Real-time monitoring in SharePoint Online helps track user activities, security risks, and compliance violations. Using PnP PowerShell, we can:
Monitor file access & modifications
Detect unauthorized access attempts
Track external sharing activities
Automate alerts for suspicious activities
Step 1: Connect to SharePoint Online
First, establish a secure connection to SharePoint:
$adminUrl = "https://yourtenant-admin.sharepoint.com"
Connect-PnPOnline -Url $adminUrl -Interactive
Write-Host "Connected to SharePoint Online"
✔ Ensures secure authentication for real-time monitoring.
Step 2: Enable Unified Audit Logging
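To capture activity, make sure that Audit Log Search (unified audit logging) is enabled. This setting is changed from Exchange Online PowerShell, not PnP PowerShell:
# Requires the ExchangeOnlineManagement module
Connect-ExchangeOnline
Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled $true
Write-Host "Audit Log Search is enabled"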
✔ Required for capturing SharePoint Online activities.
Step 3: Fetch Real-time SharePoint Online Logs
Retrieve recent user actions, file access, and sharing events:
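# Search-UnifiedAuditLog is an Exchange Online cmdlet and needs a Connect-ExchangeOnline session
$StartDate = (Get-Date).AddMinutes(-15) # Monitor last 15 minutes
$EndDate = (Get-Date)
$logs = Search-UnifiedAuditLog -StartDate $StartDate -EndDate $EndDate -RecordType SharePointFileOperation -ResultSize 500
# ObjectId is stored inside the AuditData JSON, so expose it as a calculated property
$logs = $logs | Select-Object *, @{Name = 'ObjectId'; Expression = { ($_.AuditData | ConvertFrom-Json).ObjectId }}
$logs | Select-Object CreationDate, UserIds, Operations, ObjectId | Format-Table -AutoSize
✔ Fetches the last 15 minutes of SharePoint activity logs. Audit records are ingested with a delay, so a 15-minute window can miss events that are written to the log late.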
Step 4: Detect Suspicious Activities in Real-time
Filter logs for suspicious activities, like unauthorized access or file deletion:
$suspiciousLogs = $logs | Where-Object { $_.Operations -match "FileDeleted" -or $_.Operations -match "AccessDenied" }
if ($suspiciousLogs) {
    Write-Host "Suspicious activities detected:"
    $suspiciousLogs | Select-Object CreationDate, UserIds, Operations, ObjectId | Format-Table -AutoSize
} else {
    Write-Host "No suspicious activities detected."
}
✔ Detects file deletions & unauthorized access.
Step 5: Send Real-time Alerts via Email
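To notify the security team, send alerts using Power Automate or email from PowerShell:
# Run this inside the if ($suspiciousLogs) branch from Step 4 so mail is sent only when something was found
$To = "security@yourdomain.com"
$From = "noreply@yourdomain.com"
$Subject = "SharePoint Security Alert: Unauthorized Activity Detected"
$Body = "Suspicious activities detected in SharePoint. Check logs immediately."
# smtp.office365.com needs authenticated submission on port 587.
# $Credential is assumed to be a PSCredential for the sending mailbox, loaded from a secure store.
# Send-MailMessage is marked obsolete by Microsoft; Power Automate is the alternative named above.
Send-MailMessage -To $To -From $From -Subject $Subject -Body $Body -SmtpServer "smtp.office365.com" -Port 587 -UseSsl -Credential $Credential
Write-Host "Alert sent to security team"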
✔ Sends real-time security alerts via email.
Step 6: Automate Continuous Monitoring
To monitor SharePoint logs every 5 minutes, create a scheduled task:
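# The task runs unattended as SYSTEM, so the script cannot use the -Interactive sign-in from Step 1;
# it needs non-interactive (app-only, certificate-based) authentication.
# Restrict write access to the script file to administrators, because the task executes it as SYSTEM.
$taskName = "SharePoint Real-time Monitoring"
$scriptPath = "C:\Scripts\SharePointMonitoring.ps1"
# Quote the path so it still works if it ever contains spaces
$action = New-ScheduledTaskAction -Execute "PowerShell.exe" -Argument "-NoProfile -File `"$scriptPath`""
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 365)
Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -User "SYSTEM" -RunLevel Highest
Write-Host "Real-time monitoring scheduled every 5 minutes."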
✔ Ensures continuous SharePoint monitoring.
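Added example, not part of the original page: Step 3 queries a 15-minute window while Step 6 runs every 5 minutes, so each event is returned by several consecutive runs and would be alerted on repeatedly. The sketch below applies the Step 4 filter, skips records already reported, and flags a burst of deletions by one user. The function names, the state file, the burst threshold and all sample records (contoso.example) are assumptions constructed for illustration.

```powershell
# Constructed sample records shaped like Search-UnifiedAuditLog output; not real tenant data.
function New-SampleRecord($Id, $Minute, $User, $Op, $Url) {
    [pscustomobject]@{
        Identity     = $Id
        CreationDate = ([datetime]'2024-01-01 09:00').AddMinutes($Minute)
        UserIds      = $User
        Operations   = $Op
        AuditData    = @{ ObjectId = $Url; ClientIP = '203.0.113.10' } | ConvertTo-Json -Compress
    }
}

function Find-SuspiciousAuditRecord {
    param(
        [object[]]$Records,
        [string]$StatePath,                                      # hypothetical file of record IDs already alerted on
        [string[]]$Watched = @('FileDeleted', 'AccessDenied'),   # operations named in Step 4
        [int]$BurstThreshold = 3                                 # assumed value; tune per tenant
    )
    $seen = [System.Collections.Generic.HashSet[string]]::new()
    if (Test-Path $StatePath) { Get-Content $StatePath | ForEach-Object { [void]$seen.Add($_) } }

    $new = foreach ($r in $Records) {
        if ($r.Operations -notin $Watched) { continue }          # exact operation names, not a regex
        if (-not $seen.Add([string]$r.Identity)) { continue }    # already reported by an earlier run
        $data = $r.AuditData | ConvertFrom-Json                  # ObjectId and ClientIP live in the JSON
        [pscustomobject]@{
            Time = $r.CreationDate; User = $r.UserIds; Operation = $r.Operations
            ObjectId = $data.ObjectId; ClientIP = $data.ClientIP
        }
    }
    Set-Content -Path $StatePath -Value @($seen)                 # persist IDs for the next scheduled run
    $bursts = @($new | Where-Object Operation -eq 'FileDeleted' | Group-Object User |
        Where-Object Count -ge $BurstThreshold | Select-Object -ExpandProperty Name)
    [pscustomobject]@{ NewEvents = @($new); BurstUsers = $bursts }
}

$site = 'https://contoso.example/sites/hr'                       # placeholder URL
$all = @(
    New-SampleRecord 'id-1' 0  'alice@contoso.example' 'FileAccessed' "$site/plan.docx"
    New-SampleRecord 'id-2' 2  'bob@contoso.example'   'FileDeleted'  "$site/q1.xlsx"
    New-SampleRecord 'id-3' 2  'bob@contoso.example'   'FileDeleted'  "$site/q2.xlsx"
    New-SampleRecord 'id-4' 3  'bob@contoso.example'   'FileDeleted'  "$site/q3.xlsx"
    New-SampleRecord 'id-5' 12 'carol@contoso.example' 'AccessDenied' "$site/payroll.xlsx"
)
$state = Join-Path ([IO.Path]::GetTempPath()) 'sp-audit-seen-demo.txt'
Remove-Item $state -ErrorAction SilentlyContinue

$run1 = Find-SuspiciousAuditRecord -Records $all[0..3] -StatePath $state   # first poll
$run2 = Find-SuspiciousAuditRecord -Records $all -StatePath $state         # overlapping poll 5 minutes later
'Run 1: {0} new, burst users: {1}' -f $run1.NewEvents.Count, ($run1.BurstUsers -join ', ')
'Run 2: {0} new: {1}' -f $run2.NewEvents.Count, ($run2.NewEvents.Operation -join ', ')
```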
Step 7: Monitor Logs in Power BI
For visual insights, integrate real-time logs with Power BI:
1️⃣ Export logs to CSV
2️⃣ Import into Power BI
3️⃣ Create dashboards for activity monitoring
$logs | Export-Csv -Path "C:\Logs\SharePointActivity.csv" -NoTypeInformation
Write-Host "Logs exported for Power BI analysis"
✔ Provides real-time analytics & dashboards.