Searching the Office 365 Unified Audit Log for Specific Activities, Sites, and Users

Last week, I was working with a large government customer in a consolidated tenant (read: all agencies in a single, centrally-managed tenant).  One of the questions that was presented was how to search and filter the audit log for entries relating to the following categories:

  • Files shared by an agency or department's users
  • Files accessed in an agency's SharePoint site collection

To that end, I bashed together this script.  You'll need to change things like "domain1.com" and <tenant> to reflect your particular environment, but this should get you off to the races:

# Set Dates
$StartDate = (Get-Date).AddDays(-90)
$EndDate = (Get-Date)

# Select users and domains
[array]$Domains = @('domain1.com','domain2.com')

# Build an anchored regex from the domain list so only the UPN's domain part is compared
# (a plain "$Domains" in -match expands to one space-joined string and never matches)
$DomainRegex = '@(' + (($Domains | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
$UserIDs = (Get-MsolUser -All).UserPrincipalName | Where-Object { $_ -match $DomainRegex }

# Activities to audit
$SharingOperations = @('AccessRequestAccepted', 'SharingInvitationAccepted', 'PermissionLevelAdded', 'AddedToSecureLink', 'SharingInvitationBlocked', 'PermissionLevelsInheritanceBroken', 'SharingInheritanceBroken', 'CompanyLinkCreated', 'AccessRequestCreated', 'AnonymousLinkCreated', 'SecureLinkCreated', 'SharingInvitationCreated', 'SecureLinkDeleted', 'AccessRequestDenied', 'PermissionLevelModified', 'CompanyLinkRemoved', 'AnonymousLinkRemoved', 'PermissionLevelRemoved', 'SharingInheritanceReset', 'SharingSet', 'AccessRequestUpdated', 'AnonymousLinkUpdated', 'SharingInvitationUpdated', 'AnonymousLinkUsed', 'SharingRevoked', 'CompanyLinkUsed', 'SecureLinkUsed', 'RemovedFromSecureLink', 'SharingInvitationRevoked')
$FileAccessOperations = @('FileAccessed', 'FileAccessedExtended', 'PageViewed', 'PageViewedExtended')

# Agency SharePoint Site(s)
[array]$Sites = @('https://<tenant>.sharepoint.com/sites/<toplevelsite1>/*','https://<tenant>.sharepoint.com/sites/<toplevelsite2>/*')

# Find what objects your users have shared
[array]$SharingLog = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -UserIds $UserIDs -Operations $SharingOperations -ResultSize 5000)

# Find what objects have been shared under SPO sites you own
$SharingLog += (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $SharingOperations -ResultSize 5000 -ObjectIds $Sites)

# Find what objects in SPO sites you own that have been accessed
$FileAccessLog = (Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -Operations $FileAccessOperations -ResultSize 5000 -ObjectIds $Sites)

# Both searches return the same record shape, so one loop handles sharing and access entries
$Results = @()
foreach ($Entry in ($SharingLog + $FileAccessLog))
{
    # Skip empty search results
    if (-not $Entry) { continue }

    # Convert the JSON data
    $data = $Entry.AuditData | ConvertFrom-Json

    # Initialize the return object and populate it
    $temp = "" | Select-Object Date, IPAddress, Client, Operation, ObjectId
    $temp.Date = $data.CreationTime
    $temp.IPAddress = $data.ClientIP
    $temp.Client = $data.Client
    $temp.Operation = $data.Operation
    $temp.ObjectId = $data.ObjectId

    # Add object to $Results array
    $Results += $temp
}

$Results | Export-Csv -Path ".\FileSharingAndAccessAuditLogData.csv" -NoTypeInformation -Force

From there, you can bring the data into Excel and filter it as you see fit.  If you're enterprising, you can run this interactively and look at the available properties in $data (the converted AuditData) to see what other things you want to include in $temp.
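One caveat worth handling: each Search-UnifiedAuditLog call returns at most 5,000 rows, so on a busy consolidated tenant the script above silently truncates. The paging helper below is an added example, not code from the original post; it assumes an Exchange Online PowerShell session and that $StartDate, $EndDate, $SharingOperations and $UserIDs are defined as in the script above, and the function name Get-UalPagedResults is my own.

```powershell
# Added example (not from the original post): page through a Unified Audit Log search with
# SessionId/SessionCommand so rows beyond the 5,000-row ResultSize cap are not dropped.
# Assumes an Exchange Online PowerShell session (Connect-ExchangeOnline) is already open.

function Get-UalPagedResults {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$Operations,
        [string[]]$UserIds,
        [string[]]$ObjectIds
    )
    # One session id per search; the service keeps the paging cursor server-side.
    $sessionId = [guid]::NewGuid().ToString()
    $all = [System.Collections.Generic.List[object]]::new()
    do {
        $params = @{
            StartDate      = $StartDate
            EndDate        = $EndDate
            ResultSize     = 5000
            SessionId      = $sessionId
            SessionCommand = 'ReturnLargeSet'
        }
        if ($Operations) { $params.Operations = $Operations }
        if ($UserIds)    { $params.UserIds    = $UserIds }
        if ($ObjectIds)  { $params.ObjectIds  = $ObjectIds }
        $page = @(Search-UnifiedAuditLog @params)
        if ($page.Count -gt 0) { $all.AddRange([object[]]$page) }
    } while ($page.Count -gt 0)   # an empty page means the session is exhausted
    # ReturnLargeSet may repeat records across pages; dedupe on the record Identity.
    return $all | Sort-Object -Property Identity -Unique
}

# Drop-in replacement for the first search in the script above (hypothetical usage).
[array]$SharingLog = Get-UalPagedResults -StartDate $StartDate -EndDate $EndDate `
    -Operations $SharingOperations -UserIds $UserIDs
```

ReturnLargeSet sessions are themselves capped at 50,000 records, so for a 90-day window on a large tenant split the search into shorter date ranges (one session per range) rather than relying on a single session.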

For further reading about operations and record types and all the news that's fit to print:

If you or anyone you know have crafted cool unified audit log searches, I'd love to see them.