SharePoint & OneDrive Audit Events

m365-azure | Data Access & Storage | Cloud Admin Portal

Location

Microsoft Purview > Audit (filter by SharePoint/OneDrive workload)

Description

File-level audit events for SharePoint Online and OneDrive for Business including FileAccessed, FileDownloaded, FileUploaded, FileDeleted, SharingSet, SharingInvitationCreated, and AnonymousLinkCreated.

Forensic Value

These events are critical for data exfiltration investigations. Bulk FileDownloaded events from a single session, especially via the sync client or API access, indicate mass data theft. SharingSet and AnonymousLinkCreated events reveal whether an attacker shared sensitive documents externally. Correlating ObjectId (the file path) with the user and IP address reconstructs exactly which documents were exfiltrated and through which method.
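
The correlation described above, as an added example that is not part of the original page: it groups FileDownloaded records by user and client IP, flags bursts inside a time window, and lists sharing operations with their ObjectId. It assumes each record is the AuditData JSON string of an exported audit row with the CreationTime, Operation, UserId, ClientIP and ObjectId fields; the threshold, window, users, IPs and URLs are constructed for illustration.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated"}

def load(audit_data_rows):
    """Parse AuditData JSON strings (one per audit record) into dicts."""
    return [json.loads(row) for row in audit_data_rows]

def bulk_downloads(records, threshold=5, window=timedelta(minutes=10)):
    """Flag user/IP pairs with >= threshold FileDownloaded events inside one window.
    threshold and window are illustrative assumptions; tune them per tenant."""
    groups = defaultdict(list)
    for r in records:
        if r["Operation"] == "FileDownloaded":
            when = datetime.fromisoformat(r["CreationTime"])
            groups[(r["UserId"], r["ClientIP"])].append((when, r["ObjectId"]))
    hits = []
    for (user, ip), events in groups.items():
        events.sort()
        start, best = 0, (0, 0)  # best = densest [start, end) slice seen so far
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end + 1 - start > best[1] - best[0]:
                best = (start, end + 1)
        if best[1] - best[0] >= threshold:
            files = [obj for _, obj in events[best[0]:best[1]]]
            hits.append({"user": user, "ip": ip, "files": files})
    return hits

def sharing_events(records):
    """Return (user, operation, ObjectId) for each sharing operation in SHARING_OPS."""
    return [(r["UserId"], r["Operation"], r["ObjectId"])
            for r in records if r["Operation"] in SHARING_OPS]

# Constructed sample records (not real tenant data).
def _rec(minute, op, user, ip, name):
    when = datetime(2024, 1, 10, 2, 0) + timedelta(minutes=minute)
    return json.dumps({"CreationTime": when.isoformat(), "Operation": op, "UserId": user,
                       "ClientIP": ip, "ObjectId": "https://tenant.example/sites/finance/" + name})

SAMPLE = [_rec(i, "FileDownloaded", "alice@tenant.example", "203.0.113.7", f"report{i}.xlsx")
          for i in range(6)]
SAMPLE += [_rec(0, "FileDownloaded", "bob@tenant.example", "198.51.100.4", "a.docx"),
           _rec(300, "FileDownloaded", "bob@tenant.example", "198.51.100.4", "b.docx"),
           _rec(7, "AnonymousLinkCreated", "alice@tenant.example", "203.0.113.7", "report3.xlsx")]
```

Calling `bulk_downloads(load(SAMPLE))` flags only the six-file burst from one user and IP, and `sharing_events(load(SAMPLE))` returns the anonymous link created on one of those same files.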

Tools Required

Microsoft Purview, PowerShell (Search-UnifiedAuditLog -RecordType SharePointFileOperation), Hawk