Search for eDiscovery activities in the audit log

Content Search and eDiscovery-related activities (for Core eDiscovery and Advanced eDiscovery) that are performed in the Security & Compliance Center, or by running the corresponding PowerShell cmdlets, are logged in the audit log. Events are logged when administrators or eDiscovery managers (or any user assigned eDiscovery permissions) perform the following Content Search and Core eDiscovery tasks in the Security & Compliance Center:

  • Creating and managing Core and Advanced eDiscovery cases

  • Creating, starting, and editing Content Searches

  • Performing Content Search actions, such as previewing, exporting, and deleting search results

  • Managing custodians and review sets in Advanced eDiscovery

  • Configuring permissions filtering for Content Search

  • Managing the eDiscovery Administrator role

Important

The activities described in this article are only the result of eDiscovery tasks performed by using the Security & Compliance Center. eDiscovery tasks that were performed by using the In-Place eDiscovery tool in Exchange Online or the eDiscovery Center in SharePoint Online aren't included.

For more information about searching the audit log, the permissions that are required, and exporting search results, see Search the audit log in the Security & Compliance Center.

How to search for and view eDiscovery activities

Currently, you have to do a few specific things to view eDiscovery activities in the audit log. Here's how.

  1. Go to https://protection.office.com.

  2. Sign in using your work or school account.

  3. In the left pane, click Search, and then click Audit log search.

  4. In the Activities drop-down list, under eDiscovery activities or Advanced eDiscovery activities, click one or more activities to search for.

    Note

    The Activities drop-down list also includes a group of activities named eDiscovery cmdlet activities that will return records from the cmdlet audit log.

  5. Select a date and time range to display eDiscovery events that occurred within that period.

  6. In the Users box, select one or more users to display search results for. Leave this box blank to return entries for all users.

  7. Click Search to run the search using your search criteria.

  8. After the search results are displayed, you can click Filter results to filter or sort the resulting activity records. Unfortunately, you can't use filtering to explicitly exclude certain activities.

  9. To view details about an activity, click the activity record in the list of search results.

    A Details fly-out page is displayed that contains the detailed properties from the event record. To display additional details, click More information. For a description of these properties, see the Detailed properties for eDiscovery activities section.

  10. If desired, you can export the audit log search results to a CSV file, and then use the Excel Power Query feature to format and filter these records. For more information, see Export, configure, and view audit log records.
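The portal steps above have a PowerShell equivalent. The following is an added example written for this page, not code from the original article: it runs the same search with Search-UnifiedAuditLog from Exchange Online PowerShell (the ExchangeOnlineManagement module), using the Operation names from the tables on this page as the activities to look for. It assumes the module is installed and that interactive sign-in to your tenant works; the RecordType names Discovery and SecurityComplianceCenterEOPCmdlet are assumed here to be the names behind the values 24 and 18 that the Detailed properties section lists.

```powershell
# Added example for this page, not the article's own code.
# Assumptions: the ExchangeOnlineManagement module is installed and interactive sign-in works;
# the RecordType names Discovery (value 24) and SecurityComplianceCenterEOPCmdlet (value 18)
# are assumed to be the names behind the numeric values this page lists.

Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # steps 1-2: sign in (Search-UnifiedAuditLog is an Exchange Online cmdlet)

function Get-EDiscoveryAuditRecords {
    param(
        [Parameter(Mandatory)] [datetime]$StartDate,   # step 5: date and time range (UTC)
        [Parameter(Mandatory)] [datetime]$EndDate,
        [Parameter(Mandatory)] [string[]]$Operations,  # step 4: activities to search for
        [string[]]$UserIds = @(),                      # step 6: empty means all users
        [string]$RecordType = 'Discovery'              # 'SecurityComplianceCenterEOPCmdlet' for cmdlet records
    )
    # Step 7: run the search. One SessionId plus ReturnLargeSet pages through
    # up to 5,000 records per call until the cmdlet returns nothing more.
    $sessionId = [guid]::NewGuid().ToString()
    $results = @()
    do {
        $query = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            RecordType     = $RecordType
            Operations     = $Operations
            ResultSize     = 5000
            SessionCommand = 'ReturnLargeSet'
            SessionId      = $sessionId
        }
        if ($UserIds.Count -gt 0) { $query['UserIds'] = $UserIds }
        $page = @(Search-UnifiedAuditLog @query)
        $results += $page
    } while ($page.Count -gt 0)
    # Step 8: sort the resulting activity records
    $results | Sort-Object CreationDate
}

# Operation names from the eDiscovery activities table on this page that change
# who can search, or that take data out of the service or delete it.
$operations = @(
    'SearchResultsPurged', 'PreviewItemDownloaded', 'SearchExportDownloaded',
    'SearchPermissionCreated', 'SearchPermissionUpdated', 'SearchPermissionRemoved',
    'CaseAdminAdded', 'CaseAdminRemoved', 'CaseAdminUpdated'
)
$end   = (Get-Date).ToUniversalTime()
$start = $end.AddDays(-7)

$records = Get-EDiscoveryAuditRecords -StartDate $start -EndDate $end -Operations $operations

# Step 9: the detailed properties (Operation, ObjectId, ClientIP, Query, ...) are in the AuditData JSON.
$records | ForEach-Object {
    $detail = $_.AuditData | ConvertFrom-Json
    '{0}  {1}  {2}  {3}  {4}' -f $_.CreationDate, $_.UserIds, $detail.Operation, $detail.ObjectId, $detail.ClientIP
}

# Step 10: export the raw records to CSV for filtering in Excel.
$records | Select-Object CreationDate, UserIds, Operations, AuditData |
    Export-Csv -Path .\ediscovery-audit.csv -NoTypeInformation
```

The eDiscovery activity records above appear within about 30 minutes. The cmdlet-side record of the same action, which carries the parameters that were used, can lag by up to 24 hours; to see it, call the function again with -RecordType SecurityComplianceCenterEOPCmdlet and the cmdlet names from the eDiscovery cmdlet activities table (for example New-ComplianceSearchAction and Set-ComplianceSecurityFilter) as the operations.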

eDiscovery activities

The following table describes the Content Search and Core eDiscovery activities that are logged when an administrator or eDiscovery manager performs an eDiscovery-related activity using the Security & Compliance Center or by running the corresponding cmdlet in Security & Compliance Center PowerShell. Note also that some activities performed in Advanced eDiscovery will be returned when you search for activities in this list.

Note

The eDiscovery activities described in this section provide similar information to the eDiscovery cmdlet activities described in the next section. We recommend that you use the eDiscovery activities described in this section because they will appear in the audit log search results within 30 minutes. It takes up to 24 hours for the eDiscovery cmdlet activities to appear in audit log search results.

| Friendly name | Operation | Corresponding cmdlet | Description |
|---|---|---|---|
| Added member to eDiscovery case | CaseMemberAdded | Add-ComplianceCaseMember | A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they have been assigned the necessary permissions. |
| Changed content search | SearchUpdated | Set-ComplianceSearch | An existing content search was changed. Changes can include adding or removing content locations or editing the search query. |
| Changed eDiscovery administrator membership | CaseAdminUpdated | Update-eDiscoveryCaseAdmin | The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the CaseAdminAdded operation is logged. |
| Changed eDiscovery case | CaseUpdated | Set-ComplianceCase | An eDiscovery case was changed. Changes include closing an open case or reopening a closed case. |
| Changed eDiscovery case membership | CaseMemberUpdated | Update-ComplianceCaseMember | The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, the CaseMemberAdded or CaseMemberRemoved operation is logged. |
| Changed search permissions filter | SearchPermissionUpdated | Set-ComplianceSecurityFilter | A search permissions filter was changed. |
| Changed search query for eDiscovery case hold | HoldUpdated | Set-CaseHoldRule | A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold. |
| Content search preview item downloaded | PreviewItemDownloaded | N/A | A user downloaded an item to their local computer (by clicking the Download original item link) when previewing search results. |
| Content search preview item listed | PreviewItemListed | N/A | A user clicked Preview search results to display the preview search results page, which lists up to 1000 items from the results of a content search. |
| Content search preview item viewed | PreviewItemRendered | N/A | An eDiscovery manager viewed an item by clicking it when previewing search results. |
| Created content search | SearchCreated | New-ComplianceSearch | A new content search was created. |
| Created eDiscovery administrator | CaseAdminAdded | Add-eDiscoveryCaseAdmin | A user was added as an eDiscovery Administrator in the organization. |
| Created eDiscovery case | CaseAdded | New-ComplianceCase | An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks, such as adding members, creating holds, and creating content searches associated with the case, result in additional events being logged. |
| Created search permissions filter | SearchPermissionCreated | New-ComplianceSecurityFilter | A search permissions filter was created. |
| Created search query for eDiscovery case hold | HoldCreated | New-CaseHoldRule | A query-based hold associated with an eDiscovery case was created. |
| Deleted content search | SearchRemoved | Remove-ComplianceSearch | An existing content search was deleted. |
| Deleted eDiscovery administrator | CaseAdminRemoved | Remove-eDiscoveryCaseAdmin | An eDiscovery Administrator was deleted from your organization. |
| Deleted eDiscovery case | CaseRemoved | Remove-ComplianceCase | An eDiscovery case was deleted. Any hold associated with the case has to be removed before the case can be deleted. |
| Deleted search permissions filter | SearchPermissionRemoved | Remove-ComplianceSecurityFilter | A search permissions filter was deleted. |
| Deleted search query for eDiscovery case hold | HoldRemoved | Remove-CaseHoldRule | A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released. |
| Downloaded export of content search | SearchExportDownloaded | N/A | A user downloaded the results of a content search to their local computer. A Started export of content search activity has to be initiated before search results can be downloaded. |
| Previewed results of content search | SearchPreviewed | N/A | A user previewed the results of a content search. |
| Purged results of content search | SearchResultsPurged | New-ComplianceSearchAction | A user purged the results of a content search by running the New-ComplianceSearchAction -Purge command. |
| Removed analysis of content search | RemovedSearchResultsSentToZoom | Remove-ComplianceSearchAction | A content search prepare action (to prepare search results for Advanced eDiscovery) was deleted. If the preparation action was less than two weeks old, the search results that were prepared for Advanced eDiscovery were deleted from the Microsoft Azure storage area. If the preparation action was older than two weeks, this event indicates that only the corresponding preparation action was deleted. |
| Removed export of content search | RemovedSearchExported | Remove-ComplianceSearchAction | A content search export action was deleted. If the export action was less than two weeks old, the search results that were uploaded to the Microsoft Azure storage area were deleted. If the export action was older than two weeks, this event indicates that only the corresponding export action was deleted. |
| Removed member from eDiscovery case | CaseMemberRemoved | Remove-ComplianceCaseMember | A user was removed as a member of an eDiscovery case. |
| Removed preview results of content search | RemovedSearchPreviewed | Remove-ComplianceSearchAction | A content search preview action was deleted. |
| Removed purge action performed on content search | RemovedSearchResultsPurged | Remove-ComplianceSearchAction | A content search purge action was deleted. |
| Removed search report | SearchReportRemoved | Remove-ComplianceSearchAction | A content search export report action was deleted. |
| Started analysis of content search | SearchResultsSentToZoom | New-ComplianceSearchAction | The results of a content search were prepared for analysis in Advanced eDiscovery. |
| Started content search | SearchStarted | Start-ComplianceSearch | A content search was started. When you create or change a content search by using the Security & Compliance Center GUI, the search is automatically started. If you create or change a search by using the New-ComplianceSearch or Set-ComplianceSearch cmdlet, you have to run the Start-ComplianceSearch cmdlet to start the search. |
| Started export of content search | SearchExported | New-ComplianceSearchAction | A user exported the results of a content search. |
| Started export report | SearchReport | New-ComplianceSearchAction | A user exported a content search report. |
| Stopped content search | SearchStopped | Stop-ComplianceSearch | A user stopped a content search. |
| (none) | CaseViewed | Get-ComplianceCase | A user viewed the list of cases on the eDiscovery page in the Security & Compliance Center or by running the cmdlet. |
| (none) | SearchViewed | Get-ComplianceSearch | A user viewed the list of content searches (listed on the Searches tab) in the Security & Compliance Center or by running the cmdlet. This activity is also logged when a user views the list of content searches associated with an eDiscovery case (by clicking the Searches tab in a case) or by running the Get-ComplianceSearch -Case command. |
| (none) | ViewedSearchExported | Get-ComplianceSearchAction -Export | A user viewed the list of content search export jobs (listed on the Exports tab) in the Security & Compliance Center or by running the cmdlet. This activity is also logged when a user views the list of export jobs in an eDiscovery case (listed on the Exports tab in a case) or by running the Get-ComplianceSearchAction -Case -Export command. |
| (none) | ViewedSearchPreviewed | Get-ComplianceSearchAction -Preview | A user previewed the results of a content search in the Security & Compliance Center or by running the cmdlet. |

Advanced eDiscovery activities

The following table describes the Advanced eDiscovery activities logged in the audit log. These activities (in addition to the relevant eDiscovery activities) can be used to help you track the progression of activity in an Advanced eDiscovery case.

| Friendly name | Operation | Description |
|---|---|---|
| Added data to another review set | AddWorkingSetQueryToWorkingSet | User added documents from one review set to a different review set. |
| Added data to review set | AddQueryToWorkingSet | User added the search results from a content search associated with an Advanced eDiscovery case to a review set. |
| Added non-Microsoft 365 data to review set | AddNonOffice365DataToWorkingSet | User added non-Microsoft 365 data to a review set. |
| Added remediated documents to review set | AddRemediatedData | User uploaded documents that had indexing errors that were fixed to a review set. |
| Analyzed data in review set | RunAlgo | User ran analytics on the documents in a review set. |
| Annotated document in review set | AnnotateDocument | User annotated a document in a review set. Annotation includes redacting content in a document. |
| Compared load sets | LoadComparisonJob | User compared two different load sets in a review set. A load set is created when data from a content search that is associated with the case is added to a review set. |
| Converted redacted documents to PDF | BurnJob | User converted all the redacted documents in a review set to PDF files. |
| Created review set | CreateWorkingSet | User created a review set. |
| Created review set search | CreateWorkingSetSearch | User created a search query that searches the documents in a review set. |
| Created tag | CreateTag | User created a tag group in a review set. A tag group can contain one or more child tags. These tags are then used to tag documents in the review set. |
| Deleted review set search | DeleteWorkingSetSearch | User deleted a search query in a review set. |
| Deleted tag | DeleteTag | User deleted a tag or a tag group in a review set. |
| Downloaded document | DownloadDocument | User downloaded a document from a review set. |
| Edited tag | UpdateTag | User changed a tag in a review set. |
| Exported documents from review set | ExportJob | User exported documents from a review set. |
| Modified case setting | UpdateCaseSettings | User modified the settings for a case. Case settings include case information, access permissions, and settings that control search and analytics behavior. |
| Modified review set search | UpdateWorkingSetSearch | User edited a search query in a review set. |
| Previewed review set search | PreviewWorkingSetSearch | User previewed the results of a search query in a review set. |
| Remediated error documents | ErrorRemediationJob | User fixed files that contained indexing errors. |
| Tagged document | TagFiles | User tagged a document in a review set. |
| Tagged results of a query | TagJob | User tagged all of the documents that match the criteria of a search query in a review set. |
| Viewed document in review set | ViewDocument | User viewed a document in a review set. |

eDiscovery cmdlet activities

The following table lists the cmdlet audit log records that are logged when an administrator or user performs an eDiscovery-related activity by using the Security & Compliance Center or by running the corresponding cmdlet in remote PowerShell that's connected to your organization's Security & Compliance Center. The detailed information in the audit log record is different for the cmdlet activities listed in this table and the eDiscovery activities described in the previous section.

As previously stated, it takes up to 24 hours for eDiscovery cmdlet activities to appear in the audit log search results.

Tip

The cmdlets in the Operation column in the following table are linked to the corresponding cmdlet help topic on TechNet. Go to the cmdlet help topic for a description of the available parameters for each cmdlet. The parameters and the parameter values that were used with a cmdlet are included in the audit log entry for each eDiscovery cmdlet activity that's logged.

| Friendly name | Operation (cmdlet) | Description |
|---|---|---|
| Created hold in eDiscovery case | New-CaseHoldPolicy | A hold was created for an eDiscovery case. A hold can be created with or without specifying a content source. If content sources are specified, they'll be identified in the audit log entry. |
| Deleted hold from eDiscovery case | Remove-CaseHoldPolicy | A hold that is associated with an eDiscovery case was deleted. Deleting a hold releases all of the content locations from the hold. Deleting the hold also results in deleting the case hold rules associated with the hold (see Remove-CaseHoldRule below). |
| Changed hold in eDiscovery case | Set-CaseHoldPolicy | A hold that is associated with an eDiscovery case was changed. Possible changes include adding or removing content locations or turning off (disabling) the hold. |
| Created search query for eDiscovery case hold | New-CaseHoldRule | A query-based hold associated with an eDiscovery case was created. |
| Deleted search query for eDiscovery case hold | Remove-CaseHoldRule | A query-based hold associated with an eDiscovery case was deleted. Removing the query from the hold is often the result of deleting a hold. When a hold or a hold query is deleted, the content locations that were on hold are released. |
| Changed search query for eDiscovery case hold | Set-CaseHoldRule | A query-based hold associated with an eDiscovery case was changed. Possible changes include editing the query or date range for a query-based hold. |
| Created eDiscovery case | New-ComplianceCase | An eDiscovery case was created. When a case is created, you only have to give it a name. Other case-related tasks, such as adding members, creating holds, and creating content searches associated with the case, result in additional events being logged. |
| Deleted eDiscovery case | Remove-ComplianceCase | An eDiscovery case was deleted. Any hold associated with the case has to be removed before the case can be deleted. |
| Changed eDiscovery case | Set-ComplianceCase | An eDiscovery case was changed. Changes include closing an open case or reopening a closed case. |
| Added member to eDiscovery case | Add-ComplianceCaseMember | A user was added as a member of an eDiscovery case. As a member of a case, a user can perform various case-related tasks depending on whether they have been assigned the necessary permissions. |
| Removed member from eDiscovery case | Remove-ComplianceCaseMember | A user was removed as a member of an eDiscovery case. |
| Changed eDiscovery case membership | Update-ComplianceCaseMember | The membership list of an eDiscovery case was changed. This activity is logged when all members are replaced with a group of new users. If a single member is added or removed, the Add-ComplianceCaseMember or Remove-ComplianceCaseMember operation is logged. |
| Created content search | New-ComplianceSearch | A new content search was created. |
| Deleted content search | Remove-ComplianceSearch | An existing content search was deleted. |
| Changed content search | Set-ComplianceSearch | An existing content search was changed. Changes can include adding or removing content locations that are searched and editing the search query. |
| Started content search | Start-ComplianceSearch | A content search was started. When you create or change a content search by using the Security & Compliance Center GUI, the search is automatically started. If you create or change a search by using the New-ComplianceSearch or Set-ComplianceSearch cmdlet, you have to run the Start-ComplianceSearch cmdlet to start the search. |
| Stopped content search | Stop-ComplianceSearch | A content search that was running was stopped. |
| Created content search action | New-ComplianceSearchAction | A content search action was created. Content search actions include previewing search results, exporting search results, preparing search results for analysis in Advanced eDiscovery, and permanently deleting items that match the search criteria of a content search. |
| Deleted content search action | Remove-ComplianceSearchAction | A content search action was deleted. |
| Created search permissions filter | New-ComplianceSecurityFilter | A search permissions filter was created. |
| Deleted search permissions filter | Remove-ComplianceSecurityFilter | A search permissions filter was deleted. |
| Changed search permissions filter | Set-ComplianceSecurityFilter | A search permissions filter was changed. |
| Created eDiscovery administrator | Add-eDiscoveryCaseAdmin | A user was added as an eDiscovery Administrator in your organization. |
| Deleted eDiscovery administrator | Remove-eDiscoveryCaseAdmin | An eDiscovery Administrator was deleted from your organization. |
| Changed eDiscovery administrator membership | Update-eDiscoveryCaseAdmin | The list of eDiscovery Administrators in your organization was changed. This activity is logged when the list of eDiscovery Administrators is replaced with a group of new users. If a single user is added or removed, the Add-eDiscoveryCaseAdmin or Remove-eDiscoveryCaseAdmin operation is logged. |

Detailed properties for eDiscovery activities

The following table describes the properties that are included when you click More information on the Details page for an eDiscovery activity listed in the search results. These properties are also included in the CSV file when you export the audit log search results. An audit log record for an eDiscovery activity won't include every detailed property listed below.

Tip

When you export the search results, the CSV file contains a column named Detail, which contains the detailed properties described in the following table in a multi-value property. You can use the Power Query feature in Excel to split this column into multiple columns so that each property will have its own column. This will let you sort and filter on one or more of these properties. For more information, see the "Export the search results to a file" section in Search the audit log.

| Property | Description |
|---|---|
| Case | The identity (GUID) of the eDiscovery case that was created, changed, or deleted. |
| ClientApplication | eDiscovery cmdlet activities have a value of EMC for this property. This indicates the activity was performed by using the Security & Compliance Center GUI or by running the cmdlet in PowerShell. |
| ClientIP | The IP address of the device that was used when the activity was logged. The IP address is displayed in either an IPv4 or IPv6 address format. |
| ClientRequestId | For eDiscovery activities, this property is typically blank. |
| CmdletVersion | The build number for the version of the Security & Compliance Center running in your organization. |
| CreationTime | The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was completed. |
| EffectiveOrganization | The name of the Microsoft 365 organization. |
| ExchangeLocations | The Exchange Online mailboxes that are included in a content search or placed on hold in an eDiscovery case. |
| Exclusions | Mailbox or site locations that are excluded from a content search or a hold in an eDiscovery case. |
| ExtendedProperties | Additional properties from a content search, a content search action, or a hold in an eDiscovery case, such as the object GUID and the corresponding cmdlet and cmdlet parameters that were used when the activity was performed. |
| Id | The ID of the report entry. The ID uniquely identifies the audit log entry. |
| NonPIIParameters | A list of the parameters (without any values) that were used with the cmdlet identified in the Operation property. The parameters listed in this property are the same as those listed in the Parameters property. |
| ObjectId | The GUID or name of the object (for example, a content search or an eDiscovery case) that was created, changed, or deleted by the activity listed in the Operation property. This object is also identified in the Item column in the audit log search results. |
| ObjectType | The type of eDiscovery object that the user created, deleted, or modified; for example, a content search action (preview, export, or purge), an eDiscovery case, or a content search. |
| Operation | The name of the operation that corresponds to the eDiscovery activity that was performed. |
| OrganizationId | The GUID for your Microsoft 365 organization. |
| Parameters | The name and value for the parameters that were used with the corresponding cmdlet. |
| PublicFolderLocations | The public folder locations in Exchange Online that are included in a content search or placed on hold in an eDiscovery case. |
| Query | The search query associated with the activity, such as a content search or a query-based hold. |
| RecordType | The type of operation indicated by the record. A value of 18 indicates an event related to an activity listed in the eDiscovery cmdlet activities section. A value of 24 indicates an event related to an activity listed in the How to search for and view eDiscovery activities section. |
ResultStatusResultStatus
指示操作(在 Operation 属性中指定)成功还是失败。Indicates whether the action (specified in the Operation property) was successful or not.
SecurityComplianceCenterEventTypeSecurityComplianceCenterEventType
指示活动是安全中心&事件。Indicates that the activity was a Security & Compliance Center event. 对于此属性,所有电子数据展示活动的值为 0。All eDiscovery activities will have a value of 0 for this property.
SharepointLocationsSharepointLocations
包含在内容搜索中或在电子数据展示案例中置于保留中的 SharePoint Online 网站。The SharePoint Online sites that are included in a content search or placed on hold in an eDiscovery case.
StartTimeStartTime
启动电子数据展示活动时 (UTC) 协调世界时表示的日期和时间。The date and time in Coordinated Universal Time (UTC) when the eDiscovery activity was started.
UserIDUserId
执行活动的用户 (Operation 属性) 记录的记录。The user who performed the activity (specified in the Operation property) that resulted in the record being logged. 由系统帐户执行电子数据展示活动 (如 NT AUTHORITY\SYSTEM) 也包含在审核日志。Records for eDiscovery activity performed by system accounts (such as NT AUTHORITY\SYSTEM) are also included in the audit log.
UserKeyUserKey
UserID 属性中标识的用户的备选 ID。An alternative ID for the user identified in the UserId property. 对于电子数据展示活动,此属性的值通常与 UserId 属性相同。For eDiscovery activities, the value for this property is typically the same as the UserId property.
UserServicePlanUserServicePlan
组织使用的订阅。The subscription used by your organization. 对于电子数据展示活动,此属性通常为空。For eDiscovery activities, this property is typically blank.
UserTypeUserType
执行操作的用户类型。The type of user that performed the operation. 以下值指示用户类型。The following values indicate the user type.
0 常规用户。0 A regular user. 2 您组织的管理员。2 An administrator in your organization. 3 Microsoft 数据中心管理员或数据中心系统帐户。3 A Microsoft datacenter administrator or datacenter system account. 4 系统帐户。4 A system account. 5 应用程序。5 An application. 6 服务主体。6 A service principal.
版本Version
指示由记录的 Operation (标识的活动) 版本号。Indicates the version number of the activity (identified by the Operation property) that's logged.
WorkloadWorkload
发生活动的服务。Theservice where the activity occurred. 对于电子数据展示活动,值为 SecurityComplianceCenterFor eDiscovery activities, the value is SecurityComplianceCenter.