SharePoint & OneDrive Audit Events

Cloud & SaaS, Data Access & Storage, Cloud Control Plane

Location

Microsoft Purview > Audit (filter by SharePoint/OneDrive workload)

Description

File-level audit events for SharePoint Online and OneDrive for Business including FileAccessed, FileDownloaded, FileUploaded, FileDeleted, SharingSet, SharingInvitationCreated, and AnonymousLinkCreated.

Forensic Value

These events are the backbone of a data exfiltration investigation. A burst of FileDownloaded events from one user and client IP within a short window, particularly with a non-browser UserAgent (scripted or API access), is a strong indicator of mass data theft, although it still has to be checked against that user's normal activity. Note that the OneDrive sync client logs its transfers as FileSyncDownloadedFull and FileSyncUploadedFull rather than FileDownloaded, so a filter on FileDownloaded alone misses sync-based exfiltration. SharingSet, SharingInvitationCreated and AnonymousLinkCreated show whether the attacker exposed documents externally: TargetUserOrGroupName and TargetUserOrGroupType identify the recipient, and an anonymous link needs no recipient at all. Correlating ObjectId (the full file URL) with UserId, ClientIP, UserAgent and CreationTime reconstructs which documents left the tenant, when, and by which method. Collect early: how far back the unified audit log reaches depends on the tenant's Audit (Standard or Premium) licensing.

Tools Required

Microsoft Purview, PowerShell (Search-UnifiedAuditLog -RecordType SharePointFileOperation), Hawk

Collection Commands

PowerShell

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType SharePointFileOperation -Operations FileDownloaded,FileUploaded -ResultSize 5000 | Export-Csv sp_file_ops.csv -NoTypeInformation

PowerShell

Search-UnifiedAuditLog -StartDate (Get-Date).AddDays(-30) -EndDate (Get-Date) -RecordType SharePointSharingOperation -ResultSize 5000 | Export-Csv sp_sharing_ops.csv -NoTypeInformation

Both queries return at most 5000 records per call (the -ResultSize ceiling). If an export contains exactly 5000 rows it has been truncated: narrow the date range or page through the full set with -SessionId and -SessionCommand ReturnLargeSet. Add FileSyncDownloadedFull to -Operations when sync-client transfers are in scope. Each exported row's AuditData column holds the JSON record with ClientIP, UserAgent, ObjectId and, for sharing events, the target recipient.

Graph API

GET https://graph.microsoft.com/v1.0/sites/{site-id}/drive/root/delta?$select=name,lastModifiedBy,lastModifiedDateTime

The delta query enumerates the drive's current items and their last modifier. It is an inventory of what exists in the site, not an access log, so use it to scope what was available to the attacker and return to the audit events for who downloaded or shared what.
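The following triage script is an added example, not part of the original page or of any Microsoft tooling. It applies the correlation described under Forensic Value to the AuditData JSON column that the Search-UnifiedAuditLog exports above produce: it counts FileDownloaded events per user and client IP in a sliding window to surface bulk downloads, and flags sharing operations that expose files outside the tenant. The sample records, the 50-per-hour threshold and the tenant domain list (contoso.com) are constructed assumptions; field names follow the real SharePointFileOperation and SharePointSharingOperation schema.

```python
"""Triage SharePoint/OneDrive AuditData records for the two exfiltration
patterns described above: bulk FileDownloaded bursts per user+IP, and
sharing operations that expose files outside the tenant."""
import json
from collections import defaultdict
from datetime import datetime, timedelta

BULK_THRESHOLD = 50                     # assumption: FileDownloaded events per user+IP ...
BULK_WINDOW = timedelta(hours=1)        # ... within this sliding window
SHARING_OPS = {"SharingSet", "SharingInvitationCreated", "AnonymousLinkCreated"}
TENANT_DOMAINS = {"contoso.com"}        # assumption: the investigated tenant's own domains


def _rec(op, user, ip, obj, ts, **extra):
    """Build one AuditData JSON string using the schema's real field names."""
    d = {"CreationTime": ts.strftime("%Y-%m-%dT%H:%M:%S"), "Operation": op,
         "Workload": "SharePoint", "UserId": user, "ClientIP": ip, "ObjectId": obj}
    d.update(extra)
    return json.dumps(d)


def build_sample():
    """Constructed records, not real tenant data: one bulk downloader who then
    shares externally, and one ordinary user as a control."""
    t0 = datetime(2024, 5, 1, 9, 0, 0)
    fin = "https://contoso.sharepoint.com/sites/Finance/Shared Documents/"
    recs = [_rec("FileDownloaded", "alice@contoso.com", "203.0.113.10",
                 f"{fin}report_{i:03}.xlsx", t0 + timedelta(seconds=20 * i),
                 UserAgent="python-requests/2.31") for i in range(60)]
    recs += [_rec("FileDownloaded", "bob@contoso.com", "198.51.100.7",
                  f"https://contoso.sharepoint.com/sites/HR/Shared Documents/policy_{i}.docx",
                  t0 + timedelta(minutes=10 * i), UserAgent="Mozilla/5.0") for i in range(3)]
    recs.append(_rec("AnonymousLinkCreated", "alice@contoso.com", "203.0.113.10",
                     f"{fin}Q1_forecast.xlsx", t0 + timedelta(minutes=25)))
    recs.append(_rec("SharingSet", "alice@contoso.com", "203.0.113.10",
                     f"{fin}board_deck.pptx", t0 + timedelta(minutes=26),
                     TargetUserOrGroupName="mallory@example.org", TargetUserOrGroupType="Guest"))
    recs.append(_rec("SharingSet", "bob@contoso.com", "198.51.100.7",
                     "https://contoso.sharepoint.com/sites/HR/Shared Documents/policy_0.docx",
                     t0 + timedelta(minutes=40),
                     TargetUserOrGroupName="carol@contoso.com", TargetUserOrGroupType="Member"))
    return recs


def parse(auditdata_strings):
    """Decode the AuditData JSON column (as written by Export-Csv) into time-sorted events."""
    events = []
    for raw in auditdata_strings:
        e = json.loads(raw)
        e["_ts"] = datetime.strptime(e["CreationTime"], "%Y-%m-%dT%H:%M:%S")  # UTC, no offset
        events.append(e)
    return sorted(events, key=lambda e: e["_ts"])


def bulk_downloads(events, threshold=BULK_THRESHOLD, window=BULK_WINDOW):
    """Sliding-window count of FileDownloaded per (UserId, ClientIP). A hit carries
    every ObjectId that actor pulled so the exfiltrated set can be reconstructed."""
    per_actor = defaultdict(list)
    for e in events:
        if e["Operation"] == "FileDownloaded":
            per_actor[(e["UserId"], e["ClientIP"])].append(e)
    hits = {}
    for actor, evs in per_actor.items():
        start = 0
        for end in range(len(evs)):
            while evs[end]["_ts"] - evs[start]["_ts"] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[actor] = {"count": len(evs), "first": evs[0]["_ts"], "last": evs[-1]["_ts"],
                               "user_agents": sorted({e.get("UserAgent", "") for e in evs}),
                               "files": [e["ObjectId"] for e in evs]}
                break
    return hits


def external_sharing(events, tenant_domains=TENANT_DOMAINS):
    """Sharing events that expose data outside the tenant: any anonymous link,
    a Guest recipient, or a recipient whose mail domain is not the tenant's."""
    hits = []
    for e in events:
        if e["Operation"] not in SHARING_OPS:
            continue
        target = e.get("TargetUserOrGroupName", "")
        domain = target.rsplit("@", 1)[-1].lower() if "@" in target else ""
        external = (e["Operation"] == "AnonymousLinkCreated"
                    or e.get("TargetUserOrGroupType") == "Guest"
                    or (domain != "" and domain not in tenant_domains))
        if external:
            hits.append({"time": e["_ts"], "user": e["UserId"], "ip": e["ClientIP"],
                         "op": e["Operation"], "file": e["ObjectId"],
                         "target": target or "<anyone with the link>"})
    return hits


if __name__ == "__main__":
    evs = parse(build_sample())
    for (user, ip), h in bulk_downloads(evs).items():
        print(f"BULK  {user} from {ip}: {h['count']} files {h['first']}..{h['last']} "
              f"agents={h['user_agents']}")
    for h in external_sharing(evs):
        print(f"SHARE {h['time']} {h['user']} {h['op']} {h['file']} -> {h['target']}")
```

To run it against a real export, read sp_file_ops.csv and sp_sharing_ops.csv with the csv module and pass the AuditData column values to parse(). The user-agent set on each bulk hit is what separates a browser session from scripted or API collection, and the per-actor file list is the exfiltrated document set the investigation has to report.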

MITRE ATT&CK Techniques

T1213.002 (Data from Information Repositories: SharePoint), T1530 (Data from Cloud Storage), T1567 (Exfiltration Over Web Service), T1039 (Data from Network Shared Drive), T1078.004 (Valid Accounts: Cloud Accounts)