Forum Discussion
SharePoint Online Forensics
Hello all,
we have a situation where someone put a file out in a shared space and someone accessed it that was not supposed to. How are we as O365 Admins supposed to tell when that document was accessed.
Our security manager does not trust Microsoft Graph as it is always showing incorrect information on his account (meaning on the SharePoint page controlled by graph, shows in his frequent sites, sites he has not visited)
So how as security stewards can we get forensics information about libraries, documents etc. My underdtanding is we do not have access to the SharePoint logs.
Thank you for your help on this
Doug
3 Replies
You should be able to view the audit logs via https://protection.office.com/#/unifiedauditlog and search for the file in question.
As a side note I do knwo about and understand "Audit Logs" in SharePoint online - however I am seeing that they were not turned on. So is there a way to retroactively see when someone accessed a document?
- As you say, best option you have is through audit logs and If those were not enabled is going to get difficult to get what you are looking for...only opportunity I se is to dig into the SPO Change log, but you will need a developer to help you on programatically access the SPO Change log
