Sharing links shows in audit logs as "GroupCreated"


I want to create a custom Alert Policy that notifies admins when a new 365 Group is created. This seems like a simple task, but we are getting flooded with "Group Created" alerts every time a user shares a file from SharePoint. It appears that behind the scenes, SharePoint is creating a system group of some sort to handle the access needed for the sharing link, and then the Audit Log detects this as "GroupAdded." There must be a way to handle this. What is the right way to create this alert policy without detecting every single shared link created?


From the Audit Log, I can see that the end user is creating a "Limited Access System Group":

    "Name": "Name",
    "NewValue": "Limited Access System Group For Web *ID_REMOVED*"


This lines up exactly with an Alert generated by the alert policy that shows the user was creating a sharing link from SharePoint:

    "NewValue": "SharingLinks.*ID_REMOVED*.OrganizationView.*ID_REMOVED*",
    "Name": "Name"


0 Replies
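An added example, not part of the original post: one way to triage exported audit records after the fact, dropping "GroupAdded" events whose group name matches the two system-generated patterns quoted above. The record layout (`Operation`, `UserId`, `ModifiedProperties`) and all sample values are assumptions constructed for illustration; only the `Name`/`NewValue` pairs come from the post.

```python
import re

# Name patterns copied from the two audit-log excerpts in the post.
SHARING_ARTIFACT_PATTERNS = (
    re.compile(r"^Limited Access System Group\b"),
    re.compile(r"^SharingLinks\."),
)

# Constructed sample records, not real log data. "Operation", "UserId" and
# "ModifiedProperties" are assumed field names; IDs are placeholders.
SAMPLE_RECORDS = [
    {"Operation": "GroupAdded", "UserId": "user1@example.com", "ModifiedProperties": [
        {"Name": "Name", "NewValue": "Limited Access System Group For Web PLACEHOLDER-ID"}]},
    {"Operation": "GroupAdded", "UserId": "user1@example.com", "ModifiedProperties": [
        {"Name": "Name", "NewValue": "SharingLinks.PLACEHOLDER-ID.OrganizationView.PLACEHOLDER-ID"}]},
    {"Operation": "GroupAdded", "UserId": "user2@example.com", "ModifiedProperties": [
        {"Name": "Name", "NewValue": "Finance Project Owners"}]},
    {"Operation": "GroupAdded", "UserId": "user3@example.com"},  # no name recorded
    {"Operation": "FileAccessed", "UserId": "user2@example.com"},  # unrelated event
]

def group_name(record):
    """Return the group's Name property, or None when the record has none."""
    for prop in record.get("ModifiedProperties") or []:
        if prop.get("Name") == "Name":
            return prop.get("NewValue") or ""
    return None

def is_sharing_artifact(record):
    """True when the group name matches a sharing-link system group pattern."""
    name = group_name(record)
    return bool(name) and any(p.search(name) for p in SHARING_ARTIFACT_PATTERNS)

def groups_worth_alerting(records, operations=("GroupAdded",)):
    """Group-creation events minus sharing-link artifacts.

    Records with no name are kept so they still reach a reviewer.
    """
    return [r for r in records
            if r.get("Operation") in operations and not is_sharing_artifact(r)]

if __name__ == "__main__":
    for rec in groups_worth_alerting(SAMPLE_RECORDS):
        print(rec["UserId"], group_name(rec))
```

Because the filter keys on the name alone, any group created with one of these prefixes is suppressed too, so it is worth counting the suppressed events rather than discarding them silently.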