SmiKar Software

Pulling Activity History for HR or Legal


A walkthrough for compliance, audit, and HR leads who need a defensible record of one person's Microsoft 365 activity over a specific date range. The output is a CSV with full chain of custody — timestamps, IPs, user agents, sites, operations — that can be handed to legal counsel, HR, or an external auditor without further transformation.

Burrow's Forage tool is the surface you use. This article walks the process end to end.

Before you start

Have these pieces of information in hand:

  • The subject's UPN (their firstname.lastname@yourcompany.com style email address).
  • The date range the audit covers. Convert any local-time bounds to UTC — Forage searches in UTC.
  • (If relevant) which sites or labels the question is about. Scoping to them narrows the result set significantly.

The most common ask is "show me everything user X did between dates Y and Z." Forage answers that in one query.

Step 1: Open Forage and set the subject

  1. Open the Burrow dashboard → Forage in the left navigation.
  2. In User contains, type the subject's UPN (or a unique substring of it).
  3. In Since (UTC) and Until (UTC), set the date bounds.
  4. Leave other filters blank unless the question is narrowly scoped (e.g. "what did this user do on the Finance site?").

Step 2: Check whether the data needs rehydrating

Burrow keeps roughly the last 14 days of activity on disk for instant searching. Older months live in your Azure Blob cold-storage container and need to be rehydrated before Forage can search them.

If the date range extends beyond the on-disk window:

  1. Expand the Cold Storage panel at the top of the Forage page.
  2. Enter the subject's UPN in Entity.
  3. Enter the relevant months in From month / To month (YYYYMM format).
  4. Click Rehydrate. The job appears in the active-jobs list with a state that flips from queued to fetching to ready.
  5. Once ready, click the blue Search this entity button on the job row. Forage auto-fills the User filter and date range to span the rehydrated months and runs the search.

For step-by-step detail, see Cold storage rehydrate.

Step 3: Run the search and review

Click Search. Results paginate at 200 rows per page. Three aggregate cards sit above the table:

  • Top users — confirms the search is scoped correctly (should show only the subject).
  • Top ops — what kinds of operations dominate (downloads, shares, permission changes, accesses).
  • Top sites — which SharePoint sites were involved.

Scroll the results table for specific events. Each row has time (UTC), user, operation, object (with bytes if known), site, IP, and geography. Clicking any row opens an entity drill drawer if you need deeper context on that event.

Step 4: Export the CSV

Click the CSV button in the search action row. The download starts immediately and contains the full match set (capped at 200,000 rows server-side).

The exported CSV preserves:

  • Timestamp (UTC) — original audit timestamp from Microsoft.
  • User UPN — the subject's identifier.
  • Operation — the audit operation name (e.g. FileDownloaded, SharingSet, FileDeleted).
  • Object — filename or object identifier and byte size where applicable.
  • Site URL — the SharePoint location.
  • IP address and geography — source of the access.
  • User agent — the client used.

This is the same evidence Microsoft would surface in its own audit search; Burrow's value is that you ran the query in seconds and can hand the CSV directly to legal without further processing.

Step 5: Hit the row cap?

If you see a Capped badge on the stats bar above the results table, the result set exceeded the 200,000-row server-side limit and you only have the first 200,000 rows. Narrow the search and re-export. Common ways to narrow:

  • Scope by op class — Downloads only, or Shares only.
  • Scope by site — one site at a time for multi-site investigations.
  • Split the date range — two CSVs for two halves of the period.

Chain-of-custody considerations

For tribunal, court, or arbitration use, document the following when you hand the CSV over:

  • Date and time of export — Forage's filename auto-stamps to ISO 8601.
  • Operator who ran the export — recorded in the admin audit log automatically.
  • Search parameters — write down the exact User, Since, Until, and any other filters used.

The underlying audit data is Microsoft's; Burrow's role is to make it queryable and exportable.
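
One way to capture the hand-over details listed above in a single record, written as an added example (not Burrow's or SmiKar's code). The CSV column names, the operator name, and the sample rows are constructed assumptions, and the SHA-256 digest is an addition beyond the three items this article lists, included so the record can be tied to one specific file.

```python
import csv
import hashlib
import io
import json
from datetime import datetime, timedelta, timezone

ROW_CAP = 200_000  # server-side export cap stated in this article


def to_utc(local_naive, tz):
    """Convert a naive local-time bound to an ISO 8601 UTC string for Since/Until."""
    aware = local_naive.replace(tzinfo=tz)
    return aware.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def custody_record(csv_bytes, operator, exported_at_utc, user, since_utc, until_utc, filters=None):
    """Build the hand-over record for one exported CSV."""
    text = csv_bytes.decode("utf-8-sig")  # tolerate a BOM if the export carries one
    data_rows = max(sum(1 for _ in csv.reader(io.StringIO(text))) - 1, 0)  # minus header row
    return {
        "exported_at_utc": exported_at_utc,
        "operator": operator,
        "search": {"user_contains": user, "since_utc": since_utc,
                   "until_utc": until_utc, "other_filters": filters or {}},
        "data_rows": data_rows,
        "at_row_cap": data_rows >= ROW_CAP,  # if True, narrow the search and re-export
        "sha256": hashlib.sha256(csv_bytes).hexdigest(),  # hash the exact bytes handed over
    }


# Constructed sample export; header names and values are assumptions, not Forage's schema.
SAMPLE_CSV = (
    b"timestamp_utc,user,operation,object,site,ip,user_agent\r\n"
    b"2025-02-28T14:05:11Z,alex.example@example.com,FileDownloaded,budget.xlsx,"
    b"https://example.sharepoint.com/sites/Finance,203.0.113.10,Mozilla/5.0\r\n"
    b"2025-03-02T01:17:40Z,alex.example@example.com,SharingSet,plan.docx,"
    b"https://example.sharepoint.com/sites/Finance,203.0.113.10,Mozilla/5.0\r\n"
)

if __name__ == "__main__":
    # Fixed UTC+10 offset for the sample; pass zoneinfo.ZoneInfo("<zone>") for DST-aware zones.
    tz = timezone(timedelta(hours=10))
    since = to_utc(datetime(2025, 3, 1, 0, 0), tz)
    until = to_utc(datetime(2025, 4, 1, 0, 0), tz)
    record = custody_record(SAMPLE_CSV, "operator@example.com", "2025-04-03T09:00:00Z",
                            "alex.example@example.com", since, until,
                            {"site": "Finance"})
    print(json.dumps(record, indent=2))
```

Store the JSON record alongside the CSV; anyone receiving the file can recompute the digest to confirm it is the same export.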

Need help? support@smikar.com.
