Workplace Analytics audit logs

The Office 365 audit logs are generated and accessed in the Office 365 portal. As an Exchange admin, you can access these logs to audit or track general user activities and actions, such as to see who accessed, tried to access, or modified data.

These logs include an audit section for Workplace Analytics activity, which typically includes sensitive data. You can monitor and track your organizational data for all user actions to ensure compliance with your organization's privacy and security policies.

Access requirements

You must meet the following requirements before you can access the audit logs:

  • To access the auditing section of the Office 365 Security & Compliance Center, you must have an Exchange Online license (included with Office 365 Enterprise E3 and E5 subscriptions).
  • You must also be either a Global admin or have an Exchange admin role that provides access to the audit log. Exchange admin roles are controlled through the Exchange Admin center. For more information, see Permissions in Exchange Online.
  1. The audit logs are available through the Office 365 Security & Compliance Center. Go to protection.office.com.
  2. Sign in to Office 365 with your admin credentials.

To record activities for the audit logs

Before you can search the Office 365 audit log, you (or another admin) must first turn on audit logging:

  1. Go to the Security & Compliance section on the Home page of the Office 365 portal, and then expand Search & Investigation in the left navigation pane.

  2. Select Audit log search, and if available, select Start recording user and admin activities. (If you don't see this link, auditing is already turned on for your organization.)

    After you start recording, you'll see an "audit log is being prepared" message appear. It might take a few hours before you can search recorded activities in the audit logs.

To view Workplace Analytics activities

  1. In the Security & Compliance section on the Home page of the Office 365 portal, expand Search & Investigation in the left navigation pane, and then select Audit log search.

  2. In the Search section of the Audit log search page, select Show results for all activities.

  3. In the Start date section, select a date range.

    • To use the maximum date range of 90 days, select the current date and time for the start date. Otherwise, an error occurs about the start date being earlier than the end date.
    • If you turned auditing on in the last 90 days, the date range can't start before auditing was turned on.
  4. To return activities for all users (and service accounts), leave the Users field blank. Or you can enter one or more user names (the account email they use to log in to Workplace Analytics) in the Users field to only see those user activities.

  5. In the Search field, enter Microsoft Workplace Analytics Activities, and then select Search. The following is a list of example activities.

    [Screenshot: Audit log activities]

  6. The Results section of the Audit log search page shows a maximum of 5,000 of the most recent events, in increments of 150. Use the scroll bar in this section to show the next 150 events. This section lists the audit log events, including the following information. You can select a column header to sort the list by it.

    | Column | Definition |
    | --- | --- |
    | Date | The date and time (in UTC format) when the event occurred. |
    | IP address | The IP address that was used when the activity from a device was logged. The IP address is shown in IPv4 or IPv6 address format. |
    | User | The user (or service account) who performed the action that triggered the event. |
    | Activity | The activity performed by the user. This value corresponds to the activities that you selected in the Activities dropdown list. For an event from the Exchange admin audit log, the value in this column is an Exchange cmdlet. |
    | Item | The object that was created or modified because of the corresponding activity. For example, the file that was viewed or modified, or the user account that was updated. Not all activities in this column have a value. |
    | Detail | Any additional detail about an activity. Not all activities have a value. |

    For more details and tips on searching, filtering, and exporting results in the audit log, see Search the audit log.

  7. In the Results section, select an event from the list to view more details about it.

  8. A Details page shows the event properties, which depend on the Office 365 service in which the event occurred. Select More information to view more.

Workplace Analytics activities

The following tables describe Workplace Analytics activities that the audit logs can record.

Admin activities

| Activity | Description |
| --- | --- |
| Uploaded org data | Admin uploaded organizational data file |
| Updated Privacy Setting | Admin updated settings |
| Updated data access setting | Admin updated data access settings |

Authorization activities

| Activity | Description |
| --- | --- |
| User logged in | User logged in to Workplace Analytics with a valid user role |
| User logged out | User selected to log out of Workplace Analytics |

Query data access (analyst) activities

| Activity | Description |
| --- | --- |
| Executed Query | Analyst ran a query |
| Cancelled Query | Analyst cancelled a running query |
| Delete Result | Analyst deleted a query result |
| Downloaded Report | Analyst downloaded a query result |
| Accessed OData link | Analyst accessed the OData link |
| Create Meeting Exclusion | Analyst created a new meeting exclusion rule |
| Updated Preferred Meeting Exclusion | Analyst updated the preferred meeting exclusion rule |

Explore data access activities

| Activity | Description |
| --- | --- |
| Viewed Explore | Analyst viewed one or more Explore pages. |

For more information about event properties, see Detailed properties in the audit log.

Use PowerShell to search the logs

You can also use PowerShell to access the audit logs based on your login. To use the New-PSSession command, your account must have:

  • An Exchange Online license assigned to it.
  • Access to the audit log for the Office 365 tenant.

The following example code uses the Search-UnifiedAuditLog command to get Workplace Analytics audit log entries.

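  ```

   # Allow locally written scripts to run; downloaded scripts must be signed
   Set-ExecutionPolicy RemoteSigned
   # Prompt for the admin account's credentials
   $UserCredential = Get-Credential
   # Open a remote session to Exchange Online and import its cmdlets
   $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
   Import-PSSession $Session
   # Return up to 1,000 Workplace Analytics audit records for January 2019
   Search-UnifiedAuditLog -StartDate 1/1/2019 -EndDate 1/31/2019 -RecordType WorkplaceAnalytics -ResultSize 1000 | Format-Table | More

  ```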

For more about connecting to Exchange Online, see Connect to Exchange Online PowerShell.
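
A raw table of records is hard to review, so the following PowerShell pages through the Workplace Analytics records and summarizes the sensitive activities (report downloads, OData access, result deletion, settings changes) per user. It is an added example, not part of the original article or Microsoft's code. The function names, the watch list, the assumption that `Operations` holds the activity names from the tables above, and the `ClientIP` field in `AuditData` are assumptions; the sample records are constructed.

```powershell
# Added example, not Microsoft's code. Activity names are from the tables above;
# that Operations holds these exact strings and that AuditData carries a
# ClientIP field are assumptions to confirm against records from your tenant.
$WatchList = 'Downloaded Report', 'Accessed OData link', 'Delete Result',
             'Updated Privacy Setting', 'Updated data access setting'

function Get-WpaAuditRecords {
    # Pages through results with one SessionId until a call returns nothing.
    # Requires the Exchange Online session from the page's own example.
    param([datetime] $Start, [datetime] $End)
    $sid = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
            -RecordType WorkplaceAnalytics -SessionId $sid `
            -SessionCommand ReturnLargeSet -ResultSize 5000
        $page
    } while ($page)
}

function Get-WpaAuditSummary {
    param([Parameter(Mandatory)] [object[]] $Records,
          [string[]] $Operations = $WatchList)
    $Records | Where-Object { $_.Operations -in $Operations } | ForEach-Object {
        $ip = $null   # AuditData is a JSON string; tolerate bad or empty payloads
        try { $ip = ($_.AuditData | ConvertFrom-Json -ErrorAction Stop).ClientIP } catch { }
        [pscustomobject]@{ User = $_.UserIds; Operation = $_.Operations; ClientIP = $ip }
    } | Group-Object User, Operation | ForEach-Object {
        [pscustomobject]@{
            User      = $_.Group[0].User
            Operation = $_.Group[0].Operation
            Count     = $_.Count
            ClientIPs = @($_.Group.ClientIP | Where-Object { $_ } | Sort-Object -Unique) -join ', '
        }
    } | Sort-Object Count -Descending
}

# Constructed sample records shaped like Search-UnifiedAuditLog output.
$sample = @(
    [pscustomobject]@{ UserIds = 'analyst1@contoso.example'; Operations = 'Downloaded Report'; AuditData = '{"ClientIP":"203.0.113.10"}' }
    [pscustomobject]@{ UserIds = 'analyst1@contoso.example'; Operations = 'Downloaded Report'; AuditData = '{"ClientIP":"198.51.100.7"}' }
    [pscustomobject]@{ UserIds = 'analyst1@contoso.example'; Operations = 'Executed Query'; AuditData = '{"ClientIP":"203.0.113.10"}' }
    [pscustomobject]@{ UserIds = 'admin1@contoso.example'; Operations = 'Updated Privacy Setting'; AuditData = 'not-json' }
)
Get-WpaAuditSummary -Records $sample | Format-Table -AutoSize
```

Against a live tenant, pass the output of `Get-WpaAuditRecords` to `Get-WpaAuditSummary -Records` in place of `$sample`.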