Audit Vault user activity

You can get details about the activity of Vault users in Vault audits. For example, you can see which accounts edited retention rules or searched your organization's data. Vault users are accounts in organizational units with privileges to sign in to Vault and perform actions. Learn more about Vault privileges.

You can export Vault audit reports as CSV files. These files can be viewed in any spreadsheet viewer, including Google Sheets.

How to run a Vault audit report

  1. In Vault, go to Reports > Audit.
  2. In Select date range, include start and end dates for the audit.
  3. In Select Vault users, include users on whom you want to run the audit. The Vault users you enter here have Vault privileges; you are auditing their actions in Vault (for example, if they've set retention rules, searched in matters, modified holds, or performed any other administrative actions).
  4. In Select action types, check the boxes next to actions about which you want audit information. For example, you can select Retention to audit a Vault user's actions related to retention, such as which retention rules a Vault user created or modified and when.
  5. Click Download CSV. A CSV file that contains audit information is downloaded to your device.

Get definitions of the values in the CSV in What audits contain.

What audits contain

Each line of an audit provides information for one action. Each action has 11 values. Some values apply only to certain actions, and are empty for other actions.

Epoch milliseconds

The time that an action occurred in epoch milliseconds—the number of milliseconds that have elapsed since January 1, 1970 (midnight UTC/GMT). You don't have to do any conversions of epoch milliseconds, as each action is also recorded in human-readable time in the Date value.

Date

The time that an action occurred in human-readable time. The value includes the day of the week; the date; the hour, minute, and second. The time zone is always Pacific (–0700 or –0800).

Action

The action that occurred. Possible values:

Action value Description

ADD_COLLABORATOR_BEGIN

ADD_COLLABORATOR_END

Logged whenever someone shares a specific matter with other users. The ID number of the matter is recorded in the Matter value. The email address of the user with whom that matter was shared is recorded in the Email value.

ADD_LITIGATION_HOLD_BEGIN

ADD_LITIGATION_HOLD_END

Logged whenever someone creates a hold in a matter. The ID number of the matter is recorded in the Matter value. The email address of the user whose content is on hold is recorded in the Name value.

ADD_RETENTION_RULE_BEGIN

ADD_RETENTION_RULE_END

Logged whenever someone creates a custom retention rule. The new rule is given a unique ID, which is recorded in the Name value. The retention period is recorded as "Period: # days" in the Details value.

CLOSE_INVESTIGATION_BEGIN

CLOSE_INVESTIGATION_END

Logged whenever someone closes a matter. The matter ID is recorded in the Matter value.

CREATE_EXPORT_BEGIN

CREATE_EXPORT_END

Deprecated–Replaced by EXPORT. Reported for exports run in February 2014 or earlier.

Logged whenever someone exports documents that were searched for in a matter. The name of the export is recorded in the Name value. The search criteria are recorded in the Query string value.

CREATE_INVESTIGATION_BEGIN

CREATE_INVESTIGATION_END

Logged whenever someone creates a matter. The ID number of the matter is recorded in the Matter value. The name of the matter is recorded in the Name value.

CREATE_SAVED_QUERY_BEGIN

CREATE_SAVE_QUERY_END

Logged whenever someone saves a search query in a matter. The search criteria that were used are recorded in the Query string value.

DELETE_RETENTION_RULE_BEGIN

DELETE_RETENTION_RULE_END

Logged whenever someone deletes a custom retention rule. The ID number of the custom retention rule is recorded in the Name value.

DOWNLOAD_CROSS_MATTER_LITIGATION_HOLD_REPORT

Logged whenever someone downloads the list of holds from Domain Holds, User Holds, or Group Holds.

DOWNLOAD_PER_MATTER_LITIGATION_HOLD_REPORT

Logged whenever someone downloads the list of holds within a matter. The ID number of the matter is recorded in the Matter value.

EXPORT

Logged whenever someone runs an export. The name of the export is recorded in the Name value. The search criteria are recorded in the Query string value.

MODIFY_DEFAULT_RETENTION_PERIOD_BEGIN

MODIFY_DEFAULT_RETENTION_PERIOD_END

Logged whenever someone modifies the default retention rule. The modified retention period is recorded as "Period: # days" in the Details value.

REMOVE_COLLABORATOR_BEGIN

REMOVE_COLLABORATOR_END

Logged whenever someone removes another user from a shared matter. The ID of the matter is recorded in the Matter value. The email address of the user with whom the matter is no longer shared is recorded in the Email value.

REMOVE_LITIGATION_HOLD_BEGIN

REMOVE_LITIGATION_HOLD_END

Logged whenever someone removes a hold on an account. The ID number of the matter is recorded in the Matter value. The email address of the user whose content is no longer on hold is recorded in the Name value.

SEARCH

Logged whenever someone runs a search from a matter. The ID number of the matter is recorded in the Matter value. The search criteria are recorded in the Query string value.

UPDATE_RETENTION_RULE_BEGIN

UPDATE_RETENTION_RULE_END

Logged whenever someone modifies a custom retention rule. The ID number of the custom retention rule is recorded in the Name value. The modified retention period is recorded as "Period: # days" in the Details value.

VIEW_CROSS_MATTER_LITIGATION_HOLD_REPORT

Logged whenever someone clicks User Holds to view which users are on hold.

VIEW_CUSTODIAN_LITIGATION_HOLD_REPORT

Logged whenever someone clicks Domain Holds to view holds for organizational units or users.

VIEW_DOCUMENT

Logged whenever someone views a document. A unique ID number for that document is recorded in the Name value.

VIEW_INVESTIGATION

Logged whenever someone opens the Search or Export pages in a matter.

VIEW_MATTER_AUDIT_LOG

Logged whenever someone runs an audit within a specific matter. The ID number of the matter is recorded in the Matter value.

VIEW_PER_MATTER_LITIGATION_HOLD_REPORT

Logged whenever someone views holds in a matter. The ID number of the matter is recorded in the Matter value.

VIEW_RETENTION_POLICY

Logged whenever someone opens the Retention page.

VIEW_SYSTEM_AUDIT_LOG

Logged whenever someone downloads an audit.

User

The email address of the Vault user who performed the action in the Action value.

Matter

For actions in a specific matter, the unique ID of the matter. The matter ID is part of the Vault URL for the matter.

Name

The information in this value depends on the action that the Vault user took:

  • If the user viewed a document (VIEW_DOCUMENT action), the unique ID of the document.

    Example: ACD7onr49fP6DqvgAvIDhboAqqth9q7ekwGc0xpC3xjhpylzQvvQoNKmBKyE9NL1Qdww4eA2SQSc5mOF0JJ_bV_tkVFU3TWIdIrBYOiZLw0eBA9-xL7A-pc

  • If the user added or removed a collaborator (ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END action), the email address of the user who was added or removed.
  • If the user created an export in a matter (CREATE_EXPORT_BEGIN/END action), the name of the export.

Email

The email address of the collaborator who was added to or removed from a matter (ADD_COLLABORATOR_BEGIN/END or REMOVE_COLLABORATOR_BEGIN/END action).

Resource url

The URL of any document that the user viewed (VIEW_DOCUMENT action).

Query string

The search parameters the user entered for a specific search (SEARCH or SEARCH_COUNT action).

Example: query: "( Project X )"

Organization

The name of the organizational unit to which the action applies. For example, if the Vault user created a retention rule that applies to a specific organizational unit.

Details

The retention period in days that a user set for a custom retention rule. The period is indicated as "Period: # days."

How long information in audit logs persists

Actions in audit reports can't be deleted or truncated by Google or by any Vault administrator or user as long as your organization continues to use Vault.

If your organization terminates its Vault service, audit data is deleted after approximately 30 days.
