SharePoint: How to Detect SP Group Membership Changes

Why It is Important

Timely detection of SharePoint Group Membership changes is critical for security. Group Membership changes can enable users to get access to sensitive data that they shouldn’t have, or even copy, modify, delete and distribute confidential information. Group Membership changes can be an indication of external or internal attackers attempting to exfiltrate sensitive data. Therefore, ongoing tracking of SharePoint Group Membership changes is crucial to minimizing the risk of data leaks and compliance violations.

Native Auditing

1. Navigate to Site Settings → Site Collection Administration → Site collection features → Choose “Reporting” → Press “Activate”.

2. Navigate to Site Settings → Site Collection Administration → Site collection audit settings → Mark “Editing Users and Permissions” events to audit in “List Libraries and Sites” settings.

3. Navigate to Site Settings → Site Collection Administration → Site collection audit settings → Set “Automatically trim the audit log for this site?” to “Yes” → Set trimming range time (30 days default) → Set the location you want to save the log before it will be trimmed → Click “OK”.

4. Navigate to Site Settings → Site Collection Administration → Audit log reports → Choose “Security Settings” report to view all permission changes made in your SharePoint.

5. Report example

   https://img.netwrix.com/landings/howtofriday/4/native-sharepoint-permissions_2015.png

Credits

Originally Posted - https://www.netwrix.com/how_to_detect_sharepoint_permission_changes.html