Query Details

SharePoint Downloads

Query

// SharePoint file downloads, including full sync-client downloads
OfficeActivity
| where RecordType == "SharePointFileOperation"
| where Operation == "FileDownloaded" or Operation == "FileSyncDownloadedFull"
// Match each download's ClientIP to the latest Heartbeat record for that IP
| join kind=inner (
    Heartbeat
    | summarize arg_max(TimeGenerated, *) by ComputerIP
    // arg_max(TimeGenerated, *) keeps every Heartbeat column, including Computer
    | extend ClientIP = tostring(ComputerIP)
) on ClientIP
| project TimeGenerated, ClientIP, Computer, Operation, OfficeWorkload, UserId, SourceFileName, OfficeObjectId
| sort by TimeGenerated desc

Explanation

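This query returns SharePoint file downloads (the FileDownloaded and FileSyncDownloadedFull operations) from OfficeActivity and joins each one, on client IP address, to the most recent Heartbeat record for that IP, so that every download is paired with the name of the computer reporting that address. It then projects the time, client IP, computer, operation, workload, user, file name and object ID, and sorts the results newest first. Because the join is an inner join, downloads from IP addresses with no matching Heartbeat record are not returned.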

Details

Rod Trent

Released: May 13, 2020

Tables

OfficeActivity, Heartbeat

Keywords

OfficeActivity,SharePointFileOperation,FileDownloaded,FileSyncDownloadedFull,Heartbeat,TimeGenerated,ComputerIP,ClientIP,Computer,OfficeWorkload,UserId,SourceFileName,OfficeObjectId

Operators

|, ==, where, or, join, kind=inner, summarize, arg_max, by, extend, tostring, on, project, sort by, desc
