Monitor your SharePoint Security with Audit Reports

SharePoint with its rich collaboration features enables us to very easily manage the content, share and collaborate on them.

Many organizations have been using SharePoint as the major content management and collaboration tool for a long time.  As the data and users grow, definitively one must take care of security and compliance actions to ensure data consistency, integrity, and security. SharePoint security report turns out to be our go-to feature in such cases.

As a part of the security and compliance feature, SharePoint provides Audit log reports that allow you to know who is accessing which SharePoint sites, lists, libraries, list items, and files in Site collections and what are they doing with them. This report clearly logs all the user activities along with the timestamps when the action is performed, which will help you to easily sort, filter and analyze the changes and effectively audit your entire SharePoint content.

For example, if some users shared the private content with external users outside of your organization or deleted some important files or granted some high privileges to the least privileged users, every type of these actions can be tracked using audit reports. Without audit reports, it is very difficult to find what and who made the changes to the content. SharePoint Audit log reports help us to find out these types of activities and fix any unwanted changes easily.

How to enable SharePoint Audit logs?

Before generating SharePoint audit log reports, we need to configure audit settings for a site collection.

SharePoint Servers

• Go to the Central Administration
• In the Application Management section: click “manage service applications”
• Select the ‘secure store service’ application
• On the ribbon, click ‘properties’
• In the ‘enable audit’ section: click to select the audit log enabled box
• To change the number of days that entries will be purged from the audit log file, specify the number in days in the ‘Days until Purge’ field – the default value is 30 days.
• Click OK.

SharePoint Online

• From the admin center, select Security & Compliance
• In the Compliance Center, expand Search
• Click the audit log search
• In the upper left corner of the page, click the Start recording user and admin activities link

Events available for Audit log reports

• Opened and downloaded documents, viewed items in lists, or viewed item properties (This event is not available for SharePoint Online sites)
• Edited items
• Checked out and checked in items
• Items that have been moved and copied to other location in the site collection
• Deleted and restored items
• Changes to content types and columns
• Search queries
• Changes to user accounts and permissions
• Changed audit settings and deleted audit log events
• Workflow events
• Custom events

Generate Audit Log Report

To view Audit log reports you need to be a site collection administrator.

• Go to site settings
• Under Site Collection Administration section, click Audit log reports.
• Choose proper report type
• Choose the location where to save the report.
• For the Customized report
  • Choose the Date Range to which the activities report should be restricted to (optional)
  • Choose to which user this report should be restricted to (Optional)
  • Choose the events you want this report should be restricted to. If not selected, the report will include all the events.
• Click OK

Audit log reports usages

By using the above Audit Log report and leveraging the pivot tables in excel, we can generate and track any activity details from the above-mentioned activities.

Below are some of the useful analysis reports that can be derived using audit reports.

Tracking user activities with SharePoint security report

1. User activity

By using an audit report, we can track who is performing what action on the SharePoint objects and can also generate the total number of activities, they performed on the site.

For example, by using the User Id and Events columns in the audit report, we can get the report of who performed which actions on SharePoint. Based on this we can analyze who is the most active user and who is frequently accessing or managing the site collections content.

By using an audit report, we can track who is accessing more and who is accessing less and his last activity time and can also generate the report of the user and his date-wise accessed count.

Last usage of Site Collection/Site/List/Library/Document/Folder/Item

By using the audit report, get the count of the event that occurred in a month or a day. Based on this we can track the last used date of site collection/site/list/library/document/folder/item.

By grouping the Document location and sort by Occurred date column, we can get the details for the file when it was last modified or accessed.

Who gave access to whom?

By using the audit log reports, we can know who gave access to whom on list/library/document/ site.

 For example, based on Event type as “Security Group Create”, “Security Role Definition Create” we can get the following.

Who removed access to whom?

By using the audit log reports, we can know who was given access to whom on list/library/document/ site.

 For example, based on Event type as “Security Group Delete”, “Security Role Definition Delete” we can get the information about who removed access from the list/library/site/document/ file/ item for whom.

Most searched query

By using the audit log reports, we can get the frequent search terms, and the sites in which the search was performed.

For example, Based on Event Type ‘Search’ we can get the most searched query on the site collection/sites/lists/libraries.

Most viewed document/item/folder

With the help of Audit log reports, we can know historical usage information of the document /item/folder. We can track more specific information by filtering the events.

For example, by filtering the document location and by counting occurred date we can get the document accessed count. With help of Event type, we can get most viewed/updated documents.

Most viewed documents by user

With help of Audit log reports, we can know historical usage information of the document /item /folder per-user level. For specific documents, we can see individual user counts. So, we can track who is frequently accessing the same information.

For Example, with the help of filters on User Id and document location columns,  and by counting occurred date, we can get the document accessed count by user wise and With the help of Event type, we can get the most viewed/updated documents.

We can sort, filter, and generate many kinds of activity or usage SharePoint security report. But one thing to note here is, if audit data is very large, SharePoint would provide them in a different excel file which would result in much more complexity to merge them and generate required analytics reports based on them and it’s very difficult to derive some complex analysis using those excel files.

So here any third-party tool that provides effective Audit reports management and other security and compliance features would save you from unexpected security threats and helps you easily track and analyze your SharePoint security.

One such tool is Saketa SharePoint Security Manager, which will help you to easily analyze, track and manage your entire SharePoint Security.  You can view your SharePoint items that are Shared externally or internally with users, manage access requests, clean orphan users and unused limited access, manage external users, manage sharing links, generate permission and audit reports and many more rich SharePoint security management features. Saketa SharePoint Migrator, being a one-stop for all your SharePoint needs does provide you with its full-fledged SharePoint security report as well as audit report features.