Sharing links shows in audit logs as "GroupCreated"


I want to create a custom Alert Policy that notifies admins when a new 365 Group is created. This seems like a simple task, but we are getting flooded with "Group Created" alerts every time a user shares a file from SharePoint. It appears that behind the scenes, SharePoint is creating a system group of some sort to handle the access needed for the sharing link, and then the Audit Log detects this as "GroupAdded." There must be a way to handle this. What is the right way to create this alert policy without detecting every single shared link created?

From the Audit Log, I can see that the end user is creating a "Limited Access System Group":

{
    "Name": "Name",
    "NewValue": "Limited Access System Group For Web *ID_REMOVED*"
}

This lines up exactly with an Alert generated by the alert policy that shows the user was creating a sharing link from SharePoint:

{
    "NewValue": "SharingLinks.*ID_REMOVED*.OrganizationView.*ID_REMOVED*",
    "Name": "Name"
}

0 Replies
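
One way to triage this noise after export, as an added example that is not part of the original post and not a Microsoft alert-policy feature: the filter below separates group-creation records whose new name matches the two SharePoint system-group shapes quoted in the post from everything else, and keeps the suppressed names so they can be counted and spot-checked. It assumes the audit records are available as JSON objects (or JSON strings) whose `Name`/`NewValue` pairs sit in a `ModifiedProperties` list; that layout, the function names and the sample records are assumptions.

```python
import json
import re

# Name patterns taken from the two audit snippets in the post; the IDs are
# redacted there, so any non-empty token is accepted in their place.
SYSTEM_GROUP_PATTERNS = (
    re.compile(r"^Limited Access System Group For Web \S+$"),
    re.compile(r"^SharingLinks\.[^.\s]+\.[^.\s]+\.[^.\s]+$"),
)

def new_group_name(record):
    """Return the NewValue of the property called "Name", or None."""
    if isinstance(record, str):          # exported rows may hold raw JSON text
        record = json.loads(record)
    for prop in record.get("ModifiedProperties") or []:
        if prop.get("Name") == "Name":
            return prop.get("NewValue")
    return None

def split_group_events(records):
    """Split records into (alert, suppressed) name lists; nothing is dropped."""
    alert, suppressed = [], []
    for rec in records:
        name = new_group_name(rec)
        # A record without a readable name is never suppressed.
        if name and any(p.match(name) for p in SYSTEM_GROUP_PATTERNS):
            suppressed.append(name)
        else:
            alert.append(name)
    return alert, suppressed

# Constructed sample records (not real tenant data); ModifiedProperties as the
# enclosing list is an assumption about the export layout.
SAMPLE = [
    {"Operation": "GroupAdded", "ModifiedProperties": [
        {"Name": "Name", "NewValue": "Limited Access System Group For Web ID-0001"}]},
    json.dumps({"Operation": "GroupAdded", "ModifiedProperties": [
        {"Name": "Name", "NewValue": "SharingLinks.ID-0002.OrganizationView.ID-0003"}]}),
    {"Operation": "GroupAdded", "ModifiedProperties": [
        {"Name": "Name", "NewValue": "Finance Project Team"}]},
    {"Operation": "GroupAdded", "ModifiedProperties": [
        {"Name": "Name", "NewValue": "SharingLinks.lookalike"}]},
    {"Operation": "GroupAdded"},
]

if __name__ == "__main__":
    alert, suppressed = split_group_events(SAMPLE)
    print("alert on:", alert)
    print("suppressed:", suppressed)
```

The patterns are anchored on the full name shape rather than a bare prefix, so a group that merely starts with `SharingLinks.` still alerts, and a record with no readable name is passed through rather than hidden.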