Export audit events (#5179)

JV0812 · jpipkin1 · web-flow · commit 33d45f7370aa · 2025-03-28T09:29:18.000Z
* Export search results - audit event

* minor fix

* Update docs/search/get-started-with-search/search-basics/export-search-results.md

Co-authored-by: John Pipkin (Sumo Logic) &lt;jpipkin@sumologic.com&gt;

* Update docs/search/get-started-with-search/search-basics/export-search-results.md

* Update export-search-results.md

---------

Co-authored-by: John Pipkin (Sumo Logic) &lt;jpipkin@sumologic.com&gt;
diff --git a/docs/search/get-started-with-search/search-basics/export-search-results.md b/docs/search/get-started-with-search/search-basics/export-search-results.md
@@ -29,3 +29,35 @@ You can export message fields to a CSV file, either just the fields displayed, o
 Click the gears icon in the top-right corner of the **Messages** tab, and then select **Export** **(Display Fields)** to export only the messages displayed, or **Export (All Fields)** to export all message fields. If the export is successful, your browser will automatically download the data and save it to a CSV file.  
 
 ![export fields](/img/search/get-started-search/search-basics/export-search-results/export-fields.png)
+
+:::info
+Audit events will be generated for every search results export (displayed fields or all fields). Administrators can use `_sourceCategory=content` with `eventName:"SearchExported"` to view these [audit events](/docs/manage/security/audit-indexes/audit-event-index/) to ensure that no sensitive data is exported.
+
+<details>
+  <summary>Sample log message</summary>
+  ```json
+    {
+       "userIdentity":{
+          "userId":"00000000001***1",
+          "userEmail":"***.****@sumologic.com"
+       },
+       "searchExportIdentity":{
+          "exportId":"67C19***5BB4D96"
+       },
+       "sessionId":"0FF9*****B09F",
+       "searchQuery":"_sourcecategory \**00 \"kubernetes/system\" \"error\"\n| where _pid \u003* \"****\"",
+       "exportedCount":11,
+       "location":"service UI raw",
+       "status":"SUCCESS",
+       "eventType":"Audit",
+       "severityLevel":"Info",
+       "accountId":"00000000005****7",
+       "eventId":"da6a5a2b-****-****-b01c-b63dba93fa66",
+       "eventName":"SearchExported",
+       "eventTime":"2025-03-24T15:49:27.664Z",
+       "eventFormatVersion":"1.0 beta",
+       "subsystem":"content"
+    }
+  ```
+</details>
+:::
