Vendors Microsoft Corporation Office 365 SharePoint Anonymous Link Created

SharePoint Anonymous Link Created

Public File Sharing - Data Exposure Risk

Records SharePoint Online anonymous link creation events where users create publicly accessible sharing links for files or folders, enabling external access without authentication

sharepoint external-sharing anonymous-access data-exposure collaboration

JSON Format 35 Fields Medium Frequency Generator

Preview Sample View Schema

Overview

Captures SharePoint Online events where users create anonymous sharing links ('Anyone with the link') for files or folders. These links allow unauthenticated access to content, creating potential data exposure risks, especially for sensitive documents in Finance, HR, or Legal sites.

When Generated:

User shares a file or folder via 'Anyone with the link' option
Anonymous sharing link created for collaboration with external partners
Accidental oversharing of confidential documents
Attacker with compromised account creates links for data exfiltration
Legitimate business sharing for public content

Security Relevance:

Medium

Compliance:

GDPR (Data Protection & Transfer) HIPAA (PHI Sharing Controls) PCI-DSS (Cardholder Data Protection) SOX (Financial Data Controls) NIST 800-53 (AC-3, AC-6, SC-7)

Frequency Notes:

Medium-high frequency in knowledge worker environments (15 events/hour baseline). Business hours show 3x activity as users actively collaborate. Suspicious patterns: anonymous links to Finance/HR/Legal sites, very long expiration dates (30+ days), Edit permissions (vs View-only), and links created outside business hours for sensitive content.

Resources

Documentation

Office 365 Management Activity API Schema official
SharePoint Online External Sharing Overview official
Manage Sharing Settings official
MITRE ATT&CK - Data from Cloud Storage (T1530) reference

Tools

Microsoft 365 Defender
Native detection for suspicious SharePoint sharing activities
SharePoint Admin Center
Configure external sharing policies and audit sharing links
Microsoft Cloud App Security
Monitor and control SharePoint sharing with DLP policies

Generation Configuration

Base Frequency: 15 events/hour

Time Patterns:

business_hours night_hours

Business Hours Multiplier: 3.0x

Night Hours Multiplier: 1.5x

Weekend Multiplier: 0.8x

Field Definitions

Complete field reference for this event type with data types, descriptions, and example values.

Field Name	Type	Required	Format	Description	Example	Possible Values
CreationTime Source: now() \| iso8601	DateTime	Required	`ISO 8601`	Timestamp when the anonymous link was created	`2024-12-15T13:29:41Z`	—
Id Source: random_guid()	String	Required	`GUID`	Unique identifier for this audit record	`c6d7e8f9-a0b1-2c3d-4e5f-6a7b8c9d0e1f`	—
Operation Source: Static value 'AnonymousLinkCreated'	String	Required	—	SharePoint operation performed	`AnonymousLinkCreated`	—
OrganizationId Source: Derived from organization domain	String	Required	`GUID`	Microsoft 365 tenant identifier	`b4c5d6e7-8f9a-0b1c-2d3e-4f5a6b7c8d9e`	—
RecordType Source: Static value 14	Integer	Required	—	Office 365 audit log record type (14 = SharePointSharingOperation)	`14`	`14` — SharePointSharingOperation - SharePoint and OneDrive sharing activities
ResultStatus Source: random_choice(['Success', 'Success', 'Success', 'Failed'])	String	Required	—	Outcome of the link creation operation	`Success`	`Success` — Anonymous link created successfully `Failed` — Link creation failed (permissions, policy restriction, or validation error)
UserKey Source: SharePoint membership format with user email	String	Required	`i:0#.f\|membership\|{email}`	Unique identifier for the user in SharePoint membership format	`i:0#.f\|membership\|user@contoso.com`	—
UserType Source: Static value 0	Integer	Required	—	Type of user creating the link	`0`	`0` — Regular user
Workload Source: Static value 'SharePoint'	String	Required	—	Office 365 service where the operation occurred	`SharePoint`	—
UserId Source: registry.get_random_user().email	String	Required	`Email/UPN`	User principal name of the account that created the link	`user@contoso.com`	—
ClientIP Source: random_choice([random_public_ip(), random_private_ip()])	String	Required	`IPv4`	IP address from which the link was created	`198.51.100.45`	—
ObjectId Source: SharePoint URL with site, library, and filename	String	Required	`URL`	Full SharePoint URL to the file or folder being shared	`https://contoso.sharepoint.com/sites/Finance/Shared Documents/Q4_Financial_Report.xlsx`	—
EventSource Source: Static value 'SharePoint'	String	Required	—	Source of the sharing event	`SharePoint`	—
ItemType Source: random_choice(['File', 'File', 'Folder'])	String	Required	—	Type of item being shared	`File`	`File` — Individual file being shared `Folder` — Folder being shared (higher risk - multiple files exposed)
ListId Source: random_guid()	String	Required	`GUID`	GUID of the SharePoint list/library containing the item	`f1e2d3c4-b5a6-7c8d-9e0f-1a2b3c4d5e6f`	—
ListItemUniqueId Source: random_guid()	String	Required	`GUID`	Unique identifier for the list item	`a1b2c3d4-e5f6-7a8b-9c0d-1e2f3a4b5c6d`	—
Site Source: random_guid()	String	Required	`GUID`	GUID of the SharePoint site	`b2c3d4e5-f6a7-8b9c-0d1e-2f3a4b5c6d7e`	—
UserAgent Source: Random modern browser user agent	String	Required	—	Browser user agent string	`Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36`	—
WebId Source: random_guid()	String	Required	`GUID`	GUID of the SharePoint web/subsite	`d3e4f5a6-b7c8-9d0e-1f2a-3b4c5d6e7f8a`	—
CorrelationId Source: random_guid()	String	Required	`GUID`	Correlation identifier for related operations	`e4f5a6b7-c8d9-0e1f-2a3b-4c5d6e7f8a9b`	—
EventData Source: XML with link type and expiration date	String	Required	`XML`	XML string containing sharing settings (AnonymousLinkType, Expiration)	`<SharingSettings><AnonymousLinkType>View</AnonymousLinkType><Expiration>2025-01-15T13:29:41Z</Expiration></SharingSettings>`	—
HighPriority Source: random_choice(['true', 'false', 'false']) - weighted toward normal priority	Boolean	Required	—	Indicates if this is a high-priority security event	`true`	—
Platform Source: Static value 'SharePointOnline'	String	Required	—	SharePoint platform identifier	`SharePointOnline`	—
SiteUrl Source: SharePoint site URL	String	Required	`URL`	Base URL of the SharePoint site	`https://contoso.sharepoint.com/sites/Finance`	—
SourceFileExtension Source: random_choice(['xlsx', 'docx', 'pdf', 'pptx', 'zip'])	String	Required	—	File extension of the shared item	`xlsx`	—
SourceFileName Source: Contextual filename with extension	String	Required	—	Name of the file being shared	`Q4_Financial_Report.xlsx`	—
SourceRelativeUrl Source: Relative path within SharePoint	String	Required	—	Relative URL path to the file	`sites/Finance/Shared Documents`	—
TargetUserOrGroupName Source: Static value 'Anyone with the link'	String	Required	—	Who can access via the anonymous link	`Anyone with the link`	—
TargetUserOrGroupType Source: Static value 'Anonymous'	String	Required	—	Type of sharing target	`Anonymous`	—
UniqueSharingId Source: random_guid()	String	Required	`GUID`	Unique identifier for this sharing link	`f7a8b9c0-d1e2-3f4a-5b6c-7d8e9f0a1b2c`	—
ExternalAccess Source: random_choice(['true', 'false', 'false'])	Boolean	Required	—	Indicates if the link was created from outside the corporate network	`true`	—
ModifiedProperties Source: Array with AnonymousLinkType and LinkExpiration	Array	Required	—	Properties showing link settings (type and expiration)	—	—
ModifiedProperties[].Name	String	Required	—	Property name (AnonymousLinkType, LinkExpiration)	`AnonymousLinkType`	—
ModifiedProperties[].NewValue Source: Link type (View, Edit, Review) or ISO date	String	Required	—	Link permission type or expiration date	`View`	`View` — Read-only access (lowest risk) `Edit` — Read and write access (higher risk) `Review` — View and comment access
ModifiedProperties[].OldValue Source: Empty string	String	Required	—	Previous value (empty for new links)	—	—

Details

Fields

Medium

Frequency

Feedback

No ratings yet