SharePoint and OneDrive sharing operations M365-SharePointSharingOperation

4 operations, identified by Operation in the audit log.

Operation	Description
_catch_all	Catch-all for M365-SharePointSharingOperation rules matching the RecordType but no specific Operation.
AnonymousLinkCreated	An anonymous (anyone-with-the-link) sharing link was created for a file or folder, exposing it without authentication.
AnonymousLinkUpdated	An existing anonymous sharing link was modified (e.g. permission level changed).
AnonymousLinkUsed	An anonymous sharing link was used to access a file or folder, indicating external/unauthenticated access.

_catch_all: SharePoint and OneDrive sharing operations (catch-all)

RecordType: M365-SharePointSharingOperation

Description

Catch-all for M365-SharePointSharingOperation rules matching the RecordType but no specific Operation.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

AnonymousLinkCreated

RecordType: M365-SharePointSharingOperation

Description

An anonymous (anyone-with-the-link) sharing link was created for a file or folder, exposing it without authentication.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

Detection Rules #

View all rules referencing this event →

YARA-L #

O365 OneDrive Anonymous Link Created or Updated source: Anonymous links can be used to export files from OneDrive. While this isn't always a sign of malicious activity, some organizations do not support the creation of anonymous links because of the risk of data leakage. This rule detects the creation or modification of anonymous links in OneDrive.↳ also matches AnonymousLinkUpdated

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

AnonymousLinkUpdated

RecordType: M365-SharePointSharingOperation

Description

An existing anonymous sharing link was modified (e.g. permission level changed).

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

Detection Rules #

View all rules referencing this event →

YARA-L #

O365 OneDrive Anonymous Link Created or Updated source: Anonymous links can be used to export files from OneDrive. While this isn't always a sign of malicious activity, some organizations do not support the creation of anonymous links because of the risk of data leakage. This rule detects the creation or modification of anonymous links in OneDrive.↳ also matches AnonymousLinkCreated

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

AnonymousLinkUsed

RecordType: M365-SharePointSharingOperation

Description

An anonymous sharing link was used to access a file or folder, indicating external/unauthenticated access.

Fields #

Name	Description
`RecordType`	AuditLogRecordType enum value (named string in Sentinel OfficeActivity; integer in the raw Management Activity API JSON).
`Operation`	The name of the user or admin activity. For Exchange admin activity this is the cmdlet name; for DLP it is DlpRuleMatch/DlpRuleUndo/DlpInfo. The per-event discriminator (event.action in Elastic ECS).
`Workload`	The Microsoft 365 service where the activity occurred (Exchange, SharePoint, AzureActiveDirectory, MicrosoftTeams, ...). Surfaces as event.provider in Elastic ECS.
`ResultStatus`	Whether the action succeeded: Succeeded, PartiallySucceeded, or Failed (True/False for Exchange admin). For STS-logon events this reflects only the HTTP operation, not logon success: check LogonError.
`UserId`	UPN of the user who performed the action; system-account and app@sharepoint values also appear.
`UserType`	Type of actor: Regular, Admin, System, DcAdmin, Application, ServicePrincipal.
`UserKey`	Alternative ID for the user (the PUID for SharePoint / OneDrive / Exchange events).
`ClientIP`	IPv4/IPv6 address of the device used; may be a trusted-app IP, and is null for Microsoft Entra ID events.
`ObjectId`	For SharePoint/OneDrive, the full path of the file/folder; for Exchange admin, the object modified by the cmdlet; shape is operation-specific.
`OrganizationId`	GUID of the tenant's Office 365 organization (constant per tenant).
`Id`	Unique identifier (GUID) for the audit record.
`CreationTime`	UTC date/time when the audit record was generated.
`Scope`	Source of the event: online (a Microsoft 365 service) or onprem (an on-premises service; currently SharePoint only).
`AppAccessContext`	Application context for the user or service principal that performed the action.
`ItemType`	The type of object accessed or modified (File, Folder, List, Site, ...).
`EventSource`	Identifies a SharePoint event: SharePoint or ObjectModel.
`SiteUrl`	URL of the site where the file or folder is located.
`SourceRelativeUrl`	URL of the folder containing the file; SiteUrl + SourceRelativeUrl + SourceFileName equals the full ObjectId path.
`SourceFileName`	Name of the file or folder accessed by the user.
`SourceFileExtension`	File extension of the accessed file (blank for folders).
`DestinationFileName`	Name of the file copied or moved (FileCopied / FileMoved events).
`UserSharedWith`	The user a resource was shared with (sharing operations).
`SharingType`	The permission level assigned to the user the resource was shared with.
`UserAgent`	Client or browser information reported by the client.
`MachineId`	Device information for device-sync operations (when present in the request).
`ApplicationId`	ID of the application performing the operation.
`ListId`	GUID of the SharePoint list (when applicable).

Common Indicators #

Field/value combinations most frequently checked by detection rules targeting this event, derived from cross-vendor predicate analysis.

Field	Kind	Value	Rules	Vendors
`SubjectUserName`	eq	`anonymous`	1 rule	chronicle

Detection Rules #

View all rules referencing this event →

YARA-L #

O365 OneDrive Anonymous Link Accessed source: Anonymous links can be used to access files from OneDrive. While this isn't always a sign of malicious activity, some organizations do not support the use of anonymous links because of the risk of data leakage. This rule detects when anonymous links are used to access files from OneDrive.

References #

Office 365 Management Activity API schema (AuditLogRecordType enum) https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema
Microsoft Purview audit log activities reference https://learn.microsoft.com/en-us/purview/audit-log-activities

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

SharePoint and OneDrive sharing operations M365-SharePointSharingOperation

_catch_all: SharePoint and OneDrive sharing operations (catch-all)

Description

Fields #

References #

AnonymousLinkCreated

Description

Fields #

Detection Rules #

YARA-L #

References #

AnonymousLinkUpdated

Description

Fields #

Detection Rules #

YARA-L #

References #

AnonymousLinkUsed

Description

Fields #

Common Indicators #

Detection Rules #

YARA-L #

References #

Keyboard shortcuts

Search operators