Before starting this post, I would like to share some information about this facility in SharePoint. There was no supported way to delete audit log entries in SharePoint until the Infrastructure Update for SharePoint was released. Once you install that update, you get the STSADM operation trimauditlog (stsadm -o trimauditlog -date <YYYYMMDD> -url <site collection URL>), which deletes audit entries older than the given date.
I would recommend this post if you want to implement a custom mechanism to delete the audit entries in your SharePoint site.
Consider a SharePoint site where auditing is enabled, there are more than 10,000 users, and 3,000 to 4,000 of them are accessing the site at the same time. Every audited action is written to the AuditData table in the content database. Once that table reaches several million rows, opening the audit report page can take minutes to pull the data from the database.
As a workaround we can remove the unwanted audit entries from the AuditData table. But modifying the content database directly is not supported (and leaves the farm in an unsupported state), so what can we do in this situation?
This is where the SharePoint object model helps.
You can use the SPAuditQuery and SPAuditEntryCollection classes in Microsoft.SharePoint.dll to accomplish this. The code below is a sample .NET console application that takes a date as input and deletes the audit log entries created before that date.
Before deleting, it backs up the entries that are about to be deleted to a text file, which is saved in the bin\Debug directory (the working directory when the application is run from Visual Studio).
<code>
using System;
using System.IO;
using Microsoft.SharePoint;

namespace DeleteAuditEntries
{
    class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Example Deletion of Audit Entries");
            Console.WriteLine("Enter a date below. In the root site collection, all audit entries created before the date entered will be deleted.");

            Console.Write("Enter Month: ");
            int month = Convert.ToInt32(Console.ReadLine());
            Console.Write("Enter Day: ");
            int day = Convert.ToInt32(Console.ReadLine());
            Console.Write("Enter Year: ");
            int year = Convert.ToInt32(Console.ReadLine());
            DateTime deleteBeforeDate = new DateTime(year, month, day);

            // Dispose the SPSite when done; it holds unmanaged resources.
            using (SPSite site = new SPSite("http://localhost"))
            {
                // Query the log first so we keep a record of what is about to go.
                // SetRangeEnd scopes the query to entries older than the cutoff,
                // i.e. exactly the entries DeleteEntries will remove.
                SPAuditQuery query = new SPAuditQuery(site);
                query.SetRangeEnd(deleteBeforeDate);
                SPAuditEntryCollection report = site.Audit.GetEntries(query);

                // The backup lands in the working directory (bin\Debug when run from Visual Studio).
                using (TextWriter reportFile = new StreamWriter("auditreport.txt"))
                {
                    foreach (SPAuditEntry entry in report)
                    {
                        // SPAuditEntry.ToString() only returns the type name, so write the fields that matter.
                        reportFile.WriteLine("{0}\t{1}\t{2}\t{3}\t{4}\t{5}",
                            entry.Occurred, entry.Event, entry.UserId, entry.ItemType, entry.DocLocation, entry.EventData);
                    }
                }

                // This is the call that actually deletes the entries.
                int deleted = site.Audit.DeleteEntries(deleteBeforeDate);
                Console.WriteLine("Complete. Deleted {0} entries; auditreport.txt contains a list of all audit entries that were deleted.", deleted);
            }
        }
    }
}
</code>
If you want to integrate this functionality into your SharePoint site, you can create a custom ASPX page and implement the same logic there. If you want to do that, you can go through the MSDN link below.
That MSDN article builds a custom ASPX page for a different auditing feature, but you can follow the same steps to create a user interface for deleting audit log entries and archiving the data in a separate custom database or a text file. Two things to get right in such a page: restrict it to site collection administrators (reject the request unless SPContext.Current.Web.CurrentUser.IsSiteAdmin is true, rather than only hiding the menu link), and write the archive somewhere outside the site collection before calling DeleteEntries, since purging the audit trail is exactly what an intruder would do to cover their tracks.
1. Sample image 1
For example, first add a custom action to the Site Actions menu with a link that takes the administrator to the audit data deletion page.
2. Sample image 2
When that menu item is clicked, redirect the user to your custom ASPX page, which must be deployed to the LAYOUTS folder:
<Drive>:\Program Files\Common Files\Microsoft Shared\web server extensions\12\TEMPLATE\LAYOUTS
Sharing is a key activity in SharePoint Online and OneDrive for Business, and it's widely used in Office 365 organizations. Administrators can use sharing auditing in the Office 365 audit log to determine how sharing is used in their organization.
The SharePoint Sharing schema
Sharing events (not including events related to sharing policy and sharing links) are different from file- and folder-related events in one primary way: one user is performing an action that has an effect on another user. For example, User A gives User B access to a file. In this example, User A is the acting user and User B is the target user. In the SharePoint File schema, the acting user's action only affects the file itself: when User A opens a file, the only information needed in the FileAccessed event is the acting user. To address this difference, there is a separate schema, called the SharePoint Sharing schema, that captures more information about sharing events. This ensures that administrators have visibility into who shared a resource and the user the resource was shared with.
The Sharing schema provides two additional fields in an audit record related to sharing events:
- TargetUserOrGroupType: Identifies whether the target user or group is a Member, Guest, SharePointGroup, SecurityGroup, or Partner.
- TargetUserOrGroupName: Stores the UPN or name of the target user or group that a resource was shared with (User B in the previous example).
These two fields, in addition to other properties from the Office 365 audit log schema such as User, Operation, and Date, can tell the full story about which user shared what resource with whom and when.
There's another schema property that's important to the sharing story. When you export audit log search results, the AuditData column in the exported CSV file stores information about sharing events. For example, when a user shares a site with another user, this is accomplished by adding the target user to a SharePoint group. The AuditData column captures this information to provide context for administrators. See Step 2 for instructions on how to parse the information in the AuditData column.
SharePoint sharing events
Sharing is defined by when a user (the acting user) wants to share a resource with another user (the target user). Audit records related to sharing a resource with an external user (a user who is outside of your organization and doesn't have a guest account in your organization's Azure Active Directory) are identified by the following events, which are logged in the Office 365 audit log:
- SharingInvitationCreated: A user in your organization tried to share a resource (likely a site) with an external user. This results in an external sharing invitation sent to the target user. No access to the resource is granted at this point.
- SharingInvitationAccepted: The external user has accepted the sharing invitation sent by the acting user and now has access to the resource.
- AnonymousLinkCreated: An anonymous link (also called an 'Anyone' link) is created for a resource. Because an anonymous link can be created and then copied, it's reasonable to assume that any document that has an anonymous link has been shared with a target user.
- AnonymousLinkUsed: As the name implies, this event is logged when an anonymous link is used to access a resource.
- SecureLinkCreated: A user has created a 'specific people link' to share a resource with a specific person. This target user may be someone who is external to your organization. The person that the resource is shared with is identified in the audit record for the AddedToSecureLink event. The time stamps for these two events are nearly identical.
- AddedToSecureLink: A user was added to a specific people link. Use the TargetUserOrGroupName field in this event to identify the user added to the corresponding specific people link. This target user may be someone who is external to your organization.
Sharing auditing workflow
When a user (the acting user) wants to share a resource with another user (the target user), SharePoint (or OneDrive for Business) first checks if the email address of the target user is already associated with a user account in the organization's directory. If the target user is in the directory (and has a corresponding guest user account), SharePoint does the following things:
- Immediately assigns the target user permissions to access the resource by adding the target user to the appropriate SharePoint group, and logs an AddedToGroup event.
- Sends a sharing notification to the email address of the target user.
- Logs a SharingSet event. This event has a friendly name of 'Shared file, folder, or site' under Sharing and access request activities in the activities picker of the audit log search tool. See the screenshot in Step 1.
If a user account for the target user isn't in the directory, SharePoint does the following:
- Logs one of the following events, based on how the resource is shared:
- AnonymousLinkCreated
- SecureLinkCreated
- AddedToSecureLink
- SharingInvitationCreated (this event is logged only when the shared resource is a site)
- When the target user accepts the sharing invitation that's sent to them (by clicking the link in the invitation), SharePoint logs a SharingInvitationAccepted event and assigns the target user permissions to access the resource. If the target user is sent an anonymous link, the AnonymousLinkUsed event is logged after the target user uses the link to access the resource. For secure links, a FileAccessed event is logged when an external user uses the link to access the resource.
Additional information about the target user is also logged, such as the identity of the user the invitation is addressed to and the user who accepts the invitation. In some cases, these users (or email addresses) can be different.
How to identify resources shared with external users
A common requirement for administrators is creating a list of all resources that have been shared with users outside of the organization. By using sharing auditing in Office 365, administrators can generate this list. Here's how.
Step 1: Search for sharing events and export the results to a CSV file
The first step is to search the Office 365 audit log for sharing events. For more information (including the required permissions) about searching the audit log, see Search the audit log in the Security & Compliance Center.
- Go to https://protection.office.com.
- Sign in to Office 365 using your work or school account.
- In the left pane of the Security & Compliance Center, click Search > Audit log search. The Audit log search page is displayed.
- Under Activities, click Sharing and access request activities to search for sharing-related events.
- Select a date and time range to find the sharing events that occurred within that period.
- Click Search to run the search.
- When the search is finished running and the results are displayed, click Export results > Download all results. After you select the export option, a message at the bottom of the window prompts you to open or save the CSV file.
- Click Save > Save as and save the CSV file to a folder on your local computer.
Step 2: Use the PowerQuery Editor to format the exported audit log
The next step is to use the JSON transform feature in the Power Query Editor in Excel to split each property in the AuditData column (which consists of a multi-property JSON object) into its own column. This lets you filter columns to view records related to sharing.
For step-by-step instructions, see 'Step 2: Format the exported audit log using the Power Query Editor' in Export, configure, and view audit log records.
Step 3: Filter the CSV file for resources shared with external users
The next step is to filter the CSV for the sharing-related events described earlier in the SharePoint sharing events section. Alternatively, you can filter the TargetUserOrGroupType column to display all records where the value of this property is Guest. Neither filter is complete on its own: the Operations filter misses a share with a user who already has a guest account (logged as SharingSet, as described in the workflow above), and the Guest filter misses AnonymousLinkCreated, which records no target user at all. Apply both and take the union of the results.
After you've followed the instructions in the previous step to prepare the CSV file by using the Power Query Editor, do the following:
- Open the Excel file that you created in Step 2.
- On the Home tab, click Sort & Filter, and then click Filter.
- In the Sort & Filter dropdown list on the Operations column, clear all selections, then select one or more of the following sharing-related events and then click Ok.
  - SharingInvitationCreated
  - AnonymousLinkCreated
  - SecureLinkCreated
  - AddedToSecureLink
  Excel displays the rows for the events you selected.
- Go to the column named TargetUserOrGroupType and select it.
- In the Sort & Filter dropdown list, clear all selections, then select TargetUserOrGroupType:Guest, and click Ok. Now Excel displays the rows for sharing events AND where the target user is outside of your organization, because external users are identified by the value TargetUserOrGroupType:Guest.
Tip
For the audit records that are displayed, the ObjectId column identifies the resource that was shared with the target user; for example, ObjectId:https://contoso-my.sharepoint.com/personal/sarad_contoso_com/Documents/Southwater Proposal.docx.
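The procedure in Steps 1 to 3, together with the event semantics from the SharePoint sharing events and workflow sections, carried out in code rather than in Excel. This is an added example and not part of the original article: it parses a constructed export in the shape of the CSV downloaded in Step 1 (columns CreationDate, UserIds, Operations, AuditData), expands the AuditData JSON as Step 2 does with Power Query, and applies the Step 3 filters. Every name, URL and timestamp in the sample is made up, and the AuditData objects are trimmed to the properties the script reads.

```python
"""List resources shared with external users from an exported
Office 365 audit log CSV (added example, not part of the original article)."""
import csv
import io
import json


def build_sample_export():
    """Construct a small export in the shape of the CSV downloaded from the
    audit log search: CreationDate, UserIds, Operations, AuditData. The
    AuditData objects are trimmed to the properties this script reads and
    every name, URL and timestamp is made up."""
    site = "https://contoso.sharepoint.com/sites/finance"
    rows = [
        # 1. File shared with a colleague: target is a Member, so internal.
        ("alice@contoso.com", "SharingSet", site + "/Shared Documents/Budget.xlsx",
         {"TargetUserOrGroupName": "carol@contoso.com", "TargetUserOrGroupType": "Member"}),
        # 2./3. A 'specific people' link to an outside address: SecureLinkCreated
        # carries no target; the paired AddedToSecureLink names the person.
        ("alice@contoso.com", "SecureLinkCreated", site + "/Shared Documents/Budget.xlsx", {}),
        ("alice@contoso.com", "AddedToSecureLink", site + "/Shared Documents/Budget.xlsx",
         {"TargetUserOrGroupName": "bob@fabrikam.com", "TargetUserOrGroupType": "Guest"}),
        # 4. Ordinary file access, not a sharing event.
        ("carol@contoso.com", "FileAccessed", site + "/Shared Documents/Budget.xlsx", {}),
        # 5. 'Anyone' link: no target user is recorded at all.
        ("dave@contoso.com", "AnonymousLinkCreated", site + "/Shared Documents/Forecast.pptx", {}),
        # 6. Site invitation to an address with no account in the directory.
        ("alice@contoso.com", "SharingInvitationCreated", site,
         {"TargetUserOrGroupName": "eve@fabrikam.com", "TargetUserOrGroupType": "Guest"}),
        # 7. Share with someone who already has a guest account: logged as
        # SharingSet, not as one of the invitation/link events.
        ("dave@contoso.com", "SharingSet", site + "/Shared Documents/Contract.docx",
         {"TargetUserOrGroupName": "frank@fabrikam.com", "TargetUserOrGroupType": "Guest"}),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["CreationDate", "UserIds", "Operations", "AuditData"])
    for n, (user, op, obj, extra) in enumerate(rows, start=1):
        data = {"CreationTime": "2020-03-02T10:%02d:00" % n, "Operation": op,
                "UserId": user, "ObjectId": obj, "Workload": "SharePoint"}
        data.update(extra)
        writer.writerow([data["CreationTime"], user, op, json.dumps(data)])
    return buf.getvalue()


SAMPLE_EXPORT = build_sample_export()


def expand_audit_data(csv_text):
    """Step 2 done in code instead of Power Query: parse the JSON in the
    AuditData column and merge its properties into the row."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        record = {k: v for k, v in row.items() if k != "AuditData"}
        record.update(json.loads(row["AuditData"]))
        records.append(record)
    return records


def is_external_share(record):
    """Step 3: keep a record if it shows a resource going outside the tenant."""
    if record.get("TargetUserOrGroupType") == "Guest":
        # External target. This also catches SharingSet/AddedToGroup for a
        # target who already has a guest account, which an Operations-only
        # filter on the four invitation/link events would miss.
        return True
    if record.get("Operation") == "AnonymousLinkCreated":
        # No target user is recorded for an 'Anyone' link, so a Guest-only
        # filter would miss it; treat the link itself as an external share.
        return True
    return False


def external_shares(csv_text):
    """Return (operation, acting user, resource, target) for every external share."""
    return [
        (r["Operation"], r["UserId"], r["ObjectId"],
         r.get("TargetUserOrGroupName", "<anyone with the link>"))
        for r in expand_audit_data(csv_text)
        if is_external_share(r)
    ]


if __name__ == "__main__":
    for op, user, obj, target in external_shares(SAMPLE_EXPORT):
        print("%-26s %-18s -> %-26s %s" % (op, user, target, obj))
```

Run it directly to print the four external shares in the sample. The SecureLinkCreated row is deliberately not reported, because its matching AddedToSecureLink row (logged with a near-identical timestamp) is the one that names the outside person; the SharingSet row to frank@fabrikam.com only surfaces through the Guest check, and the AnonymousLinkCreated row only surfaces through the operation check, which is why the function applies both.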