). This search field corresponds to the contents of the Object Name column in the results grid.
9. Click Add to add the expression to the selection list.

Displaying additional SharePoint Online and OneDrive for Business information

When auditing Office 365, you can add columns to display extra SharePoint Online and OneDrive for Business information through the search Layout tab:

Azure - O365 Site URL (Site Url): The SharePoint Online or OneDrive for Business website URL.

Azure - Activity Name/Operation (Activity Name/Operation): This field matches the Operation property in the Office 365 audit log.

Creating custom Azure Active Directory searches

3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
4. On the Info tab, enter a name and description for the search.
5. On the What tab, expand Add and click Subsystem | Azure Active Directory.
NOTE: You can use Add with Events | Subsystem | Azure Active Directory to select an existing event from the database and use its properties as a filter for a new search.
6. Select All Events.
7. Select the Layout tab and choose the Azure Active Directory information to include.
8. Click OK to save your selection and close the dialog.

3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
4. On the Info tab, enter a name and description for the search.
5. On the What tab, expand Add. Select Event Class.
6. Group by the Facility column.
7. Select the Layout tab and choose the Azure Active Directory information to include.

3. Click New to enable the Search Properties tabs across the bottom of the Searches page.
5. On the What tab, expand Add and click Subsystem | Azure Active Directory.
NOTE: You can use Add with Events | Subsystem | Azure Active Directory to select an existing event from the database and use its properties as a filter for a new search.
6. Select Selected Events to configure the search.
Select the Category filter to specify the event category to include in the search. Select a comparison operator (Like or Not like) and enter a category name. For example, if you are interested only in activities related to self-service password resets, you would choose the “Self-service Password Management” category.
Select the Activity Type filter to specify the activity to include in the search. Select a comparison operator (Like or Not like) and enter an activity type. For example, to show only user-related activities, you would select “User” as the activity type.
Select the Activity Name filter to specify the activity to include in the search. (For sign-in risk events, this shows the detected activity that occurred on the risk event.) Select a comparison operator (Like or Not like) and enter an activity name (character string and the * wildcard character). For example: Like *delete* will search for events where Activity contains ‘delete’. For a list of all available activities, see the Microsoft article “Audit activity reports in the Azure Active Directory portal”.
Select the Activity Details filter to include activity details in the search. (For sign-in risk events, use the status of the risk event, such as Resolved.) Select a comparison operator (Like or Not like) and enter a full or partial string (character string and the * wildcard character). For example, the ‘Self-serve password reset flow activity progress’ activity provides several different details, including: User started the mobile SMS verification option, User started the e-mail verification option, or User successfully reset password. You can leave this filter blank to return events for all activities, or narrow the search based on the activity details.
Select the Target filter to specify the target (primary and secondary targets) to include in the search. (For sign-in risk events, the field searches for the risk event type, such as Sign-in from anonymous IP address.) Select a comparison operator (Like or Not like) and enter a full or partial name (character string and the * wildcard character). The Target filter searches across the following properties: Object Name (Cloud Target Name), Target Display Name, On-Premises Target, Subject Name, Subject Display Name, and On-Premises Subject.
Select the Location filter to specify the country, state, or city to include in the search. Select a comparison operator (Like or Not like) and enter a full or partial name (character string and the * wildcard character).
7. Click Add to add the expression to the selection list.
9. Select the Layout tab and choose the Azure Active Directory information to include.
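The Exchange Online, SharePoint Online and Azure Active Directory procedures above all build a search from the same two kinds of filter expression: Contains / Does Not Contain (substring match) and Like / Not Like (pattern match where * is the only wildcard). The following Python script is an added example, not Change Auditor code, that reproduces those filter semantics over a handful of constructed audit events so you can see which expressions select which events before building the search in the product. Field names follow the guide; the event records, the case-insensitive matching, and the rule that expressions on the same field are OR'd while different fields are AND'd are assumptions made for the example.

```python
import re
from typing import Callable, Dict, List, Tuple

# Constructed sample events shaped like the filter fields named in the guide.
# These records are invented for the example; they are not real audit data.
EXCHANGE_EVENTS: List[Dict[str, str]] = [
    {"Mailbox Name": "admin-shared", "Folder Name": "Inbox",
     "On-Premises User Name": "corp\\svc.admin",
     "Target Sync Type": "Synced from AD", "Cmdlet Name": ""},
    {"Mailbox Name": "alice", "Folder Name": "Sent Items",
     "On-Premises User Name": "",
     "Target Sync Type": "In cloud", "Cmdlet Name": ""},
    {"Mailbox Name": "bob", "Folder Name": "",
     "On-Premises User Name": "corp\\bob",
     "Target Sync Type": "Synced from AD", "Cmdlet Name": "Add-MailboxPermission"},
]

AZURE_AD_EVENTS: List[Dict[str, str]] = [
    {"Category": "Self-service Password Management", "Activity Type": "User",
     "Activity Name": "Self-serve password reset flow activity progress",
     "Activity Details": "User successfully reset password",
     "Target": "alice@example.com", "Location": "Seattle, Washington, US"},
    {"Category": "Core Directory", "Activity Type": "User",
     "Activity Name": "Delete user", "Activity Details": "",
     "Target": "bob@example.com", "Location": "Dublin, Ireland"},
    {"Category": "Core Directory", "Activity Type": "Group",
     "Activity Name": "Add member to group", "Activity Details": "",
     "Target": "Helpdesk Admins", "Location": "Dublin, Ireland"},
]


def _like(value: str, pattern: str) -> bool:
    """Like: the pattern must match the whole value; only '*' is a wildcard.
    A pattern with no '*' therefore behaves as a whole-value comparison,
    which is why the guide's examples use *admin* rather than admin."""
    regex = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.fullmatch(regex, value, re.IGNORECASE) is not None


def _contains(value: str, pattern: str) -> bool:
    """Contains: substring match anywhere in the value (case-insensitive here; assumption)."""
    return pattern.lower() in value.lower()


OPERATORS: Dict[str, Callable[[str, str], bool]] = {
    "Contains": _contains,
    "Does Not Contain": lambda v, p: not _contains(v, p),
    "Like": _like,
    "Not Like": lambda v, p: not _like(v, p),
}

# One expression = what you get from one click of Add: (field, operator, pattern)
Expression = Tuple[str, str, str]


def run_search(events: List[Dict[str, str]],
               expressions: List[Expression]) -> List[Dict[str, str]]:
    """Evaluate a selection list against events.

    Assumption for this example: repeating Add for the same field (for example
    several mailbox names) widens the search, so same-field expressions are
    OR'd; expressions on different fields must all hold (AND)."""
    by_field: Dict[str, List[Tuple[str, str]]] = {}
    for field, operator, pattern in expressions:
        by_field.setdefault(field, []).append((operator, pattern))

    matched = []
    for event in events:
        if all(
            any(OPERATORS[op](event.get(field, ""), pat) for op, pat in ops)
            for field, ops in by_field.items()
        ):
            matched.append(event)
    return matched


if __name__ == "__main__":
    # Mailbox Name Contains admin, as in the guide's first example
    for ev in run_search(EXCHANGE_EVENTS, [("Mailbox Name", "Contains", "admin")]):
        print("mailbox match:", ev["Mailbox Name"])
    # Like without a wildcard is a whole-value match, so this selects nothing
    print("Like admin:", run_search(EXCHANGE_EVENTS, [("On-Premises User Name", "Like", "admin")]))
    # Activity Name Like *delete*, as in the Azure AD example
    for ev in run_search(AZURE_AD_EVENTS, [("Activity Name", "Like", "*delete*")]):
        print("activity match:", ev["Activity Name"], "->", ev["Target"])
```

The Target Sync Type choice (In cloud / Synced from AD) is expressed here as a Like expression with no wildcard, which makes it a whole-value match; the Cmdlet Name example shows that Contains add picks up Add-MailboxPermission regardless of case.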