Audit Vault for M365

A powerful and cost-effective solution to retain and surface your Microsoft 365 audit log records.


Retain your SharePoint Online Audit Log Records


Why Use Audit Vault for M365:

Audit Vault for M365 will retain all audit log and user activity from SharePoint Online. Additionally, various system and admin events are preserved so that all your SharePoint Online Audit Logs are stored securely without purchasing expensive Microsoft licenses.

Track what user has performed which action.
Run reports to be aware of user activity.
Stay compliant with industry and regulatory standards.
Detect suspicious activities.

With Audit Vault for M365, generate SharePoint Audit Reports that allow your organization to to report and track the audit history for the entire lifespan of your documents and folders in SharePoint Online.


What type of audit information is retained from SharePoint Online?

Below is a listing of all the audit properties that Audit Vault for M365 preserves from Microsoft. Users are able to run reports to track down user activity, and detect suspicious activity such as deleting sensitive information.

Audit Properties Retained from SharePoint Online
Property Description
Creation Time: The date and time when the audit event or operation occurred in SharePoint. Stored in UTC Time.
Microsoft Id: Unique Id of the audit log from Microsoft.
Operation: The name of activity or event that had occurred when generating the audit log. Examples:
  • AccessRequestApproved
  • AccessRequestCreated
  • AddedToGroup
  • AddedToSecureLink
  • AnonymousLinkCreated
  • AnonymousLinkUpdated
  • AnonymousLinkUsed
  • ClientViewSignaled
  • CommentCreated
  • CompanyLinkCreated
  • CompanyLinkRemoved
  • CompanyLinkUsed
  • FileAccessed
  • FileAccessedExtended
  • FileCheckedIn
  • FileCheckedOut
  • FileCheckOutDiscarded
  • FileCopied
  • FileDeleted
  • FileDeletedFirstStageRecycleBin
  • FileDownloaded
  • FileModified
  • FileModifiedExtended
  • FileMoved
  • FilePreviewed
  • FileRecycled
  • FileRenamed
  • FileRestored
  • FileSyncUploadedFull
  • FileUploaded
  • FileVersionsAllDeleted
  • FolderCreated
  • FolderDeletedFirstStageRecycleBin
  • FolderModified
  • FolderMoved
  • FolderRecycled
  • FolderRenamed
  • GroupAdded
  • GroupRemoved
  • ListColumnCreated
  • ListColumnUpdated
  • ListContentTypeUpdated
  • ListCreated
  • ListDeleted
  • ListItemCreated
  • ListItemDeleted
  • ListItemRecycled
  • ListItemUpdated
  • ListItemViewed
  • ListUpdated
  • ListViewCreated
  • ListViewed
  • ListViewUpdated
  • PagePrefetched
  • PageViewed
  • PageViewedExtended
  • PermissionLevelAdded
  • PIMRoleAssigned
  • RemovedFromGroup
  • SearchQueryPerformed
  • SecureLinkCreated
  • SecureLinkUpdated
  • SecureLinkUsed
  • SharingInheritanceBroken
  • SharingLinkUsed
  • SharingPolicyChanged
  • SharingRevoked
  • SharingSet
  • SignInEvent
  • SiteCollectionAdminAdded
  • SiteCollectionAdminRemoved
  • SiteCollectionCreated
  • SiteCollectionQuotaModified
  • SiteColumnCreated
  • SiteDeleted
  • SiteLocksChanged
  • WACTokenShared
User Id: The name of the user that performed the action that generated the SharePoint Online Audit Log.
Object Id: The full path to the item in SharePoint for which the audit entry is for
Item Type: They type of object that the Microsoft audit log was generated for.
Additional Properties: Stores any new properties from SharePoint Audit Log that are not captured elsewhere.
App Access Context: The application context for the user or service principal that performed the action that generated the SharePoint audit log.
Application Id: The ID of the application performing the operation in SharePoint.
Application Display Name: The display name of the application performing the operation that created the SharePoint Online audit log.
Asserting Application Id: The Id of the asserting application that generated the SharePoint Audit record.
Authentication Type: Example: FormsCookieAuth, OAuth
Browser Name The name of the browser from where the Audit Entry was created from SharePoint. (example Edge, Chrome, Firefox)
Browser Version: The version of the Browser that generated the log (example 121.0.0.0)
Client App Id: The Id of the Microsoft SharePoint app that performed the access on behalf of the user.
Client Ip: The IP address of the device that was used when the SharePoint Audit operation was logged.
Client Request Id: A GUID that can be used to correlate this cmdlet with the Security & Compliance Center UX operations.
Comment Id: Example: 0, 1, 2
Company IP: The IP address of the Company that when the audit entry was logged.
Correlation Id: An identifier that can be used to correlate a specific user's actions across Microsoft 365 services.
Custom Event: Optional string for custom events for SharePoint Audit Logs.
Custom Unique Id: Example 1, 2
Customized Doc Library: Indicates if the document library was customized or not from where the audit log entry was generated. Example 0, 1
Destination File Extension: The file extension of a SharePoint file that is copied or moved. This property is displayed only for FileCopied and FileMoved events.
Destination File Name: The name of the SharePoint file that is copied or moved. This property is displayed only for FileCopied and FileMoved events.
Destination Label: The final label of the file after it's changed by a user action.
Destination Relative URL: The URL of the destination folder where a SharePoint Online file is copied or moved. This property is displayed only for FileCopied and FileMoved SharePoint Audit events.
Device Display Name: The display name of the device. The Audit Log retained may also be an IP Address.
Do Not Distribute Event: Was the SharePoint audit log a do not distribute event. Example 0, 1
Event Data: Retains follow-up information about the sharing action withing SharePoint, such as adding a user to a group or granting edit permissions.
Event Source: Identifies that an event occurred in SharePoint Online. Possible values are SharePoint or ObjectModel.
File Size In Bytes: The size of the file in bytes for which the audit log entry was created.
File Sync Bytes Committed: The size in bytes during when syncing files in SharePoint.
From App: Was the event audit log triggered from an application. Example 0, 1
High Priority Media Processing: Example 0, 1
Implicit Share: Yes/No if the audit log retained was implicitly shared.
Is Doc Library: This value is set to True if the SharePoint list is of the type Document Library.
Is Hidden List: This value is set to True if the SharePoint list is hidden for the audit log.
Is Managed Device: Indicates if the audit log event was triggered from a Managed Device. Example 0, 1
Is Workflow: This is set to True if SharePoint Workflows triggered the audited event.
Item Count: The number of items affected by the audit event from Microsoft 365.
List Base Template Type: The list definition type on which the list is based.
List Base Type: Specifies the base type for a list for the retained audit log.
List Id: The Guid of the SharePoint list.
List Item Unique Id: The Guid of uniquely an identifiable item of list.
List Name: The name of the SharePoint list for with the audit log was generated.
List Server Template: The Id of the template used for the list that the SahrePoint Audit Log was generated from.
List Title: The title of the SharePoint list.
List Url: The URL of the list relative to the containing website.
List Item Version: The ListItemVersion (int) stores the version number of the list item for which the audit log was generated for.
Machine Domain Info: Information about device sync operations.
Machine Id: Information about device sync operations.
Modified Properties: The property is included for admin audit events, such as adding a user as a member of a site or a site collection admin group. The property includes the name of the property that was modified (for example, the Site Admin group), the new value of the modified property (such the user who was added as a site admin), and the previous value of the modified object.
Organization Id: Contains the GUID for your organization's Microsoft 365 tenant ID.
Permission: Example: View, RestrictedView, Edit etc
Platform: Retains platform information for the audit log created. Example : iPad, MacOS, WinDesktop
Record Type: Stores the Id of the record type for the SharePoint Audit Log.
Examples:
4: SharePoint events
6: SharePoint file operation events.
36: SharePoint List events.
55: SharePoint list content type events.
Request Id: A GUID that can be used to correlate this cmdlet with the Security & Compliance Center UX operations. This information is only used by Microsoft support.
Result Status: Indicates whether the action (specified in the Operation property) was successful or not. Possible values are Succeeded, PartiallySucceeded, or Failed.
Scope: Was this event created by a hosted O365 service or an on-premises server? Possible values are online and onprem. Note that SharePoint is the only workload currently sending events from on-premises to O365.
Search Query Text:
Sensitivity Label Id: The current sensitivity label ID of the file.
Sensitivity Label Owner Email: The email address of the owner of the sensitivity label.
Sharing Link Scope:
Sharing Type: The type of sharing permissions that were assigned to the user that the resource was shared with. This user is identified by the UserSharedWith parameter.
Site: The GUID of the SharePoint Online site where the file or folder accessed by the user is located.
Site Url: The URL of the site where the file or folder accessed by the user is located.
Skip for Service Worker: Indicates if the event that generated the audit record in SharePoint was skipped by a service. Example 0, 1
Source: Source of the alert. Examples: list, site, unknown.
Source File Extension: The file extension of the file that was accessed by the user. This property is blank if the object that was accessed is a SharePoint folder.
Source File Name: The name of the file or folder in SharePoint Online accessed by the user.
Source Label: The original label of the file before it's changed by a user action.
Source Name: The SharePoint Source Name that triggered the audited operation. Examples: SharePoint , ObjectModel.
Source Relative URL: The URL of the folder that contains the file accessed by the user.
Target User or Group Name: Stores the UPN or name of the target user or group that a resource was shared with.
Target User or Group Type: Identifies whether the target user or group is a Member, Guest, Group, or Partner.
Template Type Id: Stores the Guid or name of the template type that caused the creation of the SharePoint Audit Log.
Unique Sharing Id: The unique sharing ID associated with the sharing operation.
User Agent: Information about the user's client or browser. This information is provided by the client or browser.
User Key: An alternative ID for the user identified in the UserId property. This property is populated with the passport unique ID (PUID) for events performed by users in SharePoint, OneDrive for Business, and Exchange.
User Session Id: Contains the User's session id for the SharePoint Online event.
User Shared With: The user that a resource was shared with.
User Type: The type of user that performed the operation that generated the SharePoint Audit Log. See the UserType table for details on the types of users.
0 = Regular
1 = Reserved
2 = Admin
3 = DcAdmin
4 = System
5 = Application
6 = ServicePrincipal
7 = CustomPolicy
8 = SystemPolicy
Version: The version number of the Microsoft Management Api that executed the request to retrieve the SharePoint Audit Logs.
Web Id: A Guid that stores the Web Id.
Workload: The Office 365 service where the activity occurred.
Zip File Name: The name of the zip file that is created in SharePoint that caused the audit entry to be created.


Note: Audit vault for M365 will only store the values for the properties listed above if they are returned from Microsoft. Some information is present only if it is applicable.


View Microsoft Audit Logs directly from SharePoint Online

Install the "Audit History for SharePoint" app from Microsoft AppSource. The Audit History for SharePoint menu is a free app that can be added to your SharePoint tenant. The app allows you to enable an "Audit history" menu item and a command bar button directly in SharePoint. When used, the menu opens the Audit Vault for M365 "View SharePoint Item's Audit History" Report to display all the audit logs for the selected SharePoint Item.

View Audit History for SharePoint on Microsoft AppSource »