    Interpreting SharePoint Online Audit Records

    Posted on by Tony Redmond in Office, Office 365, and SharePoint Online

    SharePoint Office 365 Audit Records

    Microsoft Says SharePoint Online is Secure

    A recent Microsoft post entitled “SharePoint and OneDrive Security and Compliance: Security you can trust, control you can count on” sets out some reasons why Microsoft thinks SharePoint Online and OneDrive for Business are capable of handling today’s security challenges. Given that I store all my work in the cloud, I hope that the assertion is true.

    In any case, the post included the promise of a free eBook (in reality, a 22-page marketing white paper). The eBook “Securing your content in the new world of work with SharePoint and OneDrive eBook” makes a big thing of auditing, saying:

    “With advanced auditing in Office 365, you can track changes and user activity in SharePoint Online and OneDrive for Business. This allows you to audit changes made to files and site collections, as well as the users who made changes. Every user action is recorded for a full audit trail.”

    It also recommends that you use the “RESTful APIs” to get an “unprecedented level of visibility into user and admin transactions within Office 365.” Quite.

    SharePoint Audits Activity

    There’s both good and bad in these statements, or rather, some loose language. For instance, I have no idea what “advanced auditing in Office 365” means because there’s only the Office 365 audit log. Perhaps I missed the advanced class.

    It is true that the Office 365 audit log gathers a great deal of information about admin and user activity. Audit records from SharePoint and OneDrive for Business show up in the audit log about 15 minutes after events happen. The time difference is relatively short compared to some other Office 365 workloads and is accounted for by the need to gather events from multiple servers and normalize the events before ingestion into the audit log.

    Chatty Applications

    Compared to other Office 365 applications, SharePoint and OneDrive are “chatty” and generate many audit events. This might be due to the background in document management and the need to understand exactly what happens to documents during their lifecycle, but it means that a typical edit session for a document generates more audit records than you can imagine, especially when AutoSave is turned on for Office documents.

    The upshot is that searching through SharePoint audit records using the Audit log search in the Security and Compliance Center can be tiresome because so much noise exists. For example, Figure 1 shows many “Accessed File” audit records logged at the same time. “Accessed File” is the event you’d look for if you wanted to know who updated a document, so this is an important event for investigations. In this case, ten events proclaim that I accessed the _siteIcon_.jpg file within one second, a truly impressive performance on my part. Scrolling down, a further 17 records for the same file exist.

    Office 365 Audit Log SPO records
    Figure 1: Many instances of _siteIcon_.jpg appear in the Office 365 audit log (image credit: Tony Redmond)

    The Elusive _siteIcon_.jpg

    _siteIcon_.jpg is a system file that comes from the “Site Assets” folder of SharePoint sites (the full URL is available in the audit record). It is the graphic file for the avatar of the site. If you don’t upload a picture for the site, SharePoint builds a file based on the display name. Figure 2 shows a typical example.

    SPO Site Avatar
    Figure 2: Typical _siteIcon_.jpg file (image credit: Tony Redmond)

    _siteIcon_.jpg is only one of the system files for which SharePoint insists on logging audit records. Among the other files you should discard from audit results are AllItems.aspx, ByAuthor.aspx, EditForm.aspx, and Upload.aspx. There’s a lot of rubbish to remove to find the real data.

    Filtering is Needed

    Given that searches might return so many audit events, is this where you’d resort to the RESTful APIs to gain the promised unprecedented level of visibility?

    Well, no. Writing a program to use the APIs to search the Office 365 audit log will suffer from the same problem as the Audit log search. Unless you specify exactly what you’re looking for, a search will return many events for you to review. Precision and accuracy in search operations is paramount when it comes to looking for information about SharePoint, no matter what tool you use.

    And besides, you don’t need to resort to the RESTful APIs to search programmatically. The Search-UnifiedAuditLog cmdlet does a good job of searching for audit records if you are precise in what you ask it to retrieve.

    For instance, this command restricts the search for a specific event in a two-hour window:

    Some work is necessary to interpret the data returned from the audit log to extract details of the document and filter out system rubbish, but that can be done in a few lines of code. I will return to this point and explain how I filter audit records for SharePoint in a future article.
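    As an added example (my own code, not the command from the article), here is one way to do both of the things described above: run Search-UnifiedAuditLog for a single event type in a two-hour window, then expand the AuditData JSON and throw away the system files listed earlier. It assumes an Exchange Online PowerShell session that already holds the audit log role; the list of files to exclude, the function name, and the duplicate-collapsing step are my choices, not anything the article prescribes.

```powershell
# Added example, not from the article. Assumes Connect-ExchangeOnline has
# already been run with an account that can read the Office 365 audit log.

# Two-hour window ending now.
$End   = Get-Date
$Start = $End.AddHours(-2)

# System files the article identifies as audit noise; extend as you find more.
$SystemFiles = @('_siteIcon_.jpg', 'AllItems.aspx', 'ByAuthor.aspx',
                 'EditForm.aspx', 'Upload.aspx')

function Select-SpoFileAudit {
    # Expand the AuditData JSON carried by each audit record and drop
    # records that refer to SharePoint system files. The property names
    # (SourceFileName, SiteUrl, SourceRelativeUrl, ...) are the standard
    # fields of a SharePointFileOperation audit record.
    param(
        [Parameter(ValueFromPipeline = $true)] $Record,
        [string[]] $Exclude = $SystemFiles
    )
    process {
        $Data = $Record.AuditData | ConvertFrom-Json
        if ($Exclude -contains $Data.SourceFileName) { return }
        [PSCustomObject]@{
            Time      = [DateTime]$Data.CreationTime
            User      = $Data.UserId
            Operation = $Data.Operation
            File      = $Data.SourceFileName
            Folder    = $Data.SourceRelativeUrl
            Site      = $Data.SiteUrl
            ClientIP  = $Data.ClientIP
        }
    }
}

# Ask only for FileAccessed events from SharePoint file operations in the
# window; ResultSize 5000 is the per-call maximum for this cmdlet.
$Records = Search-UnifiedAuditLog -StartDate $Start -EndDate $End `
    -RecordType SharePointFileOperation -Operations FileAccessed -ResultSize 5000

# Collapse the bursts of identical records (same second, user, file and
# operation) that AutoSave produces, so each access shows once.
$Records | Select-SpoFileAudit |
    Sort-Object Time, User, File, Operation -Unique |
    Format-Table Time, User, Operation, File, Folder, ClientIP -AutoSize
```

    Swap FileAccessed for FileModified or FileDownloaded to answer a different question, and add -UserIds or -ObjectIds to the Search-UnifiedAuditLog call when you already know the person or document you are investigating; the narrower the request, the less rubbish the filter has to remove afterwards.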

    Tools to Help

    Given that no one particularly likes to trawl through vast quantities of audit records looking for the proverbial needle in the audit haystack, I suspect that Microsoft had tools like Office 365 Activity Alerts or Advanced System Management in mind when they mentioned “advanced auditing.” These are good options, if you’re willing to pay for premium licenses. Cheaper ISV products like Radar for Security and Audit are available to apply intelligent filters to SharePoint (and other workload) audit data. Everything works off the same data set, so choose your tool and get to know how to exploit Office 365 audit data.

    Follow Tony on Twitter @12Knocksinna.

    Want to know more about how to manage Office 365? Find what you need to know in “Office 365 for IT Pros”, the most comprehensive eBook covering all aspects of Office 365. Available in PDF and EPUB formats (suitable for iBooks) or for Amazon Kindle.
