Once audit logging has been enabled, events should begin appearing for activities. With regards to SharePoint and OneDrive sharing activity, items will have the following properties that are available for examination:
- TargetUserOrGroupType: This identifies the object type of the target being shared (valid options are Member, Guest, SharePointGroup, SecurityGroup, and Partner).
- TargetUserOrGroupName: This displays the identity of the object a resource was shared with.
- AuditData: This stores information about sharing events.
- Sharing Events: The following event activities will go into the audit data:
- SharingInvitationCreated: A user tried to share a resource.
- SharingInvitationAccepted: The user has accepted a sharing invitation.
- AnonymousLinkCreated: A user has created an anonymous link (also called an "Anyone" link).
- AnonymousLinkUsed: A previously created anonymous link has been used to access a resource.
- SecureLinkCreated: A user has created a "specific people link." The recipient is identified in the AddedToSecureLink event.
- AddedToSecureLink: A recipient, specified in TargetUserOrGroupName, was added to a "specific people link."
These activities can be discovered via the Security & Compliance Center Audit Log Search or PowerShell. An example of this can be seen in the following audit log entry:
You can export the records and manipulate them via Excel, Power BI, or other data analytics tools.