Search for eDiscovery activities in the Office 365 audit log

Content Search and eDiscovery-related activities that are performed in Office 365 Security & Compliance Center or by running the corresponding Windows PowerShell cmdlets are logged in the Office 365 audit log. Events are logged when administrators or compliance administrators (or any user that's assigned eDiscovery permissions) perform the following Content Search and eDiscovery-related tasks in the Office 365 Security & Compliance Center:

  • Creating and managing eDiscovery cases

  • Creating, starting, and editing Content Searches

  • Performing Content Search actions, such as previewing, exporting, and deleting search results

  • Configuring permissions filtering for Content Search

  • Managing the eDiscovery Administrator role

Important

The activities described in this article are only the result of eDiscovery tasks performed by using the Security & Compliance Center. eDiscovery tasks that were performed by using the In-Place eDiscovery tool in Exchange Online or the eDiscovery Center in SharePoint Online aren't included.

For more information about searching the Office 365 audit log, the permissions that are required, and exporting search results, see Search the audit log in the Office 365 Security & Compliance Center.

How to search for and view eDiscovery activities

Currently, you have to do a few specific things to view eDiscovery activities in the Office 365 audit log. Here's how.

  1. Go to https://protection.office.com.

  2. Sign in to Office 365 using your work or school account.

  3. In the left pane, click Search & investigation, and then click Audit log search.

  4. In the Activities drop-down list, under eDiscovery activities, click one or more activities to search for. Or you can click eDiscovery activities to search for all eDiscovery-related activities.

    Note

    The Activities drop-down list also includes a group of activities named eDiscovery cmdlet activities that will return records from the cmdlet audit log.

  5. Select a date and time range to display eDiscovery events that occurred within that period.

  6. In the Users box, select one or more users to display search results for. Leave this box blank to return entries for all users.

  7. Click Search to run the search using your search criteria.

  8. After the search results are displayed, you can click Filter results to filter or sort the resulting activity records. Unfortunately, you can't use filtering to explicitly exclude certain activities.

  9. To view details about an activity, click the activity record in the list of search results.

    A Details flyout page is displayed that contains the detailed properties from the event record. To display additional details, click More information. For a description of these properties, see the Detailed properties for eDiscovery activities section.

eDiscovery activities

The following table describes the Content Search and eDiscovery-related activities that are logged when an administrator or user performs an eDiscovery-related activity by using the Security & Compliance Center or by running the corresponding cmdlet in remote PowerShell that's connected to your organization's Security & Compliance Center.

Note

The eDiscovery activities described in this section provide similar information to the eDiscovery cmdlet activities described in the next section. We recommend that you use the eDiscovery activities described in this section because they will appear in the audit log search results within 30 minutes. It takes up to 24 hours for the eDiscovery cmdlet activities to appear in audit log search results.

Each entry lists the friendly name shown in the Activities drop-down list, the Operation value recorded in the audit log entry, the corresponding cmdlet (N/A where the activity has no cmdlet equivalent), and a description.

Added member to eDiscovery case
  Operation: CaseMemberAdded
  Cmdlet: Add-ComplianceCaseMember
  Description: A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they have been assigned the necessary permissions.

Changed content search
  Operation: SearchUpdated
  Cmdlet: Set-ComplianceSearch
  Description: An existing content search was changed. Changes can include adding or removing content locations or editing the search query.

Changed eDiscovery administrator membership
  Operation: CaseAdminUpdated
  Cmdlet: Update-eDiscoveryCaseAdmin
  Description: The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the CaseAdminAdded or CaseAdminRemoved operation is logged.

Changed eDiscovery case
  Operation: CaseUpdated
  Cmdlet: Set-ComplianceCase
  Description: An eDiscovery case was changed. Changes include closing an open case or re-opening a closed case.

Changed eDiscovery case membership
  Operation: CaseMemberUpdated
  Cmdlet: Update-ComplianceCaseMember
  Description: The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, the CaseMemberAdded or CaseMemberRemoved operation is logged.

Changed search permissions filter
  Operation: SearchPermissionUpdated
  Cmdlet: Set-ComplianceSecurityFilter
  Description: A search permissions filter was changed.

Changed search query for eDiscovery case hold
  Operation: HoldUpdated
  Cmdlet: Set-CaseHoldRule
  Description: A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold.

Content search preview item downloaded
  Operation: PreviewItemDownloaded
  Cmdlet: N/A
  Description: A user downloaded an item to their local computer (by clicking the Download original item link) when previewing search results.

Content search preview item listed
  Operation: PreviewItemListed
  Cmdlet: N/A
  Description: A user clicked Preview search results to display the preview search results page, which lists up to 1000 items from the results of a Content Search.

Content search preview item viewed
  Operation: PreviewItemRendered
  Cmdlet: N/A
  Description: An eDiscovery manager viewed an item by clicking it when previewing search results.

Created content search
  Operation: SearchCreated
  Cmdlet: New-ComplianceSearch
  Description: A new content search was created.

Created eDiscovery administrator
  Operation: CaseAdminAdded
  Cmdlet: Add-eDiscoveryCaseAdmin
  Description: A user was added as an eDiscovery Administrator in the organization.

Created eDiscovery case
  Operation: CaseAdded
  Cmdlet: New-ComplianceCase
  Description: An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks such as adding members, creating holds, and creating content searches associated with the case result in additional events being logged.

Created search permissions filter
  Operation: SearchPermissionCreated
  Cmdlet: New-ComplianceSecurityFilter
  Description: A search permissions filter was created.

Created search query for eDiscovery case hold
  Operation: HoldCreated
  Cmdlet: New-CaseHoldRule
  Description: A query-based hold associated with an eDiscovery case was created.

Deleted content search
  Operation: SearchRemoved
  Cmdlet: Remove-ComplianceSearch
  Description: An existing content search was deleted.

Deleted eDiscovery administrator
  Operation: CaseAdminRemoved
  Cmdlet: Remove-eDiscoveryCaseAdmin
  Description: An eDiscovery Administrator was deleted from your organization.

Deleted eDiscovery case
  Operation: CaseRemoved
  Cmdlet: Remove-ComplianceCase
  Description: An eDiscovery case was deleted. Note that any hold associated with the case has to be removed before the case can be deleted.

Deleted search permissions filter
  Operation: SearchPermissionRemoved
  Cmdlet: Remove-ComplianceSecurityFilter
  Description: A search permissions filter was deleted.

Deleted search query for eDiscovery case hold
  Operation: HoldRemoved
  Cmdlet: Remove-CaseHoldRule
  Description: A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released.

Downloaded export of content search
  Operation: SearchExportDownloaded
  Cmdlet: N/A
  Description: A user downloaded the results of a content search to their local computer. Note that a Started export of content search activity has to be initiated before search results can be downloaded.

Previewed results of content search
  Operation: SearchPreviewed
  Cmdlet: N/A
  Description: A user previewed the results of a content search.

Purged results of content search
  Operation: SearchResultsPurged
  Cmdlet: New-ComplianceSearchAction
  Description: A user purged the results of a Content Search by running the New-ComplianceSearchAction -Purge command.

Removed analysis of content search
  Operation: RemovedSearchResultsSentToZoom
  Cmdlet: Remove-ComplianceSearchAction
  Description: A content search prepare action (to prepare search results for Office 365 Advanced eDiscovery) was deleted. If the preparation action was less than two weeks old, the search results that were prepared for Advanced eDiscovery were deleted from the Microsoft Azure storage area. If the preparation action was older than two weeks, this event indicates that only the corresponding preparation action was deleted.

Removed export of content search
  Operation: RemovedSearchExported
  Cmdlet: Remove-ComplianceSearchAction
  Description: A content search export action was deleted. If the export action was less than two weeks old, the search results that were uploaded to the Microsoft Azure storage area were deleted. If the export action was older than two weeks, this event indicates that only the corresponding export action was deleted.

Removed member from eDiscovery case
  Operation: CaseMemberRemoved
  Cmdlet: Remove-ComplianceCaseMember
  Description: A user was removed as a member of an eDiscovery case.

Removed preview results of content search
  Operation: RemovedSearchPreviewed
  Cmdlet: Remove-ComplianceSearchAction
  Description: A content search preview action was deleted.

Removed purge action performed on content search
  Operation: RemovedSearchResultsPurged
  Cmdlet: Remove-ComplianceSearchAction
  Description: A content search purge action was deleted.

Removed search report
  Operation: SearchReportRemoved
  Cmdlet: Remove-ComplianceSearchAction
  Description: A content search export report action was deleted.

Started analysis of content search
  Operation: SearchResultsSentToZoom
  Cmdlet: New-ComplianceSearchAction
  Description: The results of a content search were prepared for analysis in Advanced eDiscovery.

Started content search
  Operation: SearchStarted
  Cmdlet: Start-ComplianceSearch
  Description: A content search was started. When you create or change a content search by using the Security & Compliance Center GUI, the search is automatically started. If you create or change a search by using the New-ComplianceSearch or Set-ComplianceSearch cmdlet, you have to run the Start-ComplianceSearch cmdlet to start the search.

Started export of content search
  Operation: SearchExported
  Cmdlet: New-ComplianceSearchAction
  Description: A user exported the results of a content search.

Started export report
  Operation: SearchReport
  Cmdlet: New-ComplianceSearchAction
  Description: A user exported a content search report.

Stopped content search
  Operation: SearchStopped
  Cmdlet: Stop-ComplianceSearch
  Description: A user stopped a content search.

eDiscovery cmdlet activities

The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the Security & Compliance Center or by running the corresponding cmdlet in remote PowerShell that's connected to your organization's Security & Compliance Center. Note that the detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.

As previously stated, it takes up to 24 hours for eDiscovery cmdlet activities to appear in the audit log search results.

Tip

The cmdlets in the Operation column in the following table are linked to the corresponding cmdlet help topic on TechNet. Go to the cmdlet help topic for a description of the available parameters for each cmdlet. The parameter and the parameter value that were used with a cmdlet are included in the audit log entry for each eDiscovery cmdlet activity that's logged.

Each entry lists the friendly name, the cmdlet that appears as the Operation value in the audit log entry, and a description.

Created hold in eDiscovery case
  Operation (cmdlet): New-CaseHoldPolicy
  Description: A hold was created for an eDiscovery case. A hold can be created with or without specifying a content source. If content sources are specified, they'll be identified in the audit log entry.

Deleted hold from eDiscovery case
  Operation (cmdlet): Remove-CaseHoldPolicy
  Description: A hold that is associated with an eDiscovery case was deleted. Deleting a hold releases all of the content locations from the hold. Deleting the hold also results in deleting the case hold rules associated with the hold (see Remove-CaseHoldRule below).

Changed hold in eDiscovery case
  Operation (cmdlet): Set-CaseHoldPolicy
  Description: A hold that is associated with an eDiscovery case was changed. Possible changes include adding or removing content locations or turning off (disabling) the hold.

Created search query for eDiscovery case hold
  Operation (cmdlet): New-CaseHoldRule
  Description: A query-based hold associated with an eDiscovery case was created.

Deleted search query for eDiscovery case hold
  Operation (cmdlet): Remove-CaseHoldRule
  Description: A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released.

Changed search query for eDiscovery case hold
  Operation (cmdlet): Set-CaseHoldRule
  Description: A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold.

Created eDiscovery case
  Operation (cmdlet): New-ComplianceCase
  Description: An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks such as adding members, creating holds, and creating content searches associated with the case result in additional events being logged.

Deleted eDiscovery case
  Operation (cmdlet): Remove-ComplianceCase
  Description: An eDiscovery case was deleted. Note that any hold associated with the case has to be removed before the case can be deleted.

Changed eDiscovery case
  Operation (cmdlet): Set-ComplianceCase
  Description: An eDiscovery case was changed. Changes include closing an open case or re-opening a closed case.

Added member to eDiscovery case
  Operation (cmdlet): Add-ComplianceCaseMember
  Description: A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they have been assigned the necessary permissions.

Removed member from eDiscovery case
  Operation (cmdlet): Remove-ComplianceCaseMember
  Description: A user was removed as a member of an eDiscovery case.

Changed eDiscovery case membership
  Operation (cmdlet): Update-ComplianceCaseMember
  Description: The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, the Add-ComplianceCaseMember or Remove-ComplianceCaseMember operation is logged.

Created content search
  Operation (cmdlet): New-ComplianceSearch
  Description: A new content search was created.

Deleted content search
  Operation (cmdlet): Remove-ComplianceSearch
  Description: An existing content search was deleted.

Changed content search
  Operation (cmdlet): Set-ComplianceSearch
  Description: An existing content search was changed. Changes can include adding or removing content locations that are searched and editing the search query.

Started content search
  Operation (cmdlet): Start-ComplianceSearch
  Description: A content search was started. When you create or change a content search by using the Security & Compliance Center GUI, the search is automatically started. If you create or change a search by using the New-ComplianceSearch or Set-ComplianceSearch cmdlet, you have to run the Start-ComplianceSearch cmdlet to start the search.

Stopped content search
  Operation (cmdlet): Stop-ComplianceSearch
  Description: A content search that was running was stopped.

Created content search action
  Operation (cmdlet): New-ComplianceSearchAction
  Description: A content search action was created. Content search actions include previewing search results, exporting search results, preparing search results for analysis in Office 365 Advanced eDiscovery, and permanently deleting items that match the search criteria of a content search.

Deleted content search action
  Operation (cmdlet): Remove-ComplianceSearchAction
  Description: A content search action was deleted.

Created search permissions filter
  Operation (cmdlet): New-ComplianceSecurityFilter
  Description: A search permissions filter was created.

Deleted search permissions filter
  Operation (cmdlet): Remove-ComplianceSecurityFilter
  Description: A search permissions filter was deleted.

Changed search permissions filter
  Operation (cmdlet): Set-ComplianceSecurityFilter
  Description: A search permissions filter was changed.

Created eDiscovery administrator
  Operation (cmdlet): Add-eDiscoveryCaseAdmin
  Description: A user was added as an eDiscovery Administrator in your organization.

Deleted eDiscovery administrator
  Operation (cmdlet): Remove-eDiscoveryCaseAdmin
  Description: An eDiscovery Administrator was deleted from your organization.

Changed eDiscovery administrator membership
  Operation (cmdlet): Update-eDiscoveryCaseAdmin
  Description: The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the Add-eDiscoveryCaseAdmin or Remove-eDiscoveryCaseAdmin operation is logged.
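The following Python script is an added example and is not code from the Microsoft article. It shows how a defender might triage audit records retrieved from the audit log using the Operation and RecordType values from the two tables above: records with RecordType 24 (eDiscovery activities, searchable within about 30 minutes) and RecordType 18 (cmdlet activities, up to 24 hours) are handled separately, and operations that purge data, move it off the tenant, widen who may search, or release holds are surfaced first. It assumes each record is available as an AuditData JSON object with the property names the article lists under Detailed properties (Operation, RecordType, UserId, ObjectId, CreationTime); the sample records and the set of operations treated as high impact are constructed for illustration.

```python
"""Triage eDiscovery audit records by Operation and RecordType.

Added example; not code from the Microsoft article. Input is one AuditData
JSON object per line with the property names the article lists (Operation,
RecordType, UserId, ObjectId, CreationTime). Sample records are constructed.
"""
import json

# Operation -> friendly name, taken from the article's two activity tables.
FRIENDLY = {
    "SearchCreated": "Created content search",
    "SearchStarted": "Started content search",
    "SearchExported": "Started export of content search",
    "SearchExportDownloaded": "Downloaded export of content search",
    "PreviewItemDownloaded": "Content search preview item downloaded",
    "SearchResultsPurged": "Purged results of content search",
    "SearchPermissionUpdated": "Changed search permissions filter",
    "SearchPermissionRemoved": "Deleted search permissions filter",
    "CaseAdminAdded": "Created eDiscovery administrator",
    "CaseAdminUpdated": "Changed eDiscovery administrator membership",
    "HoldRemoved": "Deleted search query for eDiscovery case hold",
    "New-ComplianceSearchAction": "Created content search action",
    "Remove-CaseHoldPolicy": "Deleted hold from eDiscovery case",
    "Remove-CaseHoldRule": "Deleted search query for eDiscovery case hold",
    "Add-eDiscoveryCaseAdmin": "Created eDiscovery administrator",
}

# Operations that delete data, move it off the tenant, widen who may search,
# or release a hold. Which ones to include is this example's judgement (assumption).
HIGH_IMPACT = {
    "SearchExported", "SearchExportDownloaded", "PreviewItemDownloaded",
    "SearchResultsPurged", "SearchPermissionUpdated", "SearchPermissionRemoved",
    "CaseAdminAdded", "CaseAdminUpdated", "HoldRemoved",
    "New-ComplianceSearchAction", "Remove-CaseHoldPolicy", "Remove-CaseHoldRule",
    "Add-eDiscoveryCaseAdmin",
}

# RecordType values as stated in the article: 24 = eDiscovery activities
# (searchable within about 30 minutes), 18 = eDiscovery cmdlet activities
# (up to 24 hours). Cmdlet records carry the cmdlet name as the Operation.
RECORD_TYPE_EDISCOVERY = 24
RECORD_TYPE_CMDLET = 18

# Constructed sample records (not real tenant data), one JSON object per line.
SAMPLE_LINES = [
    '{"CreationTime":"2019-03-01T10:15:00","RecordType":24,"Operation":"SearchCreated",'
    '"UserId":"alice@contoso.example","ObjectId":"HR investigation search"}',
    '{"CreationTime":"2019-03-01T10:20:00","RecordType":24,"Operation":"SearchExported",'
    '"UserId":"alice@contoso.example","ObjectId":"HR investigation search"}',
    '{"CreationTime":"2019-03-01T11:05:00","RecordType":24,"Operation":"SearchResultsPurged",'
    '"UserId":"bob@contoso.example","ObjectId":"HR investigation search"}',
    '{"CreationTime":"2019-03-01T11:06:00","RecordType":18,"Operation":"New-ComplianceSearchAction",'
    '"UserId":"bob@contoso.example","ObjectId":"HR investigation search"}',
    '{"CreationTime":"2019-03-02T08:00:00","RecordType":24,"Operation":"CaseAdminAdded",'
    '"UserId":"admin@contoso.example","ObjectId":"carol@contoso.example"}',
]


def parse_records(lines):
    """Parse one AuditData JSON document per line; blank lines are skipped."""
    return [json.loads(line) for line in lines if line.strip()]


def triage(records, record_type=RECORD_TYPE_EDISCOVERY):
    """High-impact operations of one record type, oldest first, as (user, friendly name, object)."""
    hits = [r for r in records
            if r.get("RecordType") == record_type and r.get("Operation") in HIGH_IMPACT]
    # CreationTime is ISO 8601 UTC, so a string sort is a chronological sort.
    hits.sort(key=lambda r: r.get("CreationTime", ""))
    return [(r.get("UserId"), FRIENDLY.get(r["Operation"], r["Operation"]), r.get("ObjectId"))
            for r in hits]


def operations_by_user(records):
    """Every distinct operation each user performed, as sorted friendly names, across both record types."""
    by_user = {}
    for r in records:
        op = r.get("Operation", "")
        by_user.setdefault(r.get("UserId"), set()).add(FRIENDLY.get(op, op))
    return {user: sorted(ops) for user, ops in by_user.items()}


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LINES)
    print("eDiscovery activities (RecordType 24):")
    for user, name, obj in triage(recs):
        print(f"  {user}: {name} -> {obj}")
    print("cmdlet activities (RecordType 18):")
    for user, name, obj in triage(recs, RECORD_TYPE_CMDLET):
        print(f"  {user}: {name} -> {obj}")
```

Because the two record types arrive on different schedules, running the triage on RecordType 24 first gives the quickest view; the RecordType 18 records for the same actions (such as the New-ComplianceSearchAction behind a purge) confirm the cmdlet and its parameters a day later.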

Detailed properties for eDiscovery activities

The following table describes the properties that are included when you click More information on the Details page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results. Note that an audit log record for an eDiscovery activity won't include every detailed property listed below.

Tip

When you export the search results, the CSV file contains a column named Detail, which contains the detailed properties described in the following table as a multi-value property. You can use the Power Query feature in Excel to split this column into multiple columns so that each property has its own column. This lets you sort and filter on one or more of these properties. For more information, see the "Export the search results to a file" section in Search the audit log in the Office 365 Security & Compliance Center.

Case
  The identity (GUID) of the eDiscovery case that was created, changed, or deleted.

ClientApplication
  eDiscovery cmdlet activities have a value of EMC for this property. This indicates the activity was performed by using the Security & Compliance Center GUI or by running the cmdlet in PowerShell.

ClientIP
  The IP address of the device that was used when the activity was logged. The IP address is displayed in either IPv4 or IPv6 format.

ClientRequestId
  For eDiscovery activities, this property is typically blank.

CmdletVersion
  The build number for the version of the Security & Compliance Center running in your organization.

CreationTime
  The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was completed.

EffectiveOrganization
  The name of your Office 365 organization.

ExchangeLocations
  The Exchange Online mailboxes that are included in a content search or placed on hold in an eDiscovery case.

Exclusions
  Mailbox or site locations that are excluded from a content search or a hold in an eDiscovery case.

ExtendedProperties
  Additional properties from a content search, a content search action, or a hold in an eDiscovery case, such as the object GUID and the corresponding cmdlet and cmdlet parameters that were used when the activity was performed.

Id
  The ID of the report entry. The ID uniquely identifies the audit log entry.

NonPIIParameters
  A list of the parameters (without any values) that were used with the cmdlet identified in the Operation property. The parameters listed in this property are the same as those listed in the Parameters property.

ObjectId
  The GUID or name of the object (for example, a Content Search or an eDiscovery case) that was created, changed, or deleted by the activity listed in the Operation property. This object is also identified in the Item column in the audit log search results.

ObjectType
  The type of eDiscovery object that the user created, deleted, or modified; for example, a content search action (preview, export, or purge), an eDiscovery case, or a content search.

Operation
  The name of the operation that corresponds to the eDiscovery activity that was performed.

OrganizationId
  The GUID for your Office 365 organization.

Parameters
  The name and value for the parameters that were used with the corresponding cmdlet.

PublicFolderLocations
  The public folder locations in Exchange Online that are included in a content search or placed on hold in an eDiscovery case.

Query
  The search query associated with the activity, such as a content search or a query-based hold.

RecordType
  The type of operation indicated by the record. The value of 18 indicates an event related to an activity listed in the eDiscovery cmdlet activities section. A value of 24 indicates an event related to an activity listed in the How to search for and view eDiscovery activities section.

ResultStatus
  Indicates whether the action (specified in the Operation property) was successful or not.

SecurityComplianceCenterEventType
  Indicates that the activity was a Security & Compliance Center event. All eDiscovery activities have a value of 0 for this property.

SharepointLocations
  The SharePoint Online sites that are included in a content search or placed on hold in an eDiscovery case.

StartTime
  The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was started.

UserId
  The user who performed the activity (specified in the Operation property) that resulted in the record being logged. Note that records for eDiscovery activity performed by system accounts (such as NT AUTHORITY\SYSTEM) are also included in the audit log.

UserKey
  An alternative ID for the user identified in the UserId property. For eDiscovery activities, the value for this property is typically the same as the UserId property.

UserServicePlan
  The Office 365 subscription used by your organization. For eDiscovery activities, this property is typically blank.

UserType
  The type of user that performed the operation. The following values indicate the user type.

  • 0: A regular user.

  • 2: An administrator in your Office 365 organization.

  • 3: A Microsoft datacenter administrator or datacenter system account.

  • 4: A system account.

  • 5: An application.

  • 6: A service principal.

Version
  Indicates the version number of the activity (identified by the Operation property) that's logged.

Workload
  The Office 365 service where the activity occurred. For eDiscovery activities, the value is SecurityComplianceCenter.
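The following Python script is an added example, not code from the Microsoft article, of the splitting step the Tip above describes: it reads an exported audit log CSV, breaks the multi-value Detail column into one column per property, expands each cmdlet parameter into its own column, and decodes the numeric UserType and RecordType values using the meanings listed in the table above. The article names the Detail column but does not state its encoding; this example assumes it holds the properties as a JSON object (an assumption), and the CSV below, including its column names other than Detail, is constructed for illustration.

```python
"""Split the Detail column of an exported audit log CSV into one column per property.

Added example; not code from the Microsoft article. Assumes (not stated in the
article) that the Detail column holds the detailed properties as a JSON object.
The sample CSV is constructed, not a real export.
"""
import csv
import io
import json

# Code meanings taken from the article's Detailed properties table.
USER_TYPE = {
    0: "A regular user",
    2: "An administrator in your Office 365 organization",
    3: "A Microsoft datacenter administrator or datacenter system account",
    4: "A system account",
    5: "An application",
    6: "A service principal",
}
RECORD_TYPE = {18: "eDiscovery cmdlet activity", 24: "eDiscovery activity"}

# Constructed sample export. The Detail cell is JSON with CSV-escaped quotes.
SAMPLE_CSV = """Date,User,Activity,Item,Detail
2019-03-01T11:05:00,bob@contoso.example,Purged results of content search,HR investigation search,"{""Operation"":""SearchResultsPurged"",""RecordType"":24,""UserType"":2,""ResultStatus"":""Succeeded"",""ClientIP"":""203.0.113.7"",""Workload"":""SecurityComplianceCenter"",""ExchangeLocations"":[""hr-mailbox@contoso.example"",""legal-mailbox@contoso.example""],""Parameters"":[{""Name"":""Purge"",""Value"":""True""},{""Name"":""SearchName"",""Value"":""HR investigation search""}]}"
2019-03-01T11:06:00,NT AUTHORITY\\SYSTEM,Created content search action,HR investigation search,"{""Operation"":""New-ComplianceSearchAction"",""RecordType"":18,""UserType"":4,""ResultStatus"":""Succeeded"",""Workload"":""SecurityComplianceCenter""}"
"""


def split_detail_column(csv_text):
    """Return one flat dict per row: the export's own columns plus one key per Detail property."""
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        detail = json.loads(row["Detail"])
        flat = {key: value for key, value in row.items() if key != "Detail"}
        for key, value in detail.items():
            if key == "Parameters":
                # Each cmdlet parameter becomes its own column, e.g. Parameters.Purge.
                for param in value:
                    flat["Parameters." + param["Name"]] = param["Value"]
            elif isinstance(value, list):
                # Multi-valued locations are joined so they fit a single spreadsheet cell.
                flat[key] = ";".join(str(v) for v in value)
            else:
                flat[key] = value
        # Decode the numeric codes so the spreadsheet is readable without the table.
        flat["UserTypeName"] = USER_TYPE.get(detail.get("UserType"), "unknown")
        flat["RecordTypeName"] = RECORD_TYPE.get(detail.get("RecordType"), "unknown")
        rows.append(flat)
    return rows


def to_csv(rows):
    """Serialise the flattened rows with the union of all keys as the header."""
    columns = []
    for row in rows:
        for key in row:
            if key not in columns:
                columns.append(key)
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=columns)
    writer.writeheader()
    writer.writerows(rows)  # missing keys are written as empty cells
    return out.getvalue()


if __name__ == "__main__":
    print(to_csv(split_detail_column(SAMPLE_CSV)))
```

Rows that lack a property (the system-account row has no Parameters) simply get empty cells for those columns, which keeps the output loadable in Excel while still allowing a filter on, for example, Parameters.Purge or UserTypeName.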