Log who downloaded file on shared folder on domain

Tip Click a column header under Results to sort the results. Important You can download a maximum of 50, entries to a CSV file from a single audit log search.

File and page activities. Folder activities. Power BI activities. Yammer activities. Quarantine activities. Briefing email activities. MyAnalytics activities. Report activities. Exchange admin activities. Note Users can be either members or guests based on the UserType property of the user object.

Note The operation names listed in the Operation column in the following table contain a period. Note It takes up to 30 minutes for events that result from the activities listed under eDiscovery activities and Advanced eDiscovery activities in the Activities drop-down list to be displayed in the search results. Note Some Yammer audit activities are only available in Advanced Audit. Note Some Forms audit activities are only available in Advanced Audit.

Important Some Exchange Online cmdlets that aren't logged in the Exchange admin audit log or in the audit log. Submit and view feedback for This product This page. View all page feedback. In this article. This is related to the "Accessed file" FileAccessed activity.

A FileAccessedExtended event is logged when the same person continually accesses a file for an extended period up to 3 hours. The purpose of logging FileAccessedExtended events is to reduce the number of FileAccessed events that are logged when a file is continually accessed. This helps reduce the noise of multiple FileAccessed records for what is essentially the same user activity, and lets you focus on the initial and more important FileAccessed event.

A retention label was applied to or removed from a document. This event is triggered when a retention label is manually or automatically applied to a message. The record status of a retention label that classifies a document as a record was locked. This means the document can't be modified or deleted. Only users assigned at least the contributor permission for a site can change the record status of a document.

The record status of a retention label that classifies a document as a record was unlocked. This means that the document can be modified or deleted. User checks in a document that they checked out from a document library.

User checks out a document located in a document library. Users can check out and make changes to documents that have been shared with them. User copies a document from a site. The copied file can be saved to another folder on the site. A document or email that was marked as a record was deleted. An item is considered a record when a retention label that marks items as a record is applied to content.

User uploads a document to a site that's protected with a sensitivity label and the document has a higher priority sensitivity label than the sensitivity label applied to the site.

For example, a document labeled Confidential is uploaded to a site labeled General. This event isn't triggered if the document has a lower priority sensitivity label than the sensitivity label applied to the site. For example, a document labeled General is uploaded to a site labeled Confidential.

For more information about sensitivity label priority, see Label priority order matters. User discards or undoes a checked out file. That means any changes they made to the file when it was checked out are discarded, and not saved to the version of the document in the document library.

User or system account modifies the content or the properties of a document on a site. This is related to the "Modified file" FileModified activity. A FileModifiedExtended event is logged when the same person continually modifies a file for an extended period up to 3 hours. The purpose of logging FileModifiedExtended events is to reduce the number of FileModified events that are logged when a file is continually modified.

This helps reduce the noise of multiple FileModified records for what is essentially the same user activity, and lets you focus on the initial and more important FileModified event. User moves a document from its current location on a site to a new location.

These events typically occur in high volumes based on a single activity, such as viewing an image gallery. Some common scenarios where a service account performs a search query include applying an eDiscovery holds and retention policy to sites and OneDrive accounts, and auto-applying retention or sensitivity labels to site content.

User deletes all minor versions from the version history of a file. The deleted versions are moved to the site's recycle bin. User deletes all versions from the version history of a file. User deletes a version from the version history of a file.

The deleted version is moved to the site's recycle bin. User views a page on a site. This doesn't include using a Web browser to view files located in a document library. This is related to the "Viewed page" PageViewed activity. A PageViewedExtended event is logged when the same person continually views a web page for an extended period up to 3 hours. The purpose of logging PageViewedExtended events is to reduce the number of PageViewed events that are logged when a page is continually viewed.

This helps reduce the noise of multiple PageViewed records for what is essentially the same user activity, and lets you focus on the initial and more important PageViewed event. A user's client such as website or mobile app has signaled that the indicated page has been viewed by the user. This activity is often logged following a PagePrefetched event for a page.

NOTE : Because ClientViewSignaled events are signaled by the client, rather than the server, it's possible the event may not be logged by the server and therefore may not appear in the audit log. It's also possible that information in the audit record may not be trustworthy. However, because the user's identity is validated by the token used to create the signal, the user's identity listed in the corresponding audit record is accurate.

A user's client such as website or mobile app has requested the indicated page to help improve performance if the user browses to it. This event is logged to indicate that the page content has been served to the user's client. This event isn't a definitive indication that the user navigated to the page. When the page content is rendered by the client as per the user's request a ClientViewSignaled event should be generated. Not all clients support indicating a pre-fetch, and therefore some pre-fetched activities might instead be logged as PageViewed events.

User modifies a folder on a site. This includes changing the folder metadata, such as changing tags and properties. A user created a SharePoint list column. A list column is a column that's attached to one or more SharePoint lists. A user created a list content type. A list content type is a content type that's attached to one or more SharePoint lists. A user created a SharePoint site column. A site column is a column that isn't attached to a list.

A site column is also a metadata structure that can be used by any list in a given web. A user created a site content type. A site content type is a content type that's attached to the parent site.

A user updated a SharePoint list column by modifying one or more properties. A user updated a list content type by modifying one or more properties. A user updated a SharePoint list item by modifying one or more properties.

A user updated a SharePoint site column by modifying one or more properties. A user updated a site content type by modifying one or more properties.

An access request to a site, folder, or document was accepted and the requesting user has been granted access. User member or guest accepted a sharing invitation and was granted access to a resource. This event includes information about the user who was invited and the email address that was used to accept the invitation they could be different. This activity is often accompanied by a second event that describes how the user was granted access to the resource, for example, adding the user to a group that has access to the resource.

A sharing invitation sent by a user in your organization is blocked because of an external sharing policy that either allows or denies external sharing based on the domain of the target user.

In this case, the sharing invitation was blocked because: The target user's domain isn't included in the list of allowed domains.

Or The target user's domain is included in the list of blocked domains. For more information about allowing or blocking external sharing based on domains, see Restricted domains sharing in SharePoint Online and OneDrive for Business. User requests access to a site, folder, or document they don't have permissions to access.

User created a company-wide link to a resource. They can't be used by guests. User created an anonymous link to a resource. Anyone with this link can access the resource without having to be authenticated. User shared a resource in SharePoint Online or OneDrive for Business with a user who isn't in your organization's directory. User removed a company-wide link to a resource. The link can no longer be used to access the resource. User removed an anonymous link to a resource.

User member or guest shared a file, folder, or site in SharePoint or OneDrive for Business with a user in your organization's directory. The value in the Detail column for this activity identifies the name of the user the resource was shared with and whether this user is a member or a guest. This activity is often accompanied by a second event that describes how the user was granted access to the resource. For example, adding the user to a group that has access to the resource.

User updated an anonymous link to a resource. The updated field is included in the EventData property when you export the search results. An anonymous user accessed a resource by using an anonymous link. The user's identity might be unknown, but you can get other details such as the user's IP address. User member or guest unshared a file, folder, or site that was previously shared with another user.

A user was added to the list of entities who can use a secure sharing link. A user was removed from the list of entities who can use a secure sharing link. User successfully establishes a sync relationship with a site. The sync relationship is successful because the user's computer is a member of a domain that's been added to the list of domains called the safe recipients list that can access document libraries in your organization.

For more information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list. User tries to establish a sync relationship with a site from a computer that isn't a member of your organization's domain or is a member of a domain that hasn't been added to the list of domains called the safe recipients list that can access document libraries in your organization.

The sync relationship is not allowed, and the user's computer is blocked from syncing, downloading, or uploading files on a document library. For information about this feature, see Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list. This event has been deprecated along with the old OneDrive for Business sync app Groove.

Site collection administrator or owner adds a person as a site collection administrator for a site. Site collection administrators have full control permissions for the site collection and all subsites. This activity is also logged when an admin gives themselves access to a user's OneDrive account by editing the user profile in the SharePoint admin center or by using the Microsoft admin center.

User added a member or guest to a SharePoint group. This might have been an intentional action or the result of another activity, such as a sharing event. An item was changed so that it no longer inherits permission levels from its parent. An item was changed so that it no longer inherits sharing permissions from its parent. Site administrator or owner creates a group for a site, or performs a task that results in a group being created.

For example, the first time a user creates a link to share a file, a system group is added to the user's OneDrive for Business site. This event can also be a result of a user creating a link with edit permissions to a shared file. The Members Can Share setting was modified on a site.

Site administrator or owner or system account changes the permission level that is assigned to a group on a site. This activity is also logged if all permissions are removed from a group.

To find related events, you can search for other permission-related activities such as Added site collection admin , Added user or group to SharePoint group , Allowed user to create groups , Created group , and Deleted group. Site collection administrator or owner removes a person as a site collection administrator for a site.

This activity is also logged when an admin removes themselves from the list of site collection administrators for a user's OneDrive account by editing the user profile in the SharePoint admin center.

To return this activity in the audit log search results, you have to search for all activities. User removed a member or guest from a SharePoint group. This might have been an intentional action or the result of another activity, such as an unsharing event. User requests to be added as a site collection administrator for a site collection. A change was made so that an item inherits sharing permissions from its parent. Site administrator or owner changes the settings of a group for a site.

This can include changing the group's name, who can view or edit the group membership, and how membership requests are handled. A SharePoint or global administrator added an allowed data location in a multi-geo environment. A SharePoint or global administrator added a user agent to the list of exempt user agents in the SharePoint admin center.

A SharePoint or global administrator added a user as a geo admin of a location. Site administrator or owner adds a permission level to a site that allows a user assigned that permission to create a group for that site.

The Multi-Geo capability lets an organization span multiple Microsoft datacenter geographies, which are called geos. Any change to the settings in the sharing policy in your organization will be logged. The policy that was changed is identified in the ModifiedProperties field in the detailed properties of the event record. A SharePoint or global administrator changed the unmanaged devices policy for your organization.

This policy controls access to SharePoint, OneDrive, and Microsoft from devices that aren't joined to your organization. For more information, see Control access from unmanaged devices. A SharePoint or global administrator customized the list of exempt user agents in the SharePoint admin center. You can specify which user agents to exempt from receiving an entire web page to index. This means when a user agent you've specified as exempt encounters an InfoPath form, the form will be returned as an XML file, instead of an entire web page.

This makes indexing InfoPath forms faster. A SharePoint or global administrator changed the location-based access policy also called a trusted network boundary in the SharePoint admin center or by using SharePoint Online PowerShell.

Logs a SharingSet event. This event has a friendly name of "Shared file, folder, or site" under Sharing and access request activities in the activities picker of the audit log search tool. See the screenshot in Step 1. SharingInvitationCreated this event is logged only when the shared resource is a site. When the target user accepts the sharing invitation that's sent to them by clicking the link in the invitation , SharePoint logs a SharingInvitationAccepted event and assigns the target user permissions to access the resource.

If the target user is sent an anonymous link, the AnonymousLinkUsed event is logged after the target user uses the link to access the resource. For secure links, a FileAccessed event is logged when an external user uses the link to access the resource. Additional information about the target user is also logged, such as the identity of the user the invitation is to and the user who accepts the invitation.

In some case, these users or email addresses can be different. A common requirement for administrators is creating a list of all resources that have been shared with users outside of the organization.

By using sharing auditing in Office , administrators can generate this list. Here's how. The first step is to search the audit log for sharing events. For more information including the required permissions about searching the audit log, see Search the audit log. Under Activities , click Sharing and access request activities to search for sharing-related events.

After you select the export option, a message at the bottom of the window prompts you to open or save the CSV file. Wireless Hacking. Lecture 11 - Sex and Gender. What to Upload to SlideShare. Related Books Free with a 30 day trial from Scribd. The Art of War Sun Tsu. Uncommon Carriers John McPhee. Related Audiobooks Free with a 30 day trial from Scribd. Views Total views. Actions Shares. No notes for slide. How to share folders within a domain network 1. HOW to share a folder in the office based on the access right 1.

Now in the main folder that you have just created, create new folders. You will have the following windows open. You will have the following windows: You can now personalize the access right for the user.

For Full access, just to tick on the full access case and others will be selected automatically. You would think that in light of this being a concern Microsoft would have listened by now Thanks all for the quick responses! I wasn't finding anything clear myself.

A moving forward solution will do it in this case, as the client only presented the request today. Yeah Auditing is not enabled by default. As others have stated either is natively with Event Logs or using another tool to get them centrally. Brand Representative for Lepide. You might get lucky and if its a network share the user might still be shown depending on the timeline of this event. There is a trick that I stumbled on a while ago that you can try It only works if you have enabled Shadow Copy Precious Versions and are running a schedule that gets a chance to run after the change has been made, and it only works if a user made a change to, and saved the file.

Now, if you click the details tab on that version of the file, look for the entry under the Origin section called "Last Saved By". There you will see the user that accessed and saved a change to the file. Keep doing this for all of the versions that exist, and you can piece together who made changes to it. We use Netwrix Auditor to easily tell at a glance who accessed what file and when in a easy to read report. If you're looking for a more permanent solution may I suggest not only turning on file auditing, but forward those logs to a log server to analyse, also just a good all around thing to do.

Especially if any log tampering takes place. Also big plus to your security posture. LIke many others have pointed out, once auditing is enabled in group policy, you can activate the desired audit settings on the folder and Windows will log all relevant access to the event log. One problem with the audit events mostly event ID is that they can be somewhat cumbersome to analyze without a 3rd party tool, and they also provide limited information.

Third party tools may provide more information by correlating previous events or gathering more Infos from data contained in the events. EventSentry is a product that does just that with its File Access Tracking feature, but there are others of course. The advantage of EventSentry is that it will consolidate and store your events in a central database as well, for security and redundancy reasons.