The Audit Timeline shows you a chronological view of all activity in your Office 365 environment. It enables you to identify suspicious activity, see exactly which documents, sites, or mailboxes your users are accessing, the actions they are taking, and even where these users are located.
Exploring and modifying the report
At the top of the report, you can view an overview of the activity. This section is fully customisable, so you can choose the information you want to view. To personalise this section, just click on the icon in the lower-left corner of each graph, and choose the chart you wish to see. You can also switch to a map view, which will plot events to their corresponding location. You can also click on a section of the chart to show a modified view with just that activity.
There are numerous filters available to isolate the events you need to see. You can segment the data by activity, user, date, service, or any other predefined filters, and you can also choose to include or exclude a set of users from the view. The timeline view gives you all events in chronological order, displayed in a ‘news feed’ style layout. Every activity listed in the timeline view is fully expandable - simply click ‘All Information’ to get all additional details for that event. If you would prefer to see the information in a table format, you can switch between ‘timeline’ and ‘table’ at the top of the view.
In the top-level view, you can see that the event above took place on SharePoint at 13:48. You can see which user took this action, as well as what they did. It even shows you the type of access (in this case – Web) and the device used. If you expand the event, you can see various other details, which will enable you to further investigate the event, and evaluate its risk.