Eric_H
Mar 24, 2021
Iron Contributor
Sharing links shows in audit logs as "GroupCreated"
I want to create a custom Alert Policy that notifies admins when a new 365 Group is created. This seems like a simple task, but we are getting flooded with "Group Created" alerts every time a user shares a file from SharePoint. It appears that behind the scenes, SharePoint is creating a system group of some sort to handle the access needed for the sharing link, and then the Audit Log detects this as "GroupAdded." There must be a way to handle this. What is the right way to create this alert policy without detecting every single shared link created?
From the Audit Log, I can see that the end user is creating a "Limited Access System Group":
{ "Name": "Name", "NewValue": "Limited Access System Group For Web *ID_REMOVED*"
This lines up exactly with an Alert generated by the alert policy that shows the user was creating a sharing link from SharePoint:
{
"NewValue": "SharingLinks.*ID_REMOVED*.OrganizationView.*ID_REMOVED*",
"Name": "Name"
}
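An added example, not part of the original post: a Python filter over exported audit records that separates the sharing-link system groups quoted above from other group-creation events. The two name prefixes come from the post; the record layout (an `Operation` field and a `ModifiedProperties` list of Name/NewValue pairs), the JSON-lines export format, and the sample records are assumptions constructed for illustration.

```python
import json

# Name prefixes taken from the audit entries quoted in the post.
SHARING_PREFIXES = ("Limited Access System Group", "SharingLinks.")

def group_name(record):
    """Return the NewValue of the 'Name' property, or None if absent."""
    for prop in record.get("ModifiedProperties") or []:
        if prop.get("Name") == "Name":
            return prop.get("NewValue")
    return None

def is_sharing_link_group(record):
    """True when the created group is a sharing-link system group."""
    name = group_name(record)
    return isinstance(name, str) and name.startswith(SHARING_PREFIXES)

def triage(lines):
    """Split JSON-lines audit records into (alertable, suppressed)."""
    alertable, suppressed = [], []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            # Fail open: unparseable records stay visible to the admin.
            alertable.append({"raw": line})
            continue
        if is_sharing_link_group(record):
            suppressed.append(record)
        else:
            # Records with no group name also land here, never suppressed.
            alertable.append(record)
    return alertable, suppressed

# Constructed sample export; IDs and the team name are placeholders.
SAMPLE = [
    '{"Operation": "GroupAdded", "ModifiedProperties": [{"Name": "Name", "NewValue": "Limited Access System Group For Web EXAMPLE-ID"}]}',
    '{"Operation": "GroupAdded", "ModifiedProperties": [{"Name": "Name", "NewValue": "SharingLinks.EXAMPLE-ID.OrganizationView.EXAMPLE-ID"}]}',
    '{"Operation": "GroupAdded", "ModifiedProperties": [{"Name": "Name", "NewValue": "Example Project Team"}]}',
    '{"Operation": "GroupAdded", "ModifiedProperties": [',
]

if __name__ == "__main__":
    alertable, suppressed = triage(SAMPLE)
    print(f"{len(alertable)} to alert on, {len(suppressed)} suppressed")
```

Matching is by name prefix only, so a group deliberately named with one of these prefixes would also be suppressed; the suppressed list is returned so it can still be reviewed.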