"Used secure link" O365 audit log activity

Occasional Contributor

I have an O365 audit logging requirement from our business where they want to know if a link to a file that was shared in either OneDrive for Business or SharePoint Online was actually opened by the recipient.

 

In reviewing the following two articles:

 

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c...

 

https://docs.microsoft.com/en-us/office365/securitycompliance/search-the-audit-log-in-security-and-c...

 

...the second article mentions two logging activities called "Used a company shareable link” and “Used secure link”.

 

Does anyone know what data is included in those logged activities?  In other words, would I be able to tell from the logged activity 1)  Who the user was that used the link, 2)  What link they used, 3)  The name of the file they opened?  (I'm guessing that #3 can be figured out from examining the link in #2?)

 

Any feedback here would be appreciated.  Thank you! 

7 Replies

I'm not sure if this is already rolled out, but there will be email notifications upon opening the document for a first time, so that's one way to audit it. If the file was shared with an internal user, or external user with AAD account, you should still see the relevant "accessed file" entries in the Audit log.

@Vasil Michev, correct....From everything I read, the two action registrations in the audit log that were in my original post will be triggered when a recipient uses a link.  But I can't get from the Microsoft documentation what level of data goes along with these events in the log.  So I would need to know that one of those two "link used" actions was triggered, but also who did it and when.  It's not clear to me how to get the "who did it, and when" part of it from the logs.

The trouble with the "who" part is that this might be an anonymous link, or one not tied in to any Azure AD user object, thus there might not be a way for O365 to report who accessed the file. TBH, I haven't actually bothered to check what's audited in such scenario, I'm just thinking aloud here. But since it's fairly easy to test, I'll give it a go and see what I can dig out.

@Vasil Michev, thanks for any additional information that you can provide after testing.  I appreciate your effort!  As an additional piece of information, the use-case for needing this type of information could be something such as litigation around a certain topic related to documents that were shared within the company.  It sometimes becomes important to know not only what was shared and with whom, but whether or not they actually accessed that shared content.

Hi @Vasil Michev, did you get a chance to run any tests on this in your environment where you have this turned on?  Just curious to know if you found anything out.... 

 

Thanks, John

I did. The first good news is that the notifications I mentioned above seem to be already available:

 

SPOaccessnotification.png

And the corresponding records in the Audit logs contain all the information you need, including the user's email address and the file accessed.

OK, thanks @Vasil Michev for your effort on this!  I will pass this feedback to my IT and business colleagues who were inquiring about it.

 

John