Why SharePoint Audit Logging Is Non-Negotiable
Every document access, permission change, file download, and site modification in SharePoint Online generates an audit event. For organizations in regulated industries — healthcare, financial services, government — audit logs are the evidence trail required by HIPAA, SOC 2, SEC, FINRA, and other frameworks. For all organizations, audit logs are essential for security incident response.
Microsoft 365 Audit (formerly Office 365 Audit Logs) is the centralized audit service that captures SharePoint events alongside Exchange, Teams, and Azure AD activity.
Audit Log Architecture in Microsoft 365
Audit (Standard) vs. Audit (Premium)
Microsoft renamed the two tiers; older documentation (and most licensing sheets) still call them Standard Audit and Advanced Audit.
| Feature | Audit (Standard), formerly Standard Audit | Audit (Premium), formerly Advanced Audit |
|---------|---------------|----------------|
| Included in | E3, Business Premium | E5 / E5 Compliance add-on |
| Retention | 180 days (raised from 90 days in late 2023) | 1 year by default; 10-year add-on available |
| API bandwidth | Standard Office 365 Management Activity API limits | Higher bandwidth |
| Intelligent insights | No | Yes (high-value events flagged) |
| MailItemsAccessed | Limited | Full logging |
| Cost | Included in E3 | E5 or $12/user/month add-on |
Recommendation: Any organization with formal compliance requirements should have E5 Compliance (or equivalent) for 1-year audit retention minimum. Financial services organizations with 7-year record retention requirements should use the 10-year Advanced Audit add-on.
Where Audit Logs Live
Access: Microsoft Purview compliance portal → Audit. If auditing has never been turned on, the page shows a Start recording user and admin activity banner; after clicking it, allow up to 60 minutes before expecting search results.
Or PowerShell:
```powershell
# Search-UnifiedAuditLog is an Exchange Online PowerShell cmdlet (ExchangeOnlineManagement module),
# not part of the Security & Compliance session (Connect-IPPSSession) used for policies later on
Connect-ExchangeOnline
# Search audit logs for the last 24 hours (CreationDate values are UTC)
Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-1) `
    -EndDate (Get-Date) `
    -RecordType SharePoint `
    -ResultSize 1000
```
Two things to know before relying on this call. First, -RecordType SharePoint returns only the generic SharePoint record type; file operations such as FileDownloaded and FileAccessed are RecordType SharePointFileOperation, and sharing events are SharePointSharingOperation. Second, -ResultSize caps a single call at 5,000 records, so a busy tenant needs paging with -SessionId and -SessionCommand ReturnLargeSet.
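The following is an added example, not code from the original article: it pages past the 5,000-record cap of a single Search-UnifiedAuditLog call and flattens each record's AuditData JSON into an object the later queries can filter. It assumes an Exchange Online PowerShell session (Connect-ExchangeOnline); the function name Get-SpoAuditEvents and the output shape are this example's own.

```powershell
# Added example, not code from the original article: page past the 5,000-record cap of a
# single Search-UnifiedAuditLog call and flatten each record's AuditData JSON into an object
# the later queries can filter. Assumes an Exchange Online PowerShell session
# (Connect-ExchangeOnline); the function name and output shape are this example's own.

function Get-SpoAuditEvents {
    param(
        [Parameter(Mandatory)][datetime]$StartDate,
        [Parameter(Mandatory)][datetime]$EndDate,
        [string[]]$Operations = @(),
        # File and sharing events are not in RecordType "SharePoint"; cover all three by default
        [string[]]$RecordTypes = @('SharePoint', 'SharePointFileOperation', 'SharePointSharingOperation')
    )

    $seen = @{}   # de-duplicate on Identity in case pages overlap
    foreach ($rt in $RecordTypes) {
        $sessionId    = [guid]::NewGuid().ToString()   # one paging session per record type
        $sessionCount = 0
        do {
            $params = @{
                StartDate      = $StartDate
                EndDate        = $EndDate
                RecordType     = $rt
                SessionId      = $sessionId
                SessionCommand = 'ReturnLargeSet'   # unsorted pages, at most 50,000 records per session
                ResultSize     = 5000               # maximum a single call will return
            }
            if ($Operations.Count -gt 0) { $params['Operations'] = $Operations }

            $page = Search-UnifiedAuditLog @params
            foreach ($rec in @($page)) {
                if (-not $rec -or $seen.ContainsKey($rec.Identity)) { continue }
                $seen[$rec.Identity] = $true
                $sessionCount++
                $d = $rec.AuditData | ConvertFrom-Json
                [pscustomobject]@{
                    CreationDate = $rec.CreationDate              # UTC
                    RecordType   = $rec.RecordType
                    Operation    = $d.Operation
                    UserId       = $d.UserId
                    IsGuest      = ($d.UserId -like '*#EXT#*')    # guest UPNs carry the #EXT# marker
                    ClientIP     = $d.ClientIP
                    SiteUrl      = $d.SiteUrl
                    ObjectId     = $d.ObjectId
                    Target       = $d.TargetUserOrGroupName       # set on sharing and group-membership events
                    Raw          = $d                             # keep the full payload for ad-hoc fields
                }
            }
        } while ($page)   # an empty page ends the session

        if ($sessionCount -ge 50000) {
            Write-Warning "RecordType $rt hit the 50,000-record session ceiling; narrow the window (e.g. one day) and re-run."
        }
    }
}

# Usage: everything guests did in the last 24 hours, oldest first
Get-SpoAuditEvents -StartDate (Get-Date).AddDays(-1) -EndDate (Get-Date) |
    Where-Object IsGuest |
    Select-Object CreationDate, Operation, UserId, SiteUrl, ObjectId |
    Sort-Object CreationDate
```

The session ceiling is the reason for the per-record-type loop: each record type gets its own 50,000-record budget, and a warning tells you when a window must be split rather than silently truncating the evidence.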
Critical SharePoint Events to Monitor
Category 1: High-Priority Security Events (Alert Immediately)
| Event | AuditData Operation | Why It Matters |
|-------|-------------------|----------------|
| File downloaded in bulk | FileDownloaded (counted per user per hour) | Data exfiltration indicator |
| External user added to site | AddedToGroup where the added UPN contains #EXT#; SharingInvitationCreated | Unauthorized external access |
| Admin role assigned | Add member to role. (an Entra ID record, RecordType AzureActiveDirectory, not a SharePoint one) | Privilege escalation |
| Sensitivity label downgraded | SensitivityLabelChanged (site); FileSensitivityLabelChanged, FileSensitivityLabelRemoved (file) | Policy bypass attempt |
| Site permissions changed broadly | PermissionLevelAdded, PermissionLevelModified, SharingSet | Access control weakening |
| Malware detected in file | FileMalwareDetected | Active threat |
| Anonymous link created for restricted content | AnonymousLinkCreated | Data exposure risk |
Category 2: Compliance Events (Review Weekly)
| Event | AuditData Operation | Compliance Relevance |
|-------|-------------------|---------------------|
| File accessed by privileged user | FileAccessed | Insider risk, need-to-know |
| Record unlocked | RecordUnlocked | Records integrity |
| Retention policy modified | SetRetentionCompliancePolicy | Records tampering |
| Site collection admin added | SiteCollectionAdminAdded | Privilege audit |
| eDiscovery hold applied/removed | HoldApplied, HoldRemoved | Legal hold integrity |
| DLP policy match | DLPRuleMatch | Data protection events |
Category 3: Operational Events (Monthly Review)
| Event | Why Review |
|-------|-----------|
| Site created | Site sprawl governance |
| Site deleted | Recovery window check |
| Site storage exceeded | Capacity planning |
| List/library deleted | Accidental deletion investigation |
| Sharing invitation accepted | Guest access tracking |
Setting Up Audit Log Retention Policies
For E5 tenants, configure custom audit retention policies (beyond the default 1-year):
```powershell
# Retention policies are Security & Compliance PowerShell cmdlets
Connect-IPPSSession
# Create 3-year retention policy for SharePoint audit events
New-UnifiedAuditLogRetentionPolicy `
    -Name "SharePoint 3-Year Audit Retention" `
    -Description "Retain SharePoint audit logs for 3 years per SOC 2 requirements" `
    -RecordTypes SharePoint, SharePointFileOperation, SharePointSharingOperation `
    -RetentionDuration ThreeYears `
    -Priority 1    # 1 is the highest priority when several policies match a record
```
Available retention durations: ThreeMonths, SixMonths, NineMonths, TwelveMonths, ThreeYears, FiveYears, SevenYears, TenYears (TenYears requires the 10-year add-on license). A policy cannot bring back records that have already aged out, so create it before the retention need arises, not when an audit is announced; verify the result with Get-UnifiedAuditLogRetentionPolicy.
Audit Search Filters for SharePoint Audit Analysis
The values below are audit Operation names. In the Purview Audit search choose them under Activities (the friendly names in the picker map to these operation names); in PowerShell pass the same names to Search-UnifiedAuditLog -Operations. These are activity filters, not the Kusto KQL used for Sentinel later in this article.
Query 1: Find All Downloads by External Users
```
Operations:FileDownloaded
```
Then filter the results on UserId containing #EXT#, the marker guest accounts carry in their UPN. The AuditData UserType field is a numeric enum (0 = regular user, 2 = admin, 5 = application, and so on) and has no Guest value, so it cannot be used for this.
Query 2: Bulk Download Detection (>20 files by one user within one hour)
```
Operations:FileDownloaded
```
Then export to CSV and count downloads per user per hour, or let PowerShell do it:
```powershell
# PowerShell bulk download detection: >20 FileDownloaded events by one user within the
# same clock hour (CreationDate is UTC). Runs in an Exchange Online PowerShell session.
$logs = Search-UnifiedAuditLog `
    -StartDate (Get-Date).AddDays(-7) `
    -EndDate (Get-Date) `
    -Operations FileDownloaded `
    -ResultSize 5000   # cap per call; page with -SessionId/-SessionCommand ReturnLargeSet for more
$byUserHour = $logs | Group-Object -Property {
    $d = $_.AuditData | ConvertFrom-Json
    '{0} @ {1:yyyy-MM-dd HH}:00Z' -f $d.UserId, $_.CreationDate
} | Where-Object Count -gt 20
$byUserHour | Select-Object Name, Count | Sort-Object Count -Descending
```
Query 3: Anonymous Sharing Link Creations
```
Operations:AnonymousLinkCreated
```
Query 4: Sensitivity Label Changes (Downgrade detection)
```
Operations:SensitivityLabelChanged,FileSensitivityLabelChanged,FileSensitivityLabelRemoved
```
Export and compare the old and new label IDs in each record against your label order (Get-Label exposes each label's Priority): a move to a lower-priority label, or a removal, is a downgrade. The event name alone does not tell you the direction.
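The following is an added example, not code from the original article: it decides "downgrade" from label order rather than from the event name. It assumes that label audit records carry the old and new label IDs under SensitivityLabelEventData (OldSensitivityLabelId and SensitivityLabelId) and that a higher Get-Label Priority means a more sensitive label; both are this example's assumptions, and the label table and the three records are constructed.

```powershell
# Added example, not code from the original article: decide "downgrade" from label order
# rather than from the event name. Assumes label audit records carry the old and new
# label IDs under SensitivityLabelEventData (OldSensitivityLabelId / SensitivityLabelId)
# and that a higher Get-Label Priority means a more sensitive label; both are this
# example's assumptions. The label table and the three records are constructed.

# Label table; in a tenant build it with:
#   Get-Label | ForEach-Object { $labelTable[$_.ImmutableId] = @{ Name = $_.DisplayName; Priority = $_.Priority } }
$labelTable = @{
    '11111111-1111-1111-1111-111111111111' = @{ Name = 'Public';       Priority = 0 }
    '22222222-2222-2222-2222-222222222222' = @{ Name = 'Internal';     Priority = 1 }
    '33333333-3333-3333-3333-333333333333' = @{ Name = 'Confidential'; Priority = 2 }
}

# Constructed AuditData payloads: one upgrade, one downgrade, one removal
$sampleRecords = @(
    '{"CreationTime":"2024-05-01T10:00:00","Operation":"FileSensitivityLabelChanged","UserId":"alice@example.com","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/q1.xlsx","SensitivityLabelEventData":{"OldSensitivityLabelId":"22222222-2222-2222-2222-222222222222","SensitivityLabelId":"33333333-3333-3333-3333-333333333333"}}'
    '{"CreationTime":"2024-05-01T10:05:00","Operation":"FileSensitivityLabelChanged","UserId":"bob@example.com","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/payroll.xlsx","SensitivityLabelEventData":{"OldSensitivityLabelId":"33333333-3333-3333-3333-333333333333","SensitivityLabelId":"11111111-1111-1111-1111-111111111111"}}'
    '{"CreationTime":"2024-05-01T10:09:00","Operation":"FileSensitivityLabelRemoved","UserId":"bob@example.com","ObjectId":"https://contoso.sharepoint.com/sites/Finance/Shared Documents/board.docx","SensitivityLabelEventData":{"OldSensitivityLabelId":"33333333-3333-3333-3333-333333333333","SensitivityLabelId":""}}'
)

function Find-LabelDowngrade {
    param(
        [Parameter(Mandatory)][string[]]$AuditDataJson,
        [Parameter(Mandatory)][hashtable]$LabelTable
    )
    foreach ($json in $AuditDataJson) {
        $d  = $json | ConvertFrom-Json
        $ev = $d.SensitivityLabelEventData
        if (-not $ev -or -not $ev.OldSensitivityLabelId) { continue }   # first-time labelling is not a downgrade

        $old = $LabelTable[$ev.OldSensitivityLabelId]
        $new = if ($ev.SensitivityLabelId) { $LabelTable[$ev.SensitivityLabelId] } else { $null }
        if (-not $old) { continue }                                       # unknown label ID: cannot rank, skip

        # A removed label ranks below every real label
        $newPriority = if ($new) { $new.Priority } else { -1 }
        if ($newPriority -ge $old.Priority) { continue }                  # same level or an upgrade

        [pscustomobject]@{
            Time     = [datetime]$d.CreationTime
            UserId   = $d.UserId
            File     = $d.ObjectId
            OldLabel = $old.Name
            NewLabel = if ($new) { $new.Name } else { '(removed)' }
            Verdict  = if ($new) { 'Downgrade' } else { 'Removed' }
        }
    }
}

Find-LabelDowngrade -AuditDataJson $sampleRecords -LabelTable $labelTable | Format-Table -AutoSize
```

Unknown label IDs are skipped rather than guessed, which matters when a label has been deleted from the tenant: report those separately instead of letting them vanish from the downgrade list.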
Query 5: Permission Changes in Last 30 Days
```
Operations:PermissionLevelAdded,PermissionLevelModified,AddedToGroup,RemovedFromGroup
```
Query 6: Site Deletion Events
```
Operations:SiteDeleted,GroupDeleted
```
Real-Time Alerting Configuration
Microsoft Purview Alert Policies
Create alert policies in Purview for immediate notification of critical events:
```powershell
# Alert policies are created in Security & Compliance PowerShell
Connect-IPPSSession

# Alert when SharePoint's anti-virus engine flags a file (audit operation FileMalwareDetected)
New-ProtectionAlert `
    -Name "SharePoint Malware Detection Alert" `
    -Category ThreatManagement `
    -ThreatType Activity `
    -Operation FileMalwareDetected `
    -Severity High `
    -AggregationType None `
    -NotifyUser "[email protected]", "[email protected]"

# Alert for bulk download: more than 50 FileDownloaded events by one user within 60 minutes.
# -Threshold and -TimeWindow (minutes, minimum 60) are only accepted with
# -AggregationType SimpleAggregation; -AlertBy User counts per user instead of tenant-wide.
New-ProtectionAlert `
    -Name "Bulk File Download Alert" `
    -Category DataGovernance `
    -ThreatType Activity `
    -Operation FileDownloaded `
    -Severity Medium `
    -AggregationType SimpleAggregation `
    -AlertBy User `
    -Threshold 50 `
    -TimeWindow 60 `
    -NotifyUser "[email protected]"

# Alert for anonymous sharing links
New-ProtectionAlert `
    -Name "Anonymous Link Created Alert" `
    -Category AccessGovernance `
    -ThreatType Activity `
    -Operation AnonymousLinkCreated `
    -Severity Medium `
    -AggregationType None `
    -NotifyUser "[email protected]", "[email protected]"
```
-Category accepts AccessGovernance, DataGovernance, DataLossPrevention, MailFlow, Others and ThreatManagement; -ThreatType Activity is required for activity-based policies.
Microsoft Sentinel Integration
For enterprise security operations centers (SOC), stream Microsoft 365 audit logs to Microsoft Sentinel:
- Enable the Microsoft 365 (formerly Office 365) data connector in Sentinel (Data connectors → Microsoft 365)
- Select the SharePoint, Exchange and Teams logs; Entra ID (Azure AD) sign-in and audit logs come through the separate Microsoft Entra ID connector into the SigninLogs and AuditLogs tables
- Logs appear in the `OfficeActivity` table in Log Analytics
Sentinel KQL queries for SharePoint:
```kusto
// SharePoint bulk download detection in Sentinel
OfficeActivity
| where TimeGenerated > ago(24h)
| where RecordType == "SharePointFileOperation"
| where Operation == "FileDownloaded"
| summarize DownloadCount=count() by UserId, bin(TimeGenerated, 1h)
| where DownloadCount > 20
| order by DownloadCount desc
```
```kusto
// SharePoint external sharing events last 7 days
OfficeActivity
| where TimeGenerated > ago(7d)
| where RecordType == "SharePointSharingOperation"
| where Operation in ("SharingInvitationCreated", "AnonymousLinkCreated", "SharingLinkCreated", "SharingSet")
| project TimeGenerated, UserId, Operation, Site_Url, OfficeObjectId, TargetUserOrGroupName, TargetUserOrGroupType
| order by TimeGenerated desc
```
SharePoint Admin Center Usage Reports
For operational monitoring (not compliance audit), use the SharePoint Admin Center Usage reports:
Site usage report (Admin Center → Reports → Usage):
- Active sites (visited in last 30 days)
- Storage used per site
- Files viewed/edited/synced
- Pages visited
OneDrive usage report:
- Files synced per user
- Storage per user
- Inactive accounts (not accessed in 90 days)
These reports are also exposed through the Microsoft Graph reports API for custom dashboards. Two caveats: the caller needs the Reports.Read.All permission, and the Microsoft 365 admin center conceals user, group and site names in these reports unless an admin turns that privacy setting off (Settings → Org settings → Reports).
```powershell
# Get SharePoint site activity via the Graph reports API (Microsoft.Graph PowerShell module)
Connect-MgGraph -Scopes "Reports.Read.All"
New-Item -ItemType Directory -Path "C:\Reports" -Force | Out-Null
# The endpoint answers with a redirect to a pre-authenticated CSV; -OutputFilePath follows it and saves the file
Invoke-MgGraphRequest -Method GET `
    -Uri "https://graph.microsoft.com/v1.0/reports/getSharePointSiteUsageDetail(period='D30')" `
    -OutputFilePath "C:\Reports\SharePoint-Usage-30days.csv"
```
Compliance Reporting for Audit Requirements
HIPAA Audit Control (§164.312(b))
HIPAA requires access controls and audit controls for ePHI. SharePoint evidence to collect:
- Quarterly: Export all FileAccessed events for sites containing ePHI
- Monthly: Review user access to ePHI document libraries (permission reports)
- Annually: Full access review of all users with access to HIPAA-designated sites
- On demand: Provide audit trail for any PHI access within 30 days of request
SOC 2 Type II Audit Evidence
For CC6.2 (logical access), CC6.3 (access removal), and CC7.2 (monitoring):
- CC6.2: Export all permission grant events (AddedToGroup, PermissionLevelAdded) for SOC period
- CC6.3: Export all access removal events (RemovedFromGroup) for terminated employees — must show access removed within SLA (typically 24-48 hours)
- CC7.2: Document alert policies configured, provide alert log for audit period
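The following is an added example, not code from the original article, for the CC6.3 evidence above: it measures time-to-removal for terminated users from SharePoint RemovedFromGroup records and flags SLA breaches. The termination feed and the audit rows are constructed; in a tenant the rows come from Search-UnifiedAuditLog -Operations RemovedFromGroup, whose CreationDate is UTC and whose AuditData carries the removed member in TargetUserOrGroupName. The function name Test-AccessRemovalSla is this example's own.

```powershell
# Added example, not code from the original article: measure time-to-removal for terminated
# users from SharePoint RemovedFromGroup records and flag SLA breaches for the CC6.3 evidence
# pack. The termination feed and the audit rows below are constructed; in a tenant the rows
# come from Search-UnifiedAuditLog -Operations RemovedFromGroup (CreationDate is UTC, and the
# removed member is carried in AuditData.TargetUserOrGroupName).

function ConvertTo-Utc([string]$Text) {
    # Constructed timestamps are 'yyyy-MM-dd HH:mm' and are treated as UTC
    [datetime]::SpecifyKind([datetime]::ParseExact($Text, 'yyyy-MM-dd HH:mm', $null), 'Utc')
}

# Constructed HR termination feed
$terminations = @(
    [pscustomobject]@{ UserId = 'alice@example.com'; TerminatedUtc = ConvertTo-Utc '2024-05-01 17:00' }
    [pscustomobject]@{ UserId = 'bob@example.com';   TerminatedUtc = ConvertTo-Utc '2024-05-01 17:00' }
    [pscustomobject]@{ UserId = 'carol@example.com'; TerminatedUtc = ConvertTo-Utc '2024-05-02 09:00' }
)

# Constructed audit rows in the shape Search-UnifiedAuditLog returns (AuditData is JSON text)
$auditRows = @(
    [pscustomobject]@{
        CreationDate = ConvertTo-Utc '2024-05-01 20:30'
        AuditData    = '{"Operation":"RemovedFromGroup","UserId":"admin@example.com","TargetUserOrGroupName":"alice@example.com","SiteUrl":"https://contoso.sharepoint.com/sites/Finance"}'
    }
    [pscustomobject]@{
        CreationDate = ConvertTo-Utc '2024-05-04 08:00'
        AuditData    = '{"Operation":"RemovedFromGroup","UserId":"admin@example.com","TargetUserOrGroupName":"bob@example.com","SiteUrl":"https://contoso.sharepoint.com/sites/Finance"}'
    }
)

function Test-AccessRemovalSla {
    param(
        [Parameter(Mandatory)][object[]]$Terminations,
        [Parameter(Mandatory)][object[]]$AuditRows,
        [int]$SlaHours = 48
    )
    # Earliest RemovedFromGroup per removed member, keyed by lower-cased UPN
    $firstRemoval = @{}
    foreach ($row in $AuditRows) {
        $d = $row.AuditData | ConvertFrom-Json
        if ($d.Operation -ne 'RemovedFromGroup' -or -not $d.TargetUserOrGroupName) { continue }
        $member = $d.TargetUserOrGroupName.ToLowerInvariant()
        $when   = $row.CreationDate.ToUniversalTime()
        if (-not $firstRemoval.ContainsKey($member) -or $when -lt $firstRemoval[$member]) {
            $firstRemoval[$member] = $when
        }
    }

    foreach ($t in $Terminations) {
        $key = $t.UserId.ToLowerInvariant()
        if ($firstRemoval.ContainsKey($key)) {
            $hours  = [math]::Round(($firstRemoval[$key] - $t.TerminatedUtc).TotalHours, 1)
            $status = if ($hours -le $SlaHours) { 'Within SLA' } else { 'SLA BREACH' }
        } else {
            $hours  = $null
            $status = 'NO REMOVAL FOUND'   # access may still exist, or the removal is outside the search window
        }
        [pscustomobject]@{
            UserId         = $t.UserId
            TerminatedUtc  = $t.TerminatedUtc
            RemovedUtc     = $firstRemoval[$key]
            HoursToRemoval = $hours
            Status         = $status
        }
    }
}

Test-AccessRemovalSla -Terminations $terminations -AuditRows $auditRows -SlaHours 48 | Format-Table -AutoSize
```

Only explicit SharePoint group removals are seen here. Where offboarding works by disabling or deleting the Entra ID account instead, join those directory audit records (RecordType AzureActiveDirectory) in the same way, and treat NO REMOVAL FOUND as a finding to investigate rather than a pass.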
FINRA/SEC Record Keeping
Export SharePoint audit logs to immutable storage monthly:
```powershell
# Export last month's SharePoint audit logs to Azure Blob Storage (immutable container).
# Search-UnifiedAuditLog runs in Exchange Online PowerShell; the upload uses Az.Storage.
Connect-ExchangeOnline
$startDate = (Get-Date).AddMonths(-1).ToString("yyyy-MM-01")
$endDate   = (Get-Date).ToString("yyyy-MM-01")
$stamp     = (Get-Date).AddMonths(-1).ToString("yyyyMM")   # name the file after the month it covers
$file      = "C:\AuditExports\SharePoint-Audit-$stamp.csv"
New-Item -ItemType Directory -Path (Split-Path $file) -Force | Out-Null

# One call returns at most 5,000 records, so page through a session (up to 50,000 per session;
# split the month into days if a record type exceeds that). File and sharing events live in
# their own record types, so all three are exported.
$logs = foreach ($rt in 'SharePoint', 'SharePointFileOperation', 'SharePointSharingOperation') {
    $sessionId = [guid]::NewGuid().ToString()
    do {
        $page = Search-UnifiedAuditLog -StartDate $startDate -EndDate $endDate -RecordType $rt `
            -SessionId $sessionId -SessionCommand ReturnLargeSet -ResultSize 5000
        if ($page) { $page }
    } while ($page)
}
$logs | Export-Csv $file -NoTypeInformation

# Record a SHA-256 alongside the export so its integrity can be attested later
(Get-FileHash $file -Algorithm SHA256).Hash | Set-Content "$file.sha256"

# Upload to a container that already has a time-based retention (WORM) policy;
# immutability is a property of the container, not of this upload
$storageContext = New-AzStorageContext `
    -StorageAccountName "compliancelogs" `
    -StorageAccountKey $storageKey
foreach ($f in $file, "$file.sha256") {
    Set-AzStorageBlobContent -Container "sharepoint-audit-logs" -File $f -Context $storageContext
}
```
SharePoint Audit Log Best Practices Checklist
- [ ] Audit logging enabled in Microsoft Purview (on by default for new tenants; verify with Get-AdminAuditLogConfig in Exchange Online PowerShell, where UnifiedAuditLogIngestionEnabled should be True)
- [ ] Audit retention policy set to meet regulatory requirements (180 days is the Audit (Standard) default; 1+ years for regulated industries)
- [ ] Alert policies created for: malware detection, bulk downloads, anonymous link creation, privilege escalation
- [ ] Monthly audit log export to immutable storage (Azure Blob, WORM policy)
- [ ] Quarterly access review of all SharePoint sites with sensitive data
- [ ] Sentinel or equivalent SIEM receiving M365 audit logs in real time
- [ ] Runbook documented for common incident types (who to notify, what to review, escalation path)
- [ ] Annual test of audit log retrieval for simulated incident (verify logs are accessible and complete)
Conclusion
SharePoint audit logging is not a set-and-forget task — it requires ongoing monitoring, regular exports, and periodic review to deliver compliance value. The investment in proper audit configuration pays dividends when an incident occurs (rapid investigation capability) and during regulatory audits (clear, organized evidence).
EPC Group designs and implements SharePoint audit programs for regulated industries including healthcare, financial services, and government. Contact us to assess your current audit posture.
Written by Errin O'Connor
Founder, CEO & Chief AI Architect | Microsoft Press Bestselling Author | 25+ Years Microsoft Ecosystem
Errin O'Connor is a Microsoft Press bestselling author of 4 books covering SharePoint, Power BI, Azure, and large-scale migrations. He leads our SharePoint consulting practice with expertise spanning 500+ enterprise migrations and compliance implementations across HIPAA, SOC 2, and FedRAMP environments.