Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

Sharing links shows in audit logs as "GroupCreated"

Iron Contributor

I want to create a custom Alert Policy that notifies admins when a new 365 Group is created.  This seems like a simple task, but we are getting flooded with "Group Created" alerts every time a user shares a file from SharePoint.  It appears that behind the scenes, SharePoint is creating a system group of some sort to handle the access needed for the sharing link, and then the Audit Log detects this as "GroupAdded."  There must be a way to handle this.  What is the right way to create this alert policy without detecting every single shared link created?  

 

From the Audit Log, I can see that the end user is creating a "Limited Access System Group":

{
    "Name": "Name",
    "NewValue": "Limited Access System Group For Web *ID_REMOVED*"

 

This lines up exactly with an Alert generated by the alert policy that shows the user was creating a sharing link from SharePoint:

{
"NewValue": "SharingLinks.*ID_REMOVED*.OrganizationView.*ID_REMOVED*",
"Name": "Name"
}

 

0 Replies