Audit: overview

  • Last update on September 26th, 2024

The Audit section is only available as an add-on. Please contact your CSM to learn more.

 

Audit reports act as an exhaustive repository of Audit data, chronicling user activities across a range of platforms such as SharePoint, Exchange, Threat Intelligence, Entra ID, Teams, Power BI, OneDrive, Active Directory, and CoreView. The Audit data is downloaded from the Microsoft unified log.

This functionality becomes available once you agree to Microsoft API sharing during your subscription activation. The collection of Audit information commences from the day of subscription activation.

The different Audit reports include:

Microsoft 365

The “Audit activities” for Microsoft 365 section offers a comprehensive report of all activities from the Unified Audit Log within your Microsoft 365 tenant. This report serves as an initial reference, which you can refine based on your specific investigation. For instance, you could generate a report detailing all actions undertaken by a particular user over the previous week. While only a subset of details for each event is displayed initially, you can access additional properties in the workload-specific reports.

 
 

Exchange

In the Exchange section, you will find comprehensive reports on Audited activities, admin and non-owner mailbox activities, Data Loss Prevention (DLP) actions, “Send As” or “Send on Behalf” activities, and changes to mailbox rights within your Microsoft 365 tenant.

 
 

SharePoint

In the SharePoint section, you will find detailed reports on various activities within your Microsoft 365 tenant. These include Audited SharePoint Online activities, external and anonymous invitations, activities performed by external users, Site Collection administrator changes, sharing operations, and Site permission changes. Each category provides a curated view, with additional details available upon selecting the corresponding columns.

 
 

OneDrive

In the OneDrive section, you will find comprehensive reports on OneDrive for Business activities within your Microsoft 365 tenant. These include Audited activities, external and anonymous invitations, activities performed by external users, Site Collection provisioning, Data Loss Prevention (DLP) activities, sharing operations, and Site permission changes. Each category offers a curated view, with the option to display additional details by selecting the corresponding columns.

 
 

Threat intelligence

The threat intelligence activities report a report of all Threat Intelligence Audited activities within your Microsoft 365 tenant.

 
 

Teams

In the Teams section, you will find detailed reports on all Microsoft Teams activities within your Microsoft 365 tenant. These include Audited activities, channel operations, membership operations, team management operations, external and anonymous invitations, activities performed by external users, Site Collection administrator changes, Data Loss Prevention (DLP) activities, sharing operations, and Site permission changes. Each category provides a curated view, with the option to display additional details by selecting the corresponding columns.

 
 

Power BI

 The Power BI activities report provides a report of all Power BI Audited activities within your Microsoft 365 tenant.

 
 

Security and compliance activities

Here you are provided with a report of all Microsoft Purview and Microsoft Defender Audited activities within your Microsoft 365 tenant.

 
 

CRM

The CRM activities page provides a report of all Dynamics CRM Audited activities within your Microsoft 365 tenant.

 
 

Entra ID

In the Entra ID section, you will find comprehensive reports on all Entra ID activities within your Microsoft 365 tenant. These include Audited activities, various sign-in events (overall, admin roles, external users, failed attempts), monthly sign-ins by user and app, risky users, risk detections, and sign-ins from anonymous IPs, infected devices, unfamiliar locations, and using legacy protocols. For certain categories, additional details can be displayed by selecting the corresponding columns, and you have the option to display a map (Sign-in: events, with admin roles, external and failed) enable the anonymous data toggle (Sign-in: events, with admin roles, external and failed, from unfamiliar locations, risk detections and impossible to travel to atypical locations).
You may use this section to:

 
 

PowerApps

In the Power Apps section, you will find detailed reports on all Power Apps activities within your Microsoft 365 tenant. These include Audited activities, creation, launch, and publishing events, as well as permission changes. Each category provides a comprehensive view, with the option to display additional details by selecting the corresponding columns.

 
 

CoreView

The CoreView Audit log is now located in the “Audit log” section under Settings. Here you'll find a record of all activities carried out in CoreView, enabling you to track and oversee the actions of each operator within CoreView.

 
 

Common features for Audit reports include: