Sentinel - Monitor external file shares

Luís Costa 226 Reputation points
2023-07-04T17:29:52.3766667+00:00

Hello,

I have a question regarding Microsoft Sentinel.

Is there any table that stores information about when a file in SharePoint or OneDrive for Business is shared externally? My idea is to build a KQL query to get this information.

Thanks for the help

Microsoft Sentinel
A scalable, cloud-native solution for security information event management and security orchestration automated response. Previously known as Azure Sentinel.

Accepted answer
  1. B santhiswaroop naik 395 Reputation points
    2023-07-04T17:56:31.79+00:00

    Yes, Microsoft Sentinel can provide visibility and logging capabilities for activities in SharePoint and OneDrive for Business. To track when a file is shared externally, you can use the Office 365 Audit Logs, which store information about various activities in your Microsoft 365 environment, including file-sharing events.

    In Sentinel, you can query the Office 365 Audit Logs using Kusto Query Language (KQL) to retrieve the desired information. Here's an example of a KQL query that can help you get information about external file sharing events:

    OfficeActivity
    | where Operation == "SharingInvitationCreated" and SiteUrl contains "your-sharepoint-site-url"

    In this query, you filter the OfficeActivity table to retrieve events where the Operation is "SharingInvitationCreated," indicating the creation of a sharing invitation. You can also include additional filters or refine the query based on your specific requirements, such as a particular SharePoint site URL.

    The same table and field names may vary based on your Sentinel configuration and data connectors. You can explore the available tables and fields using the Log Analytics workspace associated with your Sentinel instance.

    Remember, you might need to enable auditing and ensure that the necessary logs are ingested into your Sentinel workspace. Additionally, access to the Office 365 Audit Logs might require appropriate permissions within your Microsoft 365 tenant.

    1 person found this answer helpful.
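
A broader version of the query in the accepted answer, as an added example that is not part of the original thread: it also covers anonymous links and guests added to existing links, and groups the results per sharing user. The sample rows, the `.example` addresses and the name `SampleOfficeActivity` are constructed; the extra operation names and the `Guest` target type come from the Microsoft 365 audit schema, and it is an assumption that your connector populates `TargetUserOrGroupType` for these events.

```kql
// Constructed sample rows shaped like the OfficeActivity table, so the query
// runs without live data. In a workspace, delete the datatable and replace
// SampleOfficeActivity with OfficeActivity.
let SampleOfficeActivity = datatable(
    TimeGenerated:datetime, OfficeWorkload:string, Operation:string,
    UserId:string, SiteUrl:string, SourceFileName:string,
    TargetUserOrGroupType:string, TargetUserOrGroupName:string)
[
    datetime(2023-07-04 09:00:00), "SharePoint", "SharingInvitationCreated",
        "alice@contoso.example", "https://contoso.example/sites/finance/",
        "budget.xlsx", "Guest", "partner@fabrikam.example",
    datetime(2023-07-04 09:05:00), "OneDrive", "AnonymousLinkCreated",
        "bob@contoso.example", "https://contoso.example/personal/bob/",
        "notes.docx", "", "",
    datetime(2023-07-04 09:10:00), "SharePoint", "AddedToSecureLink",
        "alice@contoso.example", "https://contoso.example/sites/finance/",
        "forecast.xlsx", "Guest", "auditor@fabrikam.example",
    // Internal share: must not appear in the result.
    datetime(2023-07-04 09:15:00), "SharePoint", "AddedToSecureLink",
        "carol@contoso.example", "https://contoso.example/sites/hr/",
        "policy.pdf", "Member", "dave@contoso.example"
];
// Operations that can expose a file outside the tenant.
let ExternalSharingOps = dynamic([
    "SharingInvitationCreated", "AnonymousLinkCreated", "AddedToSecureLink"]);
SampleOfficeActivity
| where OfficeWorkload in ("SharePoint", "OneDrive")
| where Operation in (ExternalSharingOps)
// Anonymous links have no named recipient; every other operation counts as
// external only when the recipient is a guest account.
| where Operation == "AnonymousLinkCreated" or TargetUserOrGroupType == "Guest"
| summarize
    Shares     = count(),
    Files      = make_set(SourceFileName, 50),
    Recipients = make_set(TargetUserOrGroupName, 50),
    FirstSeen  = min(TimeGenerated),
    LastSeen   = max(TimeGenerated)
    by UserId, Operation
| order by Shares desc
```

Before relying on the `Guest` filter, run `OfficeActivity | summarize count() by Operation, TargetUserOrGroupType` over a known external share in your tenant to confirm which values your data actually carries.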
