This guide walks you through connecting SharePoint Online to TruU TOTAL for persona generation and threat detection.

Overview

TOTAL ingests document and collaboration activity events from SharePoint Online via the Office 365 Management Activity API. We poll the activity feed on a configurable interval to collect, normalize, and correlate file access, sharing, permission changes, and site administration events across your SharePoint environment.

Connector Type: Polling

Prerequisites

  • Microsoft Entra ID (Azure AD) access with Application Administrator or Global Administrator role
  • SharePoint Online enabled with active sites and document libraries
  • Microsoft 365 E3/E5 or equivalent license
  • Approximately 20 minutes to complete setup

Step 1: Register an Application in Entra ID

  1. Sign in to the Azure Portal
  2. Navigate to Microsoft Entra ID > App registrations
  3. Click New registration
  4. Enter:
    • Name: TruU TOTAL - SharePoint Integration
    • Supported account types: Accounts in this organizational directory only
    • Redirect URI: Leave blank
  5. Click Register
  6. On the app’s Overview page, copy:
    • Application (client) ID
    • Directory (tenant) ID
  7. Paste the Client ID and Tenant ID into the TruU Portal

Step 2: Create a Client Secret

  1. In your App Registration, go to Certificates & secrets
  2. Click New client secret
  3. Enter:
    • Description: TOTAL SharePoint integration
    • Expires: Choose your organization’s preferred expiry
  4. Click Add
  5. Immediately copy the secret Value — it will only be shown once
  6. Paste the Client Secret value into the TruU Portal

Step 3: Grant API Permissions

  1. In the App Registration, click API permissions
  2. Click Add a permission > Office 365 Management APIs > Application permissions
  3. Add the following permission:
    • ActivityFeed.Read — Read activity data for your organization
  4. Additionally, add Microsoft Graph > Application permissions:
    • Sites.Read.All — Read SharePoint site metadata for context enrichment
    • User.Read.All — Read user profiles for identity resolution
  5. Click Add permissions
  6. Click Grant admin consent for [Your Organization]
  7. Click Yes to confirm
All permissions are read-only. TOTAL cannot create, modify, or delete sites, documents, or permissions.

Step 4: Enable the Activity Feed Subscription

TOTAL will automatically start a subscription to the Audit.SharePoint content type via the Management Activity API. This is handled during the Test Connection step in the TruU Portal — no manual action is required on your part.

Step 5: Verify Connectivity

Once credentials are entered in the TruU Portal:
  1. Click Test Connection — TOTAL will validate credentials and start the activity feed subscription
  2. If successful, you’ll see a confirmation with recent SharePoint activity detected
  3. If configured, TOTAL will run a historical data pull (up to 7 days) to seed user personas

Security & Privacy

What We Access

  • Read-only access to SharePoint activity logs via the Office 365 Management Activity API
  • File access, modification, sharing, and deletion events (metadata only — not file contents)
  • Site and permission administration events
  • All queries use timestamp filtering — we only fetch new events since the last poll

What We Don’t Have Access To

  • File contents or document text
  • Write access to SharePoint sites or libraries
  • Ability to modify permissions, sharing settings, or site configuration
  • Access to SharePoint admin center functions

Updating or Rotating Credentials

  1. In Azure Portal, go to Entra ID > App registrations > TruU TOTAL - SharePoint Integration
  2. Go to Certificates & secrets
  3. Click New client secret (create the new one before deleting the old one)
  4. Copy the new secret value and paste it in the TruU Portal
  5. After TOTAL confirms the new secret is active, delete the old secret

Revoke Access

To immediately remove TOTAL’s access:
  1. Option A — Disable in the TruU Portal
  2. Option B — Remove the App Registration’s API permissions in Entra ID
  3. Option C — Delete the App Registration entirely

Rate Limiting & Scalability

Office 365 Management Activity API Rate Limits

Parameter                 | Limit
--------------------------+--------------------------------------
Management Activity API   | 60,000 requests per minute per tenant
Content blob availability | 5–15 minutes after event occurrence
Content retention         | 7 days (blobs expire after 7 days)
Throttle response         | HTTP 429 with Retry-After header

Ingestion Capacity

At ~1,000 req/s (60K req/min), the Management Activity API provides massive headroom. A large enterprise with 100K+ users typically generates 500K–5M SharePoint events/day. The practical throughput constraint is Microsoft’s content blob delivery lag (5–15 minutes), not the API rate limit itself. TOTAL processes content blobs in parallel as they become available.

Event Freshness

SharePoint events are delivered via content blobs that become available 5–15 minutes after the event occurs. TOTAL polls on a configurable interval (default: 5 minutes). End-to-end latency is typically 10–20 minutes.

Resilience

TOTAL uses cursor-based ingestion with at-least-once delivery. The polling cursor only advances after events are successfully collected, normalized, and published. If any step fails, the cursor stays put and the next poll replays from the last known-good position. No events are lost. Transient failures (429s, 5xx, timeouts) are retried automatically with exponential backoff. After 5 consecutive failures, the connector self-pauses and can be re-enabled from the TruU Portal. Content blobs are retained for 7 days — any outage shorter than that results in zero data loss. For outages exceeding 7 days, events older than 7 days are unrecoverable.
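The cursor and retry behaviour described above, as an added illustration that is not TruU's own connector code. The transport callables (list_content, fetch_blob, publish) are assumed injectable so the loop runs offline; the cursor is assumed to be the last published blob URI, and content_list_url builds Microsoft's documented content-listing endpoint for the Audit.SharePoint content type.

```python
import time

# Microsoft's documented Management Activity API content-listing endpoint; the
# tenant id is the Directory (tenant) ID copied in Step 1.
def content_list_url(tenant_id, start_time, end_time, content_type="Audit.SharePoint"):
    return (f"https://manage.office.com/api/v1.0/{tenant_id}/activity/feed/subscriptions/content"
            f"?contentType={content_type}&startTime={start_time}&endTime={end_time}")

class TransientError(Exception):
    """Raised by the transport for HTTP 429, 5xx or timeouts; carries Retry-After seconds."""
    def __init__(self, retry_after=None):
        super().__init__("transient failure")
        self.retry_after = retry_after

def backoff_delay(attempt, retry_after=None, base=1.0, cap=60.0):
    """Honour Retry-After when the API sends one, else exponential backoff capped at `cap`."""
    return float(retry_after) if retry_after is not None else min(cap, base * 2 ** attempt)

class SharePointPoller:
    MAX_CONSECUTIVE_FAILURES = 5   # after this many failed polls the connector self-pauses

    def __init__(self, cursor, list_content, fetch_blob, publish, sleep=time.sleep):
        self.cursor = cursor                 # last known-good position (assumed: last blob URI)
        self.consecutive_failures = 0
        self.paused = False
        self._list, self._fetch, self._publish, self._sleep = list_content, fetch_blob, publish, sleep

    def poll_once(self, max_attempts=4):
        """One poll. The cursor advances only after every blob is fetched and published."""
        if self.paused:
            return False
        for attempt in range(max_attempts):
            try:
                blob_uris = self._list(since=self.cursor)           # content list since cursor
                events = [e for uri in blob_uris for e in self._fetch(uri)]
                self._publish(events)                               # raises -> cursor stays put
                if blob_uris:
                    self.cursor = blob_uris[-1]                     # commit position
                self.consecutive_failures = 0
                return True
            except TransientError as err:
                self._sleep(backoff_delay(attempt, err.retry_after))
        self.consecutive_failures += 1
        if self.consecutive_failures >= self.MAX_CONSECUTIVE_FAILURES:
            self.paused = True                                      # re-enable from the Portal
        return False
```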

Connector Design

Each connector polls on an independent, configurable interval. Events are batched and published in per-user order to preserve sequence integrity for persona building. Connector workers are stateless and scale horizontally. All polling intervals, page sizes, and batching parameters are tunable from the TruU Portal.

Part 2: Event Types & Data Schema

Signal Classification

Signal Class        | TOTAL Category
--------------------+-----------------------
Productivity & SaaS | Activity, Data Access

Event Types We Ingest

TOTAL extracts the following categories of events from the SharePoint activity feed. Every event is tied to a specific UserId (human identity). The Office 365 Management Activity API provides granular event types across file operations, sharing, and access control — all attributable to the user who performed the action.

File Operation Events

Operation | Description | TOTAL Classification
--- | --- | ---
FileAccessed | User accessed a file | Data Access
FileDownloaded | User downloaded a file | Data Access
FileUploaded | User uploaded a file | Data Access
FileModified | User modified a file | Data Access
FileDeleted | User deleted a file | Data Access
FileDeletedFirstStageRecycleBin | File moved to first-stage recycle bin | Data Access
FileDeletedSecondStageRecycleBin | File permanently deleted from recycle bin | Data Access
FileRestored | User restored a file from recycle bin | Data Access
FileMoved | User moved a file between locations | Data Access
FileRenamed | User renamed a file | Data Access
FileCopied | User copied a file | Data Access
FileCheckedOut | User checked out a file | Data Access
FileCheckedIn | User checked in a file | Data Access
FilePreviewed | User previewed a file | Data Access
FileSyncDownloadedFull | User synced a full file download | Data Access
FileSyncUploadedFull | User synced a full file upload | Data Access
FileVersionsAllDeleted | All file versions deleted | Data Access

Sharing Events

Operation | Description | TOTAL Classification
--- | --- | ---
SharingSet | User shared a file or folder | Data Access
SharingRevoked | User revoked sharing on a resource | Data Access
SharingInvitationCreated | Sharing invitation sent | Data Access
SharingInvitationAccepted | Sharing invitation accepted | Data Access
AnonymousLinkCreated | Anonymous sharing link created | Data Access
AnonymousLinkUsed | Anonymous sharing link accessed | Data Access
AnonymousLinkRemoved | Anonymous sharing link removed | Data Access
CompanyLinkCreated | Company-wide sharing link created | Data Access
SecureLinkCreated | Secure sharing link created | Data Access
AddedToSecureLink | User added to a secure sharing link | Data Access

Site Administration Events

Operation | Description | TOTAL Classification
--- | --- | ---
SiteCollectionAdminAdded | User added as site collection admin | Admin
SiteCollectionAdminRemoved | User removed as site collection admin | Admin
MemberAdded | User added to a SharePoint group | Admin
MemberRemoved | User removed from a SharePoint group | Admin

Permission Events

Operation | Description | TOTAL Classification
--- | --- | ---
SitePermissionsModified | User’s site permissions changed | Admin
SharingInheritanceBroken | Unique permissions set on a resource for a user | Admin
SharingInheritanceReset | Permissions inheritance restored for a user | Admin

DLP & Compliance Events

Operation | Description | TOTAL Classification
--- | --- | ---
DLPRuleMatch | User’s action triggered a DLP policy rule match | Alert
SensitivityLabelApplied | User applied a sensitivity label to a document | Admin
SensitivityLabelRemoved | User removed a sensitivity label from a document | Admin
SensitivityLabelChanged | User changed a sensitivity label on a document | Admin

Sample Source Event (Office 365 Management Activity API — File Downloaded)

{
  "CreationTime": "2026-03-15T11:30:45.000Z",
  "Id": "e5f6a7b8-c9d0-1234-efgh-567890123456",
  "Operation": "FileDownloaded",
  "OrganizationId": "org-id-001",
  "RecordType": 6,
  "UserKey": "user-aad-id-001",
  "UserType": 0,
  "Workload": "SharePoint",
  "ClientIP": "198.51.100.42",
  "UserId": "jane.doe@acme.com",
  "EventSource": "SharePoint",
  "ItemType": "File",
  "Site": "https://acme.sharepoint.com/sites/engineering",
  "SiteUrl": "https://acme.sharepoint.com/sites/engineering",
  "SourceRelativeUrl": "Shared Documents/Confidential",
  "SourceFileName": "architecture-review-2026.docx",
  "SourceFileExtension": "docx",
  "UserAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
  "MachineDomainInfo": "ACME-WS-001",
  "MachineId": "machine-id-001",
  "ObjectId": "https://acme.sharepoint.com/sites/engineering/Shared Documents/Confidential/architecture-review-2026.docx",
  "ListId": "list-id-001",
  "ListItemUniqueId": "item-id-001",
  "CorrelationId": "corr-id-001",
  "CustomUniqueId": true,
  "SensitivityLabelId": "label-confidential-001",
  "SensitiveInfoTypeData": ""
}

TOTAL Normalized Event

{
  "event_id": "e5f6a7b8-c9d0-1234-efgh-567890123456",
  "event_type": "DATA_ACCESS",
  "source": "SHAREPOINT",
  "signal_type": "PRODUCTIVITY",
  "domain_id": "customer-domain-001",
  "tuid": "tuid-jane-doe-001",
  "timestamp": "2026-03-15T11:30:45.000Z",
  "payload": {
    "event_id": "e5f6a7b8-c9d0-1234-efgh-567890123456",
    "user": "jane.doe@acme.com",
    "action": "FileDownloaded",
    "site": "engineering",
    "file_name": "architecture-review-2026.docx",
    "file_extension": "docx",
    "file_path": "Shared Documents/Confidential",
    "ip_address": "198.51.100.42",
    "device": "ACME-WS-001",
    "sensitivity_label": "label-confidential-001"
  },
  "raw_metadata": {
    "platform_event_id": "e5f6a7b8-c9d0-1234-efgh-567890123456",
    "operation": "FileDownloaded",
    "workload": "SharePoint",
    "record_type": 6,
    "user_id": "jane.doe@acme.com",
    "user_key": "user-aad-id-001",
    "client_ip": "198.51.100.42",
    "user_agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
    "site_url": "https://acme.sharepoint.com/sites/engineering",
    "source_relative_url": "Shared Documents/Confidential",
    "source_file_name": "architecture-review-2026.docx",
    "source_file_extension": "docx",
    "item_type": "File",
    "machine_domain": "ACME-WS-001",
    "machine_id": "machine-id-001",
    "sensitivity_label_id": "label-confidential-001",
    "correlation_id": "corr-id-001",
    "created_at": "2026-03-15T11:30:45.000Z",
    "source_platform": "sharepoint"
  },
  "platform_event_id": "e5f6a7b8-c9d0-1234-efgh-567890123456",
  "platform_event_source": "OFFICE365_MANAGEMENT_ACTIVITY_API"
}
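The source-to-normalized mapping above, as an added worked example that is not TruU's own normalizer. It classifies operations using the event tables in this section and produces the payload and top-level fields shown (raw_metadata is left out to keep it short); the "ADMIN" and "ALERT" event_type names are assumptions, since the page only shows "DATA_ACCESS", and the sample record is a trimmed copy of the one above.

```python
from urllib.parse import urlparse

# Operation -> TOTAL event_type, taken from the event tables above. "ADMIN" and
# "ALERT" are assumed constant names; the page only shows "DATA_ACCESS".
CLASSIFICATION = {
    **dict.fromkeys([
        "FileAccessed", "FileDownloaded", "FileUploaded", "FileModified", "FileDeleted",
        "FileDeletedFirstStageRecycleBin", "FileDeletedSecondStageRecycleBin", "FileRestored",
        "FileMoved", "FileRenamed", "FileCopied", "FileCheckedOut", "FileCheckedIn", "FilePreviewed",
        "FileSyncDownloadedFull", "FileSyncUploadedFull", "FileVersionsAllDeleted", "SharingSet",
        "SharingRevoked", "SharingInvitationCreated", "SharingInvitationAccepted", "AnonymousLinkCreated",
        "AnonymousLinkUsed", "AnonymousLinkRemoved", "CompanyLinkCreated", "SecureLinkCreated",
        "AddedToSecureLink"], "DATA_ACCESS"),
    **dict.fromkeys([
        "SiteCollectionAdminAdded", "SiteCollectionAdminRemoved", "MemberAdded", "MemberRemoved",
        "SitePermissionsModified", "SharingInheritanceBroken", "SharingInheritanceReset",
        "SensitivityLabelApplied", "SensitivityLabelRemoved", "SensitivityLabelChanged"], "ADMIN"),
    "DLPRuleMatch": "ALERT",
}
# payload key -> source field, for the flat fields copied straight across.
PAYLOAD_FIELDS = {"file_name": "SourceFileName", "file_extension": "SourceFileExtension",
                  "file_path": "SourceRelativeUrl", "ip_address": "ClientIP",
                  "device": "MachineDomainInfo", "sensitivity_label": "SensitivityLabelId"}

# Constructed sample, trimmed from the FileDownloaded record shown above.
SAMPLE_EVENT = {
    "Id": "e5f6a7b8-c9d0-1234-efgh-567890123456", "Operation": "FileDownloaded",
    "CreationTime": "2026-03-15T11:30:45.000Z", "UserId": "jane.doe@acme.com",
    "ClientIP": "198.51.100.42", "MachineDomainInfo": "ACME-WS-001",
    "SiteUrl": "https://acme.sharepoint.com/sites/engineering",
    "SourceRelativeUrl": "Shared Documents/Confidential", "SourceFileExtension": "docx",
    "SourceFileName": "architecture-review-2026.docx", "SensitivityLabelId": "label-confidential-001",
}

def normalize(raw, domain_id, tuid):
    """Map one Management Activity API record to the TOTAL shape; None if the operation is not ingested."""
    event_type = CLASSIFICATION.get(raw.get("Operation"))
    if event_type is None:
        return None
    site = urlparse(raw.get("SiteUrl", "")).path.rstrip("/").rsplit("/", 1)[-1]  # ".../sites/engineering" -> "engineering"
    payload = {"event_id": raw["Id"], "user": raw["UserId"], "action": raw["Operation"], "site": site}
    payload.update({key: raw.get(src) for key, src in PAYLOAD_FIELDS.items()})
    return {"event_id": raw["Id"], "event_type": event_type, "source": "SHAREPOINT",
            "signal_type": "PRODUCTIVITY", "domain_id": domain_id, "tuid": tuid,
            "timestamp": raw["CreationTime"], "payload": payload, "platform_event_id": raw["Id"],
            "platform_event_source": "OFFICE365_MANAGEMENT_ACTIVITY_API"}
```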

How This Feeds TOTAL

Persona Building

SharePoint events define a user’s document access and data interaction pattern — which sites they visit, what files they access, how frequently they download or share documents, and what sensitivity levels they typically interact with. This forms the data access baseline of each persona, anchored to job function and routine.

Anomaly Detection

TOTAL’s behavioral engine uses SharePoint events to detect:
  • Data exfiltration indicators — bulk file downloads, unusual download volumes, or access to sensitive documents outside normal patterns
  • Sharing anomalies — creation of anonymous links to sensitive documents, sharing with external domains not in the user’s baseline
  • Permission escalation — unexpected site admin additions or permission level changes
  • Sensitivity label manipulation — removal or downgrade of sensitivity labels that may indicate an attempt to circumvent DLP controls
  • Access pattern drift — users accessing sites or document libraries outside their normal scope, indicating potential lateral movement or insider threat preparation
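Two of the detections listed above (bulk downloads against a per-user baseline, and anonymous links on labelled documents) run over constructed normalized payloads, as an added example that is not TOTAL's behavioral engine. The per-user hourly baseline, the rolling window and the 5x factor are assumptions standing in for the persona-derived thresholds.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")

def bulk_download_alerts(events, baseline_per_hour, window=timedelta(hours=1), factor=5):
    """Return users whose FileDownloaded count in any rolling window exceeds
    factor x their hourly baseline (baseline learned from the persona; 1 if unknown)."""
    recent = defaultdict(deque)
    flagged = set()
    for ev in sorted(events, key=lambda e: e["timestamp"]):
        if ev["action"] != "FileDownloaded":
            continue
        now, q = _ts(ev["timestamp"]), recent[ev["user"]]
        q.append(now)
        while now - q[0] > window:          # drop downloads that fell out of the window
            q.popleft()
        if len(q) > factor * baseline_per_hour.get(ev["user"], 1):
            flagged.add(ev["user"])
    return flagged

def anonymous_link_alerts(events):
    """Return AnonymousLinkCreated events on documents that carry a sensitivity label."""
    return [ev for ev in events
            if ev["action"] == "AnonymousLinkCreated" and ev.get("sensitivity_label")]

def _event(user, action, minute, label=None):
    return {"user": user, "action": action, "sensitivity_label": label,
            "timestamp": f"2026-03-15T11:{minute:02d}:00Z"}

# Constructed sample: jane pulls 15 files in half an hour against a baseline of 2/hour;
# bob downloads normally but creates an anonymous link to a labelled document.
EVENTS = ([_event("jane.doe@acme.com", "FileDownloaded", m) for m in range(0, 30, 2)]
          + [_event("bob@acme.com", "FileDownloaded", 5), _event("bob@acme.com", "FileDownloaded", 40),
             _event("bob@acme.com", "AnonymousLinkCreated", 41, label="label-confidential-001"),
             _event("bob@acme.com", "AnonymousLinkCreated", 42)])
BASELINE_DOWNLOADS_PER_HOUR = {"jane.doe@acme.com": 2, "bob@acme.com": 3}
```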

Breach Lifecycle Coverage

SharePoint events provide primary coverage across the Intent Exposed stage. Document access patterns are a core predictive indicator for exposing early intent and preparation — when a user begins accessing resources outside their normal routine, it often signals the earliest observable phase of an insider threat or compromised account.