The SharePoint Online and OneDrive for Business attack pattern that costs MSPs clients in 2026 is not ransomware encryption (SharePoint versioning handles most of that). It is the slow leak: a compromised user shares a folder with an external Gmail address, an over-privileged user downloads three years of accounting records the day before quitting, a Conditional-Access-exempt service account reads two thousand files from the Finance site in twenty minutes. Microsoft 365's unified audit log captures every one of those events. Almost nobody reads it.
Lavawall®'s SharePoint and OneDrive change-monitoring module consumes the unified audit log on a continuous cycle per tenant, retains the data for the contract term (well past Microsoft's 90–180 day default), and surfaces the patterns that matter: mass downloads, anomalous external sharing, sensitive-folder access bursts, sharing-link generation by users who normally don't generate sharing links. Each event is correlated with the actor's other Microsoft 365 activity, the endpoint they signed in from (via the Lavawall® agent), and the rest of the breach-detection findings.
What it monitors
- Every file activity in the unified audit log. File accessed, modified, uploaded, downloaded, deleted, moved, renamed, restored from recycle bin, permanently deleted, version restored, and over twenty more SharePoint and OneDrive event types — with actor UPN, client IP, file path, and site collection.
- External sharing. Anonymous link creation, sharing with an external recipient, external collaborator added to a site. The change feed shows the file, the actor, the recipient, and the permission level (read / edit / owner).
- Mass-download detection. A user downloading N files in M minutes from a site they don't normally access. Threshold configurable per site collection; the breach-detection module raises a high-severity finding when triggered.
- Ransomware-encryption pattern. Mass-modify events with file-rename and content-replacement patterns characteristic of ransomware affecting SharePoint Online. SharePoint's versioning gives recovery; Lavawall®'s detection gives time-to-detect.
- Site permission changes. Site collection administrator additions, site-level role assignments, hub-association changes, sensitivity-label changes — correlated with the configuration-backup change feed for the same tenant.
- Sharing-policy changes. Tenant-level and site-level external-sharing setting changes are captured in the configuration-backup module; the file-change module shows the resulting external-share events.
- OneDrive scope. Per-user OneDrive activity is treated the same as SharePoint site activity. Anomalous downloads from a OneDrive (typical departing-employee pattern) raise the same kind of finding.
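The two detections in the list above that lend themselves to a worked illustration are mass download (N files in M minutes, per-site threshold, sites the user does not normally access) and external sharing. The following is an added example written for this page, not Lavawall®'s code: it runs both checks over constructed records that use the unified audit log's field names (CreationTime, Operation, UserId, ClientIP, SiteUrl, SourceFileName, TargetUserOrGroupName, TargetUserOrGroupType). The threshold values, the 20-minute window, the tenant domain and the per-user baseline of "normal" sites are assumptions chosen for illustration.

```python
# Added example, not Lavawall's code: the mass-download and external-sharing
# detections described above, run over constructed unified-audit-log records.
# Thresholds, the window, the tenant domain and the per-user baseline of
# "normal" sites are assumptions chosen for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

TENANT_DOMAIN = "contoso.example"              # assumed tenant domain
DEFAULT_THRESHOLD = 50                         # N files ...
WINDOW = timedelta(minutes=20)                 # ... in M minutes
SITE_THRESHOLDS = {"https://contoso.example/sites/Finance": 25}  # per-site override
BASELINE_SITES = {                             # sites each user normally touches
    "alice@contoso.example": {"https://contoso.example/sites/Marketing"},
    "svc-backup@contoso.example": set(),
}
SHARING_OPS = {"SharingSet", "SharingInvitationCreated",
               "AnonymousLinkCreated", "AddedToSecureLink"}


def detect_mass_downloads(events):
    """One high-severity finding per (user, site) whose FileDownloaded count
    inside a sliding WINDOW reaches the site threshold, restricted to sites
    the user does not normally access."""
    windows, findings, flagged = defaultdict(deque), [], set()
    for ev in sorted(events, key=lambda e: e["CreationTime"]):
        if ev["Operation"] != "FileDownloaded":
            continue
        key = (ev["UserId"], ev["SiteUrl"])
        t = datetime.fromisoformat(ev["CreationTime"])
        q = windows[key]
        q.append(t)
        while q[0] < t - WINDOW:               # drop timestamps older than the window
            q.popleft()
        threshold = SITE_THRESHOLDS.get(ev["SiteUrl"], DEFAULT_THRESHOLD)
        normal = ev["SiteUrl"] in BASELINE_SITES.get(ev["UserId"], set())
        if len(q) >= threshold and not normal and key not in flagged:
            flagged.add(key)                   # one finding per user/site burst
            findings.append({"severity": "high", "user": ev["UserId"],
                             "site": ev["SiteUrl"], "count": len(q),
                             "window_minutes": int(WINDOW.total_seconds() // 60),
                             "client_ip": ev["ClientIP"]})
    return findings


def detect_external_shares(events):
    """Flag sharing operations whose recipient is outside the tenant:
    anonymous links, guest recipients, or any address in another domain."""
    findings = []
    for ev in events:
        if ev["Operation"] not in SHARING_OPS:
            continue
        recipient = ev.get("TargetUserOrGroupName") or ""
        anonymous = ev["Operation"] == "AnonymousLinkCreated"
        guest = ev.get("TargetUserOrGroupType") == "Guest"
        foreign = "@" in recipient and recipient.rsplit("@", 1)[1].lower() != TENANT_DOMAIN
        if anonymous or guest or foreign:
            findings.append({"severity": "medium", "user": ev["UserId"],
                             "file": ev["SourceFileName"], "operation": ev["Operation"],
                             "recipient": "anonymous link" if anonymous else recipient})
    return findings


def sample_events():
    """Constructed records using unified-audit-log field names; not real data."""
    base = datetime(2026, 3, 2, 2, 0, 0)
    fin, mkt = "https://contoso.example/sites/Finance", "https://contoso.example/sites/Marketing"

    def dl(user, site, i, ip):                 # one download every 15 seconds
        return {"CreationTime": (base + timedelta(seconds=15 * i)).isoformat(),
                "Operation": "FileDownloaded", "UserId": user, "ClientIP": ip,
                "SiteUrl": site, "SourceFileName": f"ledger-{i:03d}.xlsx"}

    def share(op, user, site, name, recipient=None, rtype=None):
        return {"CreationTime": "2026-03-02T02:30:00", "Operation": op, "UserId": user,
                "ClientIP": "198.51.100.7", "SiteUrl": site, "SourceFileName": name,
                "TargetUserOrGroupName": recipient, "TargetUserOrGroupType": rtype}

    events = [dl("alice@contoso.example", fin, i, "198.51.100.7") for i in range(30)]
    events += [dl("alice@contoso.example", mkt, i, "198.51.100.7") for i in range(5)]
    events += [dl("svc-backup@contoso.example", fin, i, "203.0.113.9") for i in range(10)]
    events += [
        share("SharingSet", "alice@contoso.example", fin, "payroll-2025.xlsx",
              "bob@gmail.example", "Guest"),
        share("SharingSet", "alice@contoso.example", mkt, "campaign.pptx",
              "carol@contoso.example", "Member"),
        share("AnonymousLinkCreated", "dave@contoso.example", fin, "board-pack.pdf"),
    ]
    return events


if __name__ == "__main__":
    evs = sample_events()
    for finding in detect_mass_downloads(evs) + detect_external_shares(evs):
        print(finding)
```

On the constructed input, only alice's burst against the Finance site (30 downloads in under eight minutes against a site threshold of 25, and a site absent from her baseline) produces a mass-download finding; her five Marketing downloads stay under the default threshold and hit a baseline site, and the service account's ten Finance downloads stay under the site threshold. The external-share check raises two findings, the guest share to a gmail address and the anonymous link, and ignores the intra-tenant share.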
How it works
Microsoft Graph integration. The module shares its Microsoft Graph application registration with the Lavawall® breach-detection and configuration-backup modules. One tenant onboarding covers all three. Read-only scopes throughout; no write access to SharePoint or OneDrive.
Ingestion cadence. The unified audit log is polled per tenant on a configurable cycle (typically 15–30 minutes). High-severity detections (mass download, anomalous external share) trigger immediate notification through the Lavawall® notifications framework; routine activity flows into the daily digest.
Endpoint correlation. A file-download event correlated with a Lavawall®-managed endpoint is materially more informative than the event alone. The change feed shows the endpoint hostname, the signed-in user, and the application that initiated the download. A finance partner downloading from a known endpoint at noon is unremarkable; the same UPN downloading from an endpoint not in the Lavawall® inventory at 2 AM is a finding.
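To show what the endpoint correlation in the paragraph above adds to a bare audit event, here is an added example, not Lavawall®'s code: a download record is joined against a constructed endpoint inventory keyed by egress IP, and the result is rated on whether the device is managed, whether it is assigned to the downloading user, and whether the download happened in business hours. The inventory, its field names, the IPs and the working-day window are assumptions; unified audit log timestamps are UTC, and the example treats them as already converted to the tenant's local time.

```python
# Added example, not Lavawall's code: the endpoint correlation described above.
# The inventory, the egress IPs and the business-hours window are assumed
# values (the unified audit log records CreationTime in UTC; the hours here
# are treated as already converted to the tenant's local time).
from datetime import datetime, time

ENDPOINT_INVENTORY = {                         # constructed agent inventory, keyed by egress IP
    "198.51.100.7": {"hostname": "FIN-LT-017", "assigned_user": "alice@contoso.example"},
    "198.51.100.8": {"hostname": "HR-LT-003", "assigned_user": "dave@contoso.example"},
}
BUSINESS_HOURS = (time(7, 0), time(19, 0))     # assumed working day
WEIGHTS = {"unmanaged": 2, "wrong_user": 2, "off_hours": 1}


def correlate_download(ev, inventory=ENDPOINT_INVENTORY):
    """Enrich one FileDownloaded record with endpoint context and score it.
    A managed device, its assigned user, daytime: info. Anything else adds
    weight; an unknown endpoint at night reaches high."""
    t = datetime.fromisoformat(ev["CreationTime"])
    endpoint = inventory.get(ev["ClientIP"])
    reasons = []
    if endpoint is None:
        reasons.append("unmanaged")
    elif endpoint["assigned_user"].lower() != ev["UserId"].lower():
        reasons.append("wrong_user")
    if not BUSINESS_HOURS[0] <= t.time() <= BUSINESS_HOURS[1]:
        reasons.append("off_hours")
    score = sum(WEIGHTS[r] for r in reasons)
    severity = ("high" if score >= 3 else "medium" if score == 2
                else "low" if score == 1 else "info")
    return {"user": ev["UserId"], "file": ev["SourceFileName"], "at": ev["CreationTime"],
            "client_ip": ev["ClientIP"],
            "hostname": endpoint["hostname"] if endpoint else None,
            "assigned_user": endpoint["assigned_user"] if endpoint else None,
            "reasons": reasons, "severity": severity}


def triage(events):
    """Correlate every download and return only the ones worth a human's time."""
    return [r for r in map(correlate_download, events) if r["severity"] != "info"]


SAMPLE_DOWNLOADS = [                           # constructed, unified-audit-log field names
    {"CreationTime": "2026-03-02T12:05:00", "Operation": "FileDownloaded",
     "UserId": "alice@contoso.example", "ClientIP": "198.51.100.7",
     "SiteUrl": "https://contoso.example/sites/Finance", "SourceFileName": "q1-forecast.xlsx"},
    {"CreationTime": "2026-03-02T02:13:00", "Operation": "FileDownloaded",
     "UserId": "alice@contoso.example", "ClientIP": "203.0.113.42",
     "SiteUrl": "https://contoso.example/sites/Finance", "SourceFileName": "payroll-2025.xlsx"},
    {"CreationTime": "2026-03-02T10:00:00", "Operation": "FileDownloaded",
     "UserId": "dave@contoso.example", "ClientIP": "198.51.100.7",
     "SiteUrl": "https://contoso.example/sites/HR", "SourceFileName": "salary-bands.docx"},
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_DOWNLOADS):
        print(finding["severity"], finding["user"], finding["hostname"], finding["reasons"])
```

The three constructed records reproduce the paragraph's contrast: the noon download from the user's own managed laptop is informational, the 2 AM download from an address no managed endpoint reports is high severity, and a download from a device assigned to someone else is medium even during the day. Keying the inventory by egress IP is the simplification here; an agent that reports the signed-in user and process alongside the download would let the join use those fields directly.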
Retention. Microsoft 365 retains audit data for 90 days on E3 plans and 180 days on E5 plans. Lavawall® ingests on the polling cycle and retains for the contract term, with export available in CSV, JSON, and the Lavawall®-native evidence-bundle format used by ThreeShield audit reports.
Audit and compliance use
SharePoint file activity is one of the most-asked categories in modern compliance assessments because it spans data exfiltration (the SOC 2 and ISO question) and personal-data handling (the privacy-law question). Lavawall® produces the audit-ready evidence for both. Reports are filterable by client, by site collection, by user, and by date range.
- SOC 2 — CC6.1 (logical access) and CC7.2 (system event monitoring).
- HIPAA — § 164.312(b) audit controls; PHI shared inappropriately is a reportable breach.
- PIPEDA / Alberta PIPA / BC PIPA / Quebec Law 25 — personal information transferred outside Canada requires safeguards; external sharing is the operational evidence layer.
- NIST SP 800-171 / CMMC 2.0 — AU.L2-3.3.1 (audit and accountability), MP.L2-3.8.1 (media protection).
- ISO 27001:2022 — A.5.34 (privacy and protection of PII), A.8.16 (monitoring activities).
Frequently asked
- Does this replace SharePoint's native audit log?
- No, it makes the native audit log useful. Microsoft 365's unified audit log records every SharePoint and OneDrive file activity, but it retains 90 days by default (180 days on E5), it does not produce alerts, and it does not correlate with anything else. Lavawall® consumes the same audit log, retains it for the contract term, correlates each event with the actor's other Microsoft 365 activity and the endpoint they signed in from, and surfaces the patterns that matter — mass downloads, sharing-to-personal, anomalous external sharing.
- What about OneDrive for Business?
- Covered. The same Microsoft Graph integration that handles SharePoint Online file activity covers OneDrive for Business. OneDrive is treated as a per-user SharePoint site in the unified audit log; Lavawall® surfaces both under one change feed with a site / user filter.
- Can you detect ransomware encrypting SharePoint files?
- Yes. Mass-modify events with entropy increases and extension renames are a defined detection in the breach-detection module. SharePoint and OneDrive's versioning gives you the recovery path; Lavawall®'s detection gives you the time-to-detect.
- How does this compare to AvePoint or Netwrix Auditor?
- AvePoint covers SharePoint with deep records-management and e-discovery features priced for enterprise content-governance programmes. Netwrix Auditor covers SharePoint change activity with deep regulator-style archives. Lavawall® covers the change monitoring and identity correlation MSPs actually use, bundled with the rest of the MSP platform at MSP pricing. For most MSPs, Lavawall® is sufficient and the bundle saves money; for enterprises with records-management or e-discovery as board-level concerns, AvePoint may still be the better fit.
- Is external-sharing visibility included?
- Yes. Files shared with external email addresses, anonymous-link sharing, and external-collaborator additions on SharePoint sites are first-class events. The change feed shows the actor, the recipient, the file, and the permission level granted.
Related Lavawall® pages
- Microsoft 365 / Entra / Azure breach detection
- M365 / Entra / Azure configuration change monitoring & rollback
- On-premises file change monitoring
- Google Drive change monitoring
- AD & M365 user reporting
- Lavawall® vs AvePoint Cloud Backup
- Lavawall® vs Netwrix Auditor
- Lavawall® vs Varonis
- Lavawall® pricing