
Advanced filters for Admin audit logs

Use Advanced Filters to limit your Admin audit logs query by:

  • Admin/application

  • Target

  • Activity

  • and more!

See all available filters in sapio365 Admin audit logs

The table below lists the properties that can be used in the filter query.

*For a list of activities and categories, refer to Microsoft Entra audit log categories and activities.

  • Activity*

  • Application Display Name - Initiated by

  • Application ID - Initiated by

  • Category*

  • Correlation ID

  • Date (UTC)

  • GUID

  • Operation type

  • Result Status

  • Service

  • Target Display Name

  • Target ID

  • Target Type

  • Target Username

  • User Display Name - Initiated by

  • User ID - Initiated by

  • Username - Initiated by

Combine filters with AND/OR operators for even more specific searches. Scroll down to see examples below.

Advanced filters are sticky

The filters you set remain in place until you change them or until you disable the Advanced Filters setting.

This means that if you made a mistake in the filter query and no data was returned, you can adjust the filters the next time you load Admin Audit Logs.


Ex. 1 - Get any Group management activity initiated by 2 admins


This example retrieves all events that are in the category ‘GroupManagement’ and that were initiated by either admin A or admin B.

With this logic in mind, here’s how to build it:

  1. First select the ‘Category’ field and set it equal to ‘GroupManagement’.

  2. Next ‘Add group’.

  3. Click on ‘AND’ to set the operator between the groups.

  4. In the new group, select ‘Username - Initiated By’ field and set it equal to the username of the 1st admin.

  5. In the same group, ‘Add rule’ and click on 'OR' within the group.

  6. In the second rule, select the ‘Username - Initiated By’ field and set it equal to the username of the 2nd admin.

  7. Once you’re done, review the resulting logical query.


Ex.2 - Get all PIM-related events within a date range


According to the list of Microsoft Entra audit log categories and activities, there are many activities related to PIM.

If you want all PIM-related activity, it’s best to use advanced filters for the 4 categories (ApplicationManagement, GroupManagement, ResourceManagement, RoleManagement), and then apply a ‘text contains PIM’ filter on the Activity column in the grid.

Since the date range and categories require their own ‘Rule group’, make sure to create the 2 groups first and remove the default non-grouped rule.

  1. Click ‘Add group’ twice.

  2. Delete the first non-grouped entry.

  3. Click ‘AND’ for the relationship between the groups.

  4. In the first group, ‘Add rule’ and set the time range using the calendar and time dials.

  5. Click ‘AND’ within that 1st group.

  6. In the second group, click ‘Add rule’ 3 times.

  7. Set each of these 4 rules to ‘Category’ equals ApplicationManagement, GroupManagement, ResourceManagement and RoleManagement respectively.

  8. Click ‘OR’ within that 2nd group.
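The two queries built in Ex. 1 and Ex. 2 above, reproduced here as an added Python example that is not part of sapio365 or Microsoft Entra: a small AND/OR rule-group evaluator run over a handful of constructed audit records, so the resulting logical query can be checked offline against an export. The Rule/Group classes, the usernames, the activity texts and the date range are assumptions; the property names are the ones listed on this page.

```python
"""Offline replica of two Admin audit log advanced-filter queries.

Constructed example: the Rule/Group evaluator and the sample records are
assumptions made for this illustration, not code from sapio365 or Microsoft.
Field names mirror the property names listed on the page.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Any, Dict, List, Union

Record = Dict[str, Any]


@dataclass
class Rule:
    """One filter rule: a property, an operator and the value to compare with."""
    field: str
    op: str          # "eq", "contains" or "between"
    value: Any

    def matches(self, rec: Record) -> bool:
        actual = rec.get(self.field)
        if self.op == "eq":
            return actual == self.value
        if self.op == "contains":          # case-insensitive 'text contains' grid filter
            return isinstance(actual, str) and str(self.value).lower() in actual.lower()
        if self.op == "between":           # inclusive date/time range; missing date never matches
            lo, hi = self.value
            return actual is not None and lo <= actual <= hi
        raise ValueError(f"unknown operator {self.op!r}")


@dataclass
class Group:
    """A rule group: its items are joined with a single AND or OR operator."""
    operator: str    # "AND" or "OR"
    items: List[Union["Rule", "Group"]]

    def matches(self, rec: Record) -> bool:
        if self.operator == "AND":
            return all(item.matches(rec) for item in self.items)
        if self.operator == "OR":
            return any(item.matches(rec) for item in self.items)
        raise ValueError(f"unknown group operator {self.operator!r}")


def utc(y: int, m: int, d: int) -> datetime:
    return datetime(y, m, d, tzinfo=timezone.utc)


# Constructed sample records; usernames and activity texts are placeholders.
RECORDS: List[Record] = [
    {"GUID": "r1", "Date (UTC)": utc(2024, 3, 5), "Category": "GroupManagement",
     "Activity": "Add member to group", "Username - Initiated by": "admin.a@contoso.example"},
    {"GUID": "r2", "Date (UTC)": utc(2024, 3, 5), "Category": "GroupManagement",
     "Activity": "Add group", "Username - Initiated by": "admin.c@contoso.example"},
    {"GUID": "r3", "Date (UTC)": utc(2024, 3, 6), "Category": "UserManagement",
     "Activity": "Update user", "Username - Initiated by": "admin.b@contoso.example"},
    {"GUID": "r4", "Date (UTC)": utc(2024, 3, 6), "Category": "RoleManagement",
     "Activity": "PIM activation requested", "Username - Initiated by": "admin.b@contoso.example"},
    {"GUID": "r5", "Date (UTC)": utc(2024, 3, 7), "Category": "RoleManagement",
     "Activity": "Add member to role", "Username - Initiated by": "admin.a@contoso.example"},
    {"GUID": "r6", "Date (UTC)": utc(2024, 3, 8), "Category": "GroupManagement",
     "Activity": "PIM group assignment removed", "Username - Initiated by": "admin.b@contoso.example"},
    {"GUID": "r7", "Date (UTC)": utc(2024, 5, 1), "Category": "ApplicationManagement",
     "Activity": "PIM policy updated", "Username - Initiated by": "admin.a@contoso.example"},
]


def example1(records: List[Record], admins: List[str]) -> List[str]:
    """Ex. 1: Category = GroupManagement AND (initiated by admin A OR admin B)."""
    query = Group("AND", [
        Rule("Category", "eq", "GroupManagement"),
        Group("OR", [Rule("Username - Initiated by", "eq", a) for a in admins]),
    ])
    return [r["GUID"] for r in records if query.matches(r)]


def example2(records: List[Record], start: datetime, end: datetime) -> List[str]:
    """Ex. 2: (date range) AND (one of the 4 categories), then 'Activity contains PIM' in the grid."""
    categories = ("ApplicationManagement", "GroupManagement", "ResourceManagement", "RoleManagement")
    query = Group("AND", [
        Group("AND", [Rule("Date (UTC)", "between", (start, end))]),
        Group("OR", [Rule("Category", "eq", c) for c in categories]),
    ])
    grid_filter = Rule("Activity", "contains", "PIM")
    return [r["GUID"] for r in records if query.matches(r) and grid_filter.matches(r)]


if __name__ == "__main__":
    print(example1(RECORDS, ["admin.a@contoso.example", "admin.b@contoso.example"]))
    print(example2(RECORDS, utc(2024, 3, 1), utc(2024, 3, 31)))
```

The nesting mirrors the steps: the top-level group carries the AND between groups, and each inner group carries the OR (or AND) chosen within it, which is why a flat, non-grouped rule would not express either query.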
