How to Collect SharePoint Audit Logs | Office 365 Management API

Step-by-step guide to ingesting SharePoint Online and OneDrive audit logs using the Office 365 Management Activity API. Monitor file access, sharing events, and site operations.

Overview

SharePoint and OneDrive audit logs capture file operations, sharing activities, and site management actions in your Microsoft 365 environment. Use this guide to monitor document access, track file sharing, detect data exfiltration, and maintain compliance records for file operations.

Common Use Cases:

  • Track file access, downloads, and modifications
  • Monitor external and internal sharing activities
  • Detect potential data exfiltration (bulk downloads)
  • Audit site permission changes
  • Maintain compliance records for document access

Prerequisites

Before configuring Edge Delta, complete the Office 365 Management API setup:

  1. Enable unified audit logging in the Microsoft Purview compliance portal
  2. Register an Azure AD application with Office 365 Management APIs permissions
  3. Grant the ActivityFeed.Read permission and obtain admin consent
  4. Start the Audit.SharePoint subscription (one-time setup)

For detailed setup instructions, see Office 365 Management API Integration.

Start SharePoint Subscription

Run this command once to enable SharePoint audit log collection:

# Get OAuth token
TOKEN=$(curl -X POST "https://login.microsoftonline.com/{TENANT_ID}/oauth2/v2.0/token" \
  -d "client_id={CLIENT_ID}&client_secret={CLIENT_SECRET}&scope=https://manage.office.com/.default&grant_type=client_credentials" \
  | jq -r '.access_token')

# Start SharePoint subscription
curl -X POST "https://manage.office.com/api/v1.0/{TENANT_ID}/activity/feed/subscriptions/start?contentType=Audit.SharePoint&PublisherIdentifier={TENANT_ID}" \
  -H "Authorization: Bearer ${TOKEN}"

Configuration

Basic SharePoint Audit Collection

nodes:
- name: sharepoint_audit_logs
  type: http_pull_input
  endpoint: https://manage.office.com/api/v1.0/YOUR_TENANT_ID/activity/feed/subscriptions/content
  method: GET
  pull_interval: 5m

  authorization:
    strategy: oauth_client_credentials
    client_credentials:
      token_url: https://login.microsoftonline.com/YOUR_TENANT_ID/oauth2/v2.0/token
      client_id: YOUR_CLIENT_ID
      client_secret: YOUR_CLIENT_SECRET
      scopes:
        - https://manage.office.com/.default
      header_templates:
        - header: Authorization
          value: Bearer $ACCESS_TOKEN

  parameters:
    - name: contentType
      value: Audit.SharePoint
    - name: PublisherIdentifier
      value: YOUR_TENANT_ID

  parameter_expressions:
    - name: startTime
      value_expression: FormatTime(Now() - Duration("6m"), "%Y-%m-%dT%H:%M:%SZ")
    - name: endTime
      value_expression: FormatTime(Now() - Duration("1m"), "%Y-%m-%dT%H:%M:%SZ")

  pagination:
    url_json_path: contentUri
    response_format: json
    max_parallel: 3
    inherit_auth: true
    error_strategy: continue

SharePoint Audit Operations

File Operations

| Operation | Description |
| --- | --- |
| FileAccessed | File opened or viewed |
| FileDownloaded | File downloaded to local device |
| FileUploaded | File uploaded to SharePoint/OneDrive |
| FileModified | File content changed |
| FileDeleted | File deleted |
| FileRestored | File restored from recycle bin |
| FileMoved | File moved to new location |
| FileCopied | File copied |
| FileRenamed | File renamed |

Sharing Operations

| Operation | Description |
| --- | --- |
| SharingSet | Sharing permissions configured |
| SharingInvitationCreated | Sharing invitation sent |
| SharingInvitationAccepted | Sharing invitation accepted |
| AnonymousLinkCreated | Anyone link created |
| CompanyLinkCreated | Organization-wide link created |
| SharingRevoked | Sharing permissions removed |

Site Operations

| Operation | Description |
| --- | --- |
| SiteCollectionCreated | New site collection created |
| SiteDeleted | Site deleted |
| GroupAdded | Group added to site |
| PermissionLevelAdded | Permission level created |

Sample SharePoint Audit Log

{
  "CreationTime": "2024-01-01T10:05:00",
  "Id": "sharepoint-audit-guid",
  "Operation": "FileDownloaded",
  "OrganizationId": "org-guid",
  "RecordType": 6,
  "UserType": 0,
  "Workload": "SharePoint",
  "UserId": "user@company.com",
  "ClientIP": "192.168.1.100",
  "ObjectId": "https://company.sharepoint.com/sites/team/Documents/confidential-report.docx",
  "SourceFileName": "confidential-report.docx",
  "SourceFileExtension": "docx",
  "SourceRelativeUrl": "sites/team/Documents",
  "SiteUrl": "https://company.sharepoint.com/sites/team",
  "ItemType": "File",
  "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0.0.0",
  "Platform": "Windows 10"
}

Key Fields for Analysis

| Field | Description | Use Case |
| --- | --- | --- |
| Operation | Action performed | Identify activity type |
| UserId | Who performed the action | Attribute activity to user |
| ObjectId | Full path to file | Identify target document |
| SourceFileName | File name | Quick file identification |
| SiteUrl | SharePoint site | Identify site context |
| ClientIP | Source IP address | Detect anomalous access |
| ItemType | File, Folder, Site, etc. | Filter by item type |

High-Value Operations to Monitor

| Operation | Risk Level | Description |
| --- | --- | --- |
| AnonymousLinkCreated | High | Public sharing link created |
| FileDownloaded (bulk) | High | Potential data exfiltration |
| SharingSet (external) | Medium | External sharing enabled |
| FileDeleted (sensitive) | Medium | Sensitive file deletion |
| PermissionLevelAdded | Medium | Permission escalation |

Detecting Bulk Downloads

Monitor for potential data exfiltration by tracking multiple downloads:

# Use downstream processing to detect:
# - Same user downloading many files in short period
# - Downloads from unusual IP addresses
# - Downloads outside business hours

Key fields to aggregate:

  • UserId + Operation: FileDownloaded
  • Count per 15-minute window
  • Alert if count exceeds threshold (e.g., 50 files)
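An added example (not Edge Delta's or Microsoft's code) of the downstream aggregation described above: it keeps only FileDownloaded records, deduplicates them by Id as a guard against a record being delivered twice across pulls, then raises one alert per user each time that user's download count inside a sliding 15-minute window exceeds a threshold. The sample records are constructed and follow the field names of the sample log above; the Id values and file names are made up.

```python
"""Added example (not Edge Delta's code): sliding-window bulk-download detector for Audit.SharePoint records."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def make_sample_records():
    """Constructed data: alice downloads 60 files in ten minutes, bob 5 files over
    48 minutes, plus one duplicate record and one non-download event."""
    base = "https://company.sharepoint.com/sites/team/Documents/"
    t9, t10 = datetime(2024, 1, 1, 9), datetime(2024, 1, 1, 10)
    recs = [{"Id": f"a-{i}", "CreationTime": (t10 + timedelta(seconds=10 * i)).isoformat(),
             "Operation": "FileDownloaded", "UserId": "alice@company.com",
             "ClientIP": "192.168.1.100", "ObjectId": f"{base}report-{i}.docx"} for i in range(60)]
    recs += [{"Id": f"b-{i}", "CreationTime": (t9 + timedelta(minutes=12 * i)).isoformat(),
              "Operation": "FileDownloaded", "UserId": "bob@company.com",
              "ClientIP": "192.168.1.101", "ObjectId": f"{base}memo-{i}.docx"} for i in range(5)]
    recs.append(dict(recs[0]))  # same Id delivered twice; must not be counted twice
    recs.append({"Id": "a-x", "CreationTime": "2024-01-01T10:01:00", "Operation": "FileAccessed",
                 "UserId": "alice@company.com", "ClientIP": "192.168.1.100", "ObjectId": f"{base}notes.docx"})
    return recs


def detect_bulk_downloads(records, threshold=50, window=timedelta(minutes=15)):
    """Return one alert per user per burst, raised by the first FileDownloaded that pushes
    the user's count within `window` above `threshold`. Dedupes by Id and sorts by time."""
    unique = {r["Id"]: r for r in records if r.get("Operation") == "FileDownloaded"}
    downloads = sorted(unique.values(), key=lambda r: r["CreationTime"])
    recent = defaultdict(deque)   # UserId -> (timestamp, ClientIP) pairs inside the window
    alerted = defaultdict(bool)   # UserId -> alert already raised for the current burst
    alerts = []
    for r in downloads:
        ts, user = datetime.fromisoformat(r["CreationTime"]), r["UserId"]
        q = recent[user]
        q.append((ts, r["ClientIP"]))
        while ts - q[0][0] > window:  # evict events that fell out of the window
            q.popleft()
        if len(q) > threshold and not alerted[user]:
            alerted[user] = True
            alerts.append({"UserId": user, "count": len(q), "window_start": q[0][0].isoformat(),
                           "window_end": ts.isoformat(), "ClientIPs": sorted({ip for _, ip in q})})
        elif len(q) <= threshold:
            alerted[user] = False  # burst ended; a later burst can alert again
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_downloads(make_sample_records()):
        print(alert)
```

The ClientIPs field in each alert lists the distinct source addresses seen inside the window, which is the starting point for the "unusual IP" check mentioned above.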

Troubleshooting

| Issue | Solution |
| --- | --- |
| Empty results | Verify that the Audit.SharePoint subscription is started |
| 401 Unauthorized | Check client credentials and tenant ID |
| 403 Forbidden | Ensure the ActivityFeed.Read permission has admin consent |
| OneDrive missing | OneDrive events are included in Audit.SharePoint |