SharePoint file operations M365-SharePointFileOperation

6 operations, identified by Operation in the audit log.

Operation	Description
_catch_all	Catch-all for M365-SharePointFileOperation rules matching the RecordType but no specific Operation.
FileAccessed	A user or application accessed (previewed or opened) a file in SharePoint Online or OneDrive without downloading it.
FileDownloaded	A file was downloaded from SharePoint Online or OneDrive to the user's local device.
FileMalwareDetected	SharePoint or OneDrive antivirus scanning detected malware in an uploaded or synced file.
FileUploaded	A file was uploaded to SharePoint Online or OneDrive.
SearchQueryPerformed	A user or system account performed a search in SharePoint or OneDrive (listed under SharePoint file and page activities).

_catch_all: SharePoint file operations (catch-all)

RecordType: M365-SharePointFileOperation

Description

Catch-all for M365-SharePointFileOperation rules matching the RecordType but no specific Operation.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

FileAccessed

RecordType: M365-SharePointFileOperation

Description

A user or application accessed (previewed or opened) a file in SharePoint Online or OneDrive without downloading it.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Operation`	eq	`FileUploaded`	1 rule	kusto
`Provider_Name`	in	`OneDrive`	1 rule	elastic
`Provider_Name`	in	`SharePoint`	1 rule	elastic
`RecordType`	eq	`SharePointFileOperation`	1 rule	kusto
`SubjectUserName`	eq	`anonymous`	1 rule	chronicle
`SubjectUserName`	regex_match	`^urn:spo:anon#`	1 rule	chronicle
`TimeDeleted`	gt	`TimeAdded`	1 rule	kusto
`m365::Workload`	eq	`MicrosoftTeams`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Elastic #

M365 SharePoint/OneDrive File Access via PowerShell source medium: Identifies file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Adversaries may use native PowerShell cmdlets like Invoke-WebRequest or Invoke-RestMethod with Microsoft Graph API to exfiltrate data after compromising OAuth tokens via device code phishing or other credential theft techniques. This rule detects both direct PowerShell access and PnP PowerShell module usage for file operations. FileAccessed events are included to detect adversaries reading file content via API and saving locally, bypassing traditional download methods. Normal users access SharePoint/OneDrive via browsers or sync clients, making PowerShell-based file access inherently suspicious.↳ also matches FileDownloaded

Kusto #

Accessed files shared by temporary external user source low: This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity.↳ also matches FileUploaded

YARA-L #

O365 OneDrive Anonymous File Accessed source: Anonymous links can be used to export files from OneDrive. While this isn't always a sign of malicious activity, some organizations do not support the use of anonymous links because of the risk of data leakage. This rule detects when anonymous links are used to access files from OneDrive.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

FileDownloaded

RecordType: M365-SharePointFileOperation

Description

A file was downloaded from SharePoint Online or OneDrive to the user's local device.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Deviation`	gt	`25`	2 rules	kusto
`Operation`	in	`FileDownloaded`	2 rules	kusto
`Operation`	in	`FileUploaded`	2 rules	kusto
`RecordType`	eq	`SharePointFileOperation`	2 rules	kusto
`aws::userAgent`	is_not_null		2 rules	elastic, kusto
`EventType`	eq	`FileDownloaded`	1 rule	elastic, kusto
`Provider_Name`	eq	`OneDrive`	1 rule	elastic
`Provider_Name`	in	`OneDrive`	1 rule	elastic
`Provider_Name`	in	`SharePoint`	1 rule	elastic
`SubjectUserName`	eq	`anonymous`	1 rule	chronicle
`SubjectUserName`	regex_match	`^urn:spo:anon#`	1 rule	chronicle
`m365::ApplicationId`	is_not_null		1 rule	elastic
`m365::Workload`	eq	`SharePoint`	1 rule	kusto
`network.http.method`	eq	`GET`	1 rule	chronicle
`user.id`	is_not_null		1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

M365 OneDrive/SharePoint Excessive File Downloads source medium: Identifies when an excessive number of files are downloaded from OneDrive or SharePoint by an authorized user or application in a short period of time. This may indicate a potential data exfiltration event, especially if the downloads are performed using OAuth authentication which could suggest an OAuth phishing attack such as Device Code Authentication phishing.
M365 SharePoint/OneDrive File Access via PowerShell source medium: Identifies file downloads or access from OneDrive or SharePoint using PowerShell-based user agents. Adversaries may use native PowerShell cmdlets like Invoke-WebRequest or Invoke-RestMethod with Microsoft Graph API to exfiltrate data after compromising OAuth tokens via device code phishing or other credential theft techniques. This rule detects both direct PowerShell access and PnP PowerShell module usage for file operations. FileAccessed events are included to detect adversaries reading file content via API and saving locally, bypassing traditional download methods. Normal users access SharePoint/OneDrive via browsers or sync clients, making PowerShell-based file access inherently suspicious.↳ also matches FileAccessed

Kusto #

SharePointFileOperation via previously unseen IPs source medium: Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25.↳ also matches FileUploaded
SharePointFileOperation via devices with previously unseen user agents source medium: Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25).↳ also matches FileUploaded
Dataverse - Mass download from SharePoint document management source low: Identifies mass download (in the last hour) of files from SharePoint sites configured for document management in Dynamics 365. This analytics rule utilizes the MSBizApps-Configuration watchlist to identify SharePoint sites used for Document Management.

YARA-L #

Hunt for Non-Anonymous Office 365 file downloads source: Detects file downloads using O365 or Graph Activity logs, not including anonymous file links
O365 OneDrive Anonymous File Downloaded source: Anonymous links can be used to export files from OneDrive. While this isn't always a sign of malicious activity, some organizations do not support the use of anonymous links because of the risk of data leakage. This rule detects when anonymous links are used to download files from OneDrive.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

FileMalwareDetected

RecordType: M365-SharePointFileOperation

Description

SharePoint or OneDrive antivirus scanning detected malware in an uploaded or synced file.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`EventType`	eq	`FileMalwareDetected`	2 rules	elastic
`Provider_Name`	eq	`OneDrive`	1 rule	elastic
`Provider_Name`	eq	`SharePoint`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

M365 OneDrive Malware File Upload source high: Identifies the occurrence of files uploaded to OneDrive being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries an opportunity to gain initial access to other endpoints in the environment.
M365 SharePoint Malware File Detected source high: Identifies the occurrence of files uploaded to SharePoint being detected as Malware by the file scanning engine. Attackers can use File Sharing and Organization Repositories to spread laterally within the company and amplify their access. Users can inadvertently share these files without knowing their maliciousness, giving adversaries opportunities to gain initial access to other endpoints in the environment.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

FileUploaded

RecordType: M365-SharePointFileOperation

Description

A file was uploaded to SharePoint Online or OneDrive.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Operation`	eq	`FileUploaded`	3 rules	kusto
`Operation`	in	`FileDownloaded`	2 rules	kusto
`Operation`	in	`FileUploaded`	2 rules	kusto
`RecordType`	eq	`SharePointFileOperation`	3 rules	kusto
`Deviation`	gt	`25`	2 rules	kusto
`aws::userAgent`	is_not_null		2 rules	elastic, kusto
`TimeDeleted`	gt	`TimeAdded`	1 rule	kusto
`m365::Workload`	eq	`MicrosoftTeams`	1 rule	kusto
`m365::Workload`	eq	`SharePoint`	1 rule	kusto

Detection Rules #

View all rules referencing this event →

Kusto #

New executable via Office FileUploaded Operation source low: Identifies when executable file types are uploaded to Office services such as SharePoint and OneDrive. List currently includes 'exe', 'inf', 'gzip', 'cmd', 'bat' file extensions. Additionally, identifies when a given user is uploading these files to another users workspace. This may be indication of a staging location for malware or other malicious activity.
Dataverse - Executable uploaded to SharePoint document management site source low: Identifies executable files and scripts uploaded to SharePoint sites used for Dynamics document management, circumventing native file extension restrictions in Dataverse.
Accessed files shared by temporary external user source low: This detection identifies when an external user is added to a Team or Teams chat and shares a file which is accessed by many users (>10) and the users is removed within short period of time. This might be an indicator of suspicious activity.↳ also matches FileAccessed

Show 2 more (5 total)

SharePointFileOperation via previously unseen IPs source medium: Identifies anomalies using user behavior by setting a threshold for significant changes in file upload/download activities from new IP addresses. It establishes a baseline of typical behavior, compares it to recent activity, and flags deviations exceeding a default threshold of 25.↳ also matches FileDownloaded
SharePointFileOperation via devices with previously unseen user agents source medium: Identifies anomalies if the number of documents uploaded or downloaded from device(s) associated with a previously unseen user agent exceeds a threshold (default is 5) and deviation (default is 25).↳ also matches FileDownloaded

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

SearchQueryPerformed

RecordType: M365-SharePointFileOperation

Description

A user or system account performed a search in SharePoint or OneDrive (listed under SharePoint file and page activities).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`Provider_Name`	eq	`SharePoint`	1 rule	elastic

Detection Rules #

View all rules referencing this event →

Elastic #

M365 SharePoint Search for Sensitive Content source low: Identifies search queries in SharePoint containing sensitive terms related to credentials, financial data, PII, legal matters, or infrastructure information. Adversaries who compromise user accounts often search for high-value files before exfiltration. This rule detects searches containing terms across multiple sensitivity categories, regardless of the access method (browser, PowerShell, or API). The actual search query text is analyzed against a curated list of sensitive terms to identify potential reconnaissance activity.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)