Query Details

Office Activity Files Shared to Guests from OneDrive

Query

//Find when files are shared from OneDrive to third party guests

//Data connector required for this query - Office 365

OfficeActivity
| where TimeGenerated > ago(7d)
| where OfficeWorkload == "OneDrive"
| where Operation in ("SecureLinkCreated", "AddedToSecureLink")
| where TargetUserOrGroupType == "Guest" or TargetUserOrGroupName contains "#EXT#"
| project
    TimeGenerated,
    ['User Who Shared']=UserId,
    ['Guest Granted Access']=TargetUserOrGroupName,
    ['File Shared']=OfficeObjectId
| sort by TimeGenerated desc 

Explanation

This query finds instances where files are shared from OneDrive to third-party guests. It requires the Office 365 data connector and filters the OfficeActivity table to events from the past 7 days in the OneDrive workload. It then keeps only the SecureLinkCreated and AddedToSecureLink operations, which are related to sharing files securely, and only rows where TargetUserOrGroupType is "Guest" or TargetUserOrGroupName contains "#EXT#", so that the results are limited to guests or external users. The final projection shows the time the event occurred, the user who shared the file, the guest who was granted access, and the file that was shared. The results are sorted in descending order by the time the event occurred.
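The filter logic above, applied to a small constructed table so it can be run in any Log Analytics workspace without real data. This is an added example, not part of the original query: the sample rows, the GuestDomain column and the per-user summary are illustrative, the time filter is omitted because the sample timestamps are fixed, and the domain extraction assumes guest names of the form name_domain#EXT#@tenant.

```kql
// Constructed sample rows (not real telemetry), using only the columns the query reads.
let SampleOfficeActivity = datatable(
    TimeGenerated: datetime, OfficeWorkload: string, Operation: string,
    UserId: string, TargetUserOrGroupType: string,
    TargetUserOrGroupName: string, OfficeObjectId: string)
[
    // OneDrive share to a target typed as Guest
    datetime(2022-06-15 09:00:00), "OneDrive", "SecureLinkCreated", "alice@example.com",
        "Guest", "bob_partner.example#EXT#@example.onmicrosoft.com",
        "https://example-my.sharepoint.com/personal/alice/Documents/plan.docx",
    // Target not typed as Guest, but the name carries a lower-case #ext# marker
    datetime(2022-06-15 10:30:00), "OneDrive", "AddedToSecureLink", "alice@example.com",
        "Member", "carol_vendor.example#ext#@example.onmicrosoft.com",
        "https://example-my.sharepoint.com/personal/alice/Documents/budget.xlsx",
    // Internal recipient
    datetime(2022-06-15 11:00:00), "OneDrive", "AddedToSecureLink", "dave@example.com",
        "Member", "erin@example.com",
        "https://example-my.sharepoint.com/personal/dave/Documents/notes.docx",
    // Guest share, but from the SharePoint workload
    datetime(2022-06-15 12:00:00), "SharePoint", "SecureLinkCreated", "dave@example.com",
        "Guest", "bob_partner.example#EXT#@example.onmicrosoft.com",
        "https://example.sharepoint.com/sites/team/Shared Documents/spec.docx",
    // OneDrive event for a guest, but not one of the two sharing operations
    datetime(2022-06-15 13:00:00), "OneDrive", "FileAccessed", "dave@example.com",
        "Guest", "bob_partner.example#EXT#@example.onmicrosoft.com",
        "https://example-my.sharepoint.com/personal/dave/Documents/notes.docx"
];
SampleOfficeActivity
| where OfficeWorkload == "OneDrive"
| where Operation in ("SecureLinkCreated", "AddedToSecureLink")
// "contains" is case-insensitive, so both "#EXT#" and "#ext#" match
| where TargetUserOrGroupType == "Guest" or TargetUserOrGroupName contains "#EXT#"
// Assumption: the text between the last "_" and "#EXT#" is the guest's home domain
| extend GuestDomain = tolower(extract(@"(?i)_([^_#]+)#ext#", 1, TargetUserOrGroupName))
| summarize
    Shares = count(),
    FilesShared = dcount(OfficeObjectId),
    GuestDomains = make_set(GuestDomain)
    by UserId
| sort by Shares desc
```

Against a real workspace, replace SampleOfficeActivity with OfficeActivity and restore the TimeGenerated filter from the query above.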

Details

Matt Zorich

Released: June 17, 2022

Tables

OfficeActivity

Keywords

OfficeActivity, TimeGenerated, OfficeWorkload, Operation, TargetUserOrGroupType, TargetUserOrGroupName, UserId, OfficeObjectId, sort

Operators

where, ago, ==, in, or, contains, project, sort by, desc
