Yes, Microsoft Sentinel can provide visibility and logging capabilities for activities in SharePoint and OneDrive for Business. To track when a file is shared externally, you can use the Office 365 Audit Logs, which store information about various activities in your Microsoft 365 environment, including file-sharing events.
In Sentinel, you can query the Office 365 Audit Logs using Kusto Query Language (KQL) to retrieve the desired information. Here's an example of a KQL query that can help you get information about external file sharing events:
OfficeActivity
| where Operation == "SharingInvitationCreated" and SiteUrl contains "your-sharepoint-site-url"
In this query, you filter the OfficeActivity table to retrieve events where the Operation is "SharingInvitationCreated," indicating the creation of a sharing invitation. You can also include additional filters or refine the query based on your specific requirements, such as a particular SharePoint site URL.
The same table and field names may vary based on your Sentinel configuration and data connectors. You can explore the available tables and fields using the Log Analytics workspace associated with your Sentinel instance.
Remember, you might need to enable auditing and ensure that the necessary logs are ingested into your Sentinel workspace. Additionally, access to the Office 365 Audit Logs might require appropriate permissions within your Microsoft 365 tenant.
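A broader version of the query above, as an added example that is not part of the original answer: it also covers anonymous links and guests added to secure links, and summarizes the shares per user and site. The sample rows, user names and URLs are constructed; the column names follow the standard OfficeActivity schema and should be checked against your workspace.

```kql
// Constructed sample rows standing in for OfficeActivity.
// Replace SampleOfficeActivity with OfficeActivity to run against real data.
let SampleOfficeActivity = datatable(
    TimeGenerated:datetime, OfficeWorkload:string, Operation:string,
    UserId:string, SiteUrl:string, SourceFileName:string,
    TargetUserOrGroupType:string, TargetUserOrGroupName:string)
[
    datetime(2024-01-10 09:15:00), "SharePoint", "SharingInvitationCreated",
        "alice@contoso.example", "https://contoso.example/sites/finance/",
        "budget.xlsx", "Guest", "partner@fabrikam.example",
    datetime(2024-01-10 09:40:00), "OneDrive", "AnonymousLinkCreated",
        "bob@contoso.example", "https://contoso.example/personal/bob/",
        "roadmap.pptx", "", "",
    datetime(2024-01-10 10:05:00), "SharePoint", "AddedToSecureLink",
        "alice@contoso.example", "https://contoso.example/sites/finance/",
        "forecast.xlsx", "Guest", "auditor@fabrikam.example",
    datetime(2024-01-10 10:20:00), "SharePoint", "AddedToSecureLink",
        "carol@contoso.example", "https://contoso.example/sites/hr/",
        "policy.docx", "Member", "dave@contoso.example",
    datetime(2024-01-10 10:30:00), "SharePoint", "FileAccessed",
        "carol@contoso.example", "https://contoso.example/sites/hr/",
        "policy.docx", "", ""
];
SampleOfficeActivity
| where OfficeWorkload in ("SharePoint", "OneDrive")
// Invitations and anonymous links count as external on their own;
// secure-link additions count only when the recipient is a guest.
| where Operation in ("SharingInvitationCreated", "AnonymousLinkCreated")
    or (Operation == "AddedToSecureLink" and TargetUserOrGroupType == "Guest")
// Optional: scope to one site, as in the original query.
// | where SiteUrl contains "your-sharepoint-site-url"
| summarize
    ShareCount = count(),
    Files      = make_set(SourceFileName, 50),
    Recipients = make_set(TargetUserOrGroupName, 50),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by UserId, SiteUrl, Operation
| order by ShareCount desc, FirstSeen asc
```

On the sample rows this returns three groups (two for alice, one for bob); the internal share by carol and the FileAccessed event are filtered out.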