SharePoint Online activities not logged in CAS

%3CLINGO-SUB%20id%3D%22lingo-sub-156940%22%20slang%3D%22en-US%22%3ESharePoint%20Online%20activities%20not%20logged%20in%20CAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-156940%22%20slang%3D%22en-US%22%3E%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3EHello%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3EFor%20a%20collaboration%20solution%20with%20strict%20site%20governance%20based%20on%20SharePoint%20Online%2C%20we%20were%20planning%20to%20leverage%20CAS%20to%20notify%20the%20operations%20team%20when%20a%20site%20owner%20changes%20the%20access%20request%20settings%20of%20his%20site.%20There%20are%20two%20activities%20related%20to%20these%20access%20request%20settings%3A%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3EWebMembersCanShareModified%20and%20%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3EWebRequestAccessModified.%20%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3EWe've%20noticed%2C%20however%2C%20that%20neither%20of%20them%20appears%20in%20the%20Activity%20log%20of%20CAS%2C%20although%20both%20can%20be%20found%20in%20the%20audit%20logs%20of%20the%20Security%20and%20Compliance%20center.%20What's%20even%20more%20confusing%20is%20that%20the%20Activity%20Type%20field%20of%20CAS%20contains%20both%20activities%20and%20allows%20filtering%20and%20defining%20policies%20based%20on%20them%2C%20whereas%20the%20audit%20logs%20of%20the%20Security%20and%20Compliance%20Center%20do%20not%20allow%20alert%20definition%20based%20on%20these%20two.%26nbsp%3B%20This%20seems%20particularly%20odd.%20%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3EIs%20it%20true%20that%20not%20all%20SharePoint%20activities%20appears%20in%20CAS%20and%20%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3Ecan%20we%20expect%20a%20solution%20in%20order%20to%20be%20able%20to%20detect%20the%20modification%20of%20the%20access%20request%20settings%20and%20send%20out%20an%20alert%3F%20%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3E%26nbsp%3B%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3EThanks%20a%20lot.%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%20style%3D%22margin%3A%200cm%200cm%200pt%3B%22%3E%3CFONT%20color%3D%22%23000000%22%20face%3D%22Times%20New%20Roman%22%3EJohn%3C%2FFONT%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-156940%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECloud%20App%20Security%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharePoint%20Online%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-194391%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20activities%20not%20logged%20in%20CAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-194391%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F146681%22%20target%3D%22_blank%22%3E%40Eran%20Chencinski%3C%2FA%3Ethat%20is%20good%20news%2C%20when%20you%20do%20that%2C%20could%20you%20please%20make%20sure%20to%20use%20the%20attributes%20from%20Azure%20AD%2C%20instead%20of%20from%20the%20unified%20audit%20log%20in%20O365.%20I%20have%20noticed%20differences%2C%20and%20the%20AAD%20log%20is%20more%20helpful.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-194389%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20activities%20not%20logged%20in%20CAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-194389%22%20slang%3D%22en-US%22%3E%3CP%3EHi%20John%2C%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3ENew%26nbsp%3BSharePoint%20Online%20activities%20were%20recently%20added%20to%20CAS.%20They%26nbsp%3Binclude%20the%20activities%20you%20mentioned%2C%20so%20you%20can%20now%20create%20policies%20and%20alerts%20on%20those%20activities.%3C%2FP%3E%0A%3CP%3EIn%20general%2C%20the%20goal%20is%20to%20add%20all%20SharePoint%20Online%20activities%20to%20CAS.%20It%20might%20take%20some%20time%20to%20add%20new%26nbsp%3Bactivities%2C%20but%20they%20will%20be%20added.%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EEran%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-191868%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20activities%20not%20logged%20in%20CAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-191868%22%20slang%3D%22en-US%22%3E%3CP%3EHi%26nbsp%3B%40Deleted%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20seeing%20the%20same%20thing%20not%20only%20for%20SharePoint%20Online%20but%20also%20for%20other%20things%20like%20Sway%20or%20device%2Fnetwork%20access%20policy.%20I%20was%20hoping%20to%20find%20an%20overview%20of%20all%20the%20Audit%20log%20features%20compared%20to%20(M)CAS.%20I%20found%20one%20for%20the%20Audit%20log%20but%20not%20for%20CAS.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FSearch-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c%23PickTab%3DActivities%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fsupport.office.com%2Fen-us%2Farticle%2FSearch-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c%23PickTab%3DActivities%3C%2FA%3E%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EHope%20someone%20has%20an%20answer%20for%20this.%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-167338%22%20slang%3D%22en-US%22%3ERe%3A%20SharePoint%20Online%20activities%20not%20logged%20in%20CAS%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-167338%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F37951%22%20target%3D%22_blank%22%3E%40Niv%20Goldenberg%3C%2FA%3E%26nbsp%3Bcan%20you%20provide%20any%20insight%3F%3C%2FP%3E%3C%2FLINGO-BODY%3E
Deleted
Not applicable

Hello

 

For a collaboration solution with strict site governance based on SharePoint Online, we were planning to leverage CAS to notify the operations team when a site owner changes the access request settings of his site. There are two activities related to these access request settings:

WebMembersCanShareModified and

WebRequestAccessModified.

 

We've noticed, however, that neither of them appears in the Activity log of CAS, although both can be found in the audit logs of the Security and Compliance center. What's even more confusing is that the Activity Type field of CAS contains both activities and allows filtering and defining policies based on them, whereas the audit logs of the Security and Compliance Center do not allow alert definition based on these two.  This seems particularly odd.

 

Is it true that not all SharePoint activities appears in CAS and

can we expect a solution in order to be able to detect the modification of the access request settings and send out an alert?

 

Thanks a lot.

John

4 Replies

@Niv Goldenberg can you provide any insight?

Hi @Deleted,

 

I'm seeing the same thing not only for SharePoint Online but also for other things like Sway or device/network access policy. I was hoping to find an overview of all the Audit log features compared to (M)CAS. I found one for the Audit log but not for CAS.

 

https://support.office.com/en-us/article/Search-the-audit-log-in-the-Office-365-Security-Compliance-Center-0d4d0f35-390b-4518-800e-0c7ec95e946c#PickTab=Activities

 

Hope someone has an answer for this.

Hi John,

 

New SharePoint Online activities were recently added to CAS. They include the activities you mentioned, so you can now create policies and alerts on those activities.

In general, the goal is to add all SharePoint Online activities to CAS. It might take some time to add new activities, but they will be added.

 

Eran

@Eran Chencinskithat is good news, when you do that, could you please make sure to use the attributes from Azure AD, instead of from the unified audit log in O365. I have noticed differences, and the AAD log is more helpful.