Forum Discussion

sdedic's avatar
sdedic
Copper Contributor
Nov 13, 2022

Send Alert When File in SharePoint is Being Accessed

Hi all,   Is there a way to get the list of files which users are accessing or trying to access if they don't have permission inside a specific SharePoint site? And in addition to that is there a w...
alerts
automation
investigation
KQL
kusto
Log Data
solutions
Clive_Watson's avatar
Clive_Watson
Bronze Contributor
Nov 14, 2022

sdedic 

You can also look in the SIgninLogs, there are a few similar use cases in the Github: Azure-Sentinel/SuccessThenFail_SameUserDiffApp.yaml at 8f1a743d443059178fa30f3e779ea71940c5757f ยท Azure/Azure-Sentinel (github.com)

Or a simple example you can look at?

// failures
SigninLogs
| where ResultType !="0"
| where AppDisplayName in ("Office 365 SharePoint Online")
| project FailedLogonTime = TimeGenerated, UserId =UserPrincipalName, IPAddress , FailedAppDisplayName = AppDisplayName, ResultType, ResultDescription
| join 
(
    OfficeActivity
    | where OfficeWorkload in ("OneDrive", "SharePoint") and Operation in ("FileDownloaded", "FileAccessed")
    | summarize AccessedFilesCount = dcount(OfficeObjectId) by UserId, _ResourceId
    | sort by AccessedFilesCount desc nulls last
) on UserId

 If nothing else, you'd see other errors inc. Conditional Access ones (as mentioned in the other reply)

 

Resources