Share via

Purview report to see how downloaded files from specific SharePoint site

Mcintosh, Rebecca 141 Reputation points
2026-04-23T12:43:02.3166667+00:00

Hello!

I am trying to use Purview to generate a report of all downloaded files from a specific SharePoint site but have had no luck with results. I know that I downloaded files to my PC yesterday but my report is still showing zero results.

Can someone advise me what I should be entering into my search to get this data out?

  • Does the ObjectId need to be in a specific format? I'm currently entering my site URL. Does it need to specific my document library as well?
  • What Activities - friendly names should I be using (I have been using Downloaded File).
  • Do I need to input an Activities - operation name as well? Do I need to add in a Record Type?
Microsoft Security | Microsoft Purview
0 comments

Answer accepted by question author

  1. SAI JAGADEESH KUDIPUDI 2,625 Reputation points Microsoft External Staff Moderator
    2026-04-24T01:44:03.4466667+00:00

    Hi Mcintosh, Rebecca,

    Thanks for your question — I understand how confusing this can be when the audit results don’t match what you expect. Based on what you’ve described, the behavior you’re seeing is typically related to how Microsoft Purview Audit captures and filters SharePoint download events.

    1. Use the correct activity (operation name)
      Instead of relying on the friendly label “Downloaded file”, make sure you’re filtering on the actual operation:

    FileDownloaded

    This is the value stored in the audit logs and is required for accurate results.

    1. Avoid using Site URL in ObjectId
      The ObjectId field expects a full file path, not a site URL. For example:
    https://tenant.sharepoint.com/sites/SiteName/Shared Documents/file.xlsx

    If your goal is to report on all downloads from a site, it’s best to:

    Leave ObjectId empty, and

    Filter results using SiteUrl (if available) or post-process the exported data

    Using just the site URL in ObjectId will return zero results because audit entries are recorded at the file level, not the site level.

    1. Include the correct Record Type
      Make sure your query includes:

    SharePointFileOperation

    This ensures you're targeting the correct workload.

    1. Validate time range and ingestion delay
      Audit logs are not always immediate. There can be a delay before events appear.

    Try expanding your time range (e.g., last 24–48 hours)

    Then narrow it down once you confirm data is returning

    To quickly validate things are working, I’d suggest starting with a broad query:

    Activity: FileDownloaded

    Record Type: SharePointFileOperation

    Time range: Last 24–48 hours

    No ObjectId filter

    Once you see results, you can refine by user, file path, or site.
    The key point is that ObjectId cannot be used with just a SharePoint site URL, and the correct operation (FileDownloaded) must be used instead of the friendly name. Starting with a broader query and then narrowing it down is the most reliable way to retrieve download activity.

    If you still don’t see results after trying the above, it would be worth checking audit log availability and permissions in your tenant.

    Microsoft documentation for reference

    Hope this helps. If you have any follow-up questions, please let me know. I would be happy to help.
    Please do not forget to "Accept Answer" and "up-vote" wherever the information provided helps you, as this can be beneficial to other community members.

    1 person found this answer helpful.
    0 comments

1 additional answer

Sort by: Most helpful
Most helpful Newest Oldest
  1. Q&A Assist
    2026-04-23T12:43:16.2566667+00:00
    AI generated content. This question contains an answer created with AI from Q&A Assist. Learn more

    Use an Audit search in Data Security Investigations and filter on the Downloaded file activity for the specific site.

    Configuration in the Audit search page:

    1. Date and time range (UTC)
      • Set Start and End to include the time when the downloads occurred (for example, yesterday plus some buffer before/after).
    2. Activities
      • In Activities – friendly names, select Downloaded file.
      • Activities – operation names is optional; it is not required if the friendly name is already selected.
      • A Record Type value is not required in the Data Security Investigations audit search flow described in the documentation.
    3. Users (optional)
      • If the goal is to see only downloads performed by a specific person, add that user under Users.
    4. ObjectID (file, folder, or site)
      • Enter the full site path in ObjectID (file, folder, or site) to scope the search to that SharePoint site.
      • The documentation states this field accepts a file, folder, or site path; a site URL is valid and does not have to include a specific document library. Use the full site URL as it appears in SharePoint.
    5. Keyword search (optional)
      • Leave blank unless there is a need to filter further by specific keywords in the audit log entries.

    After configuring:

    1. Select Search to run the audit query.
    2. Review the results grid at the bottom of the Audit page to confirm that Downloaded file events for that site and date range are returned.

    If results still show zero:

    • Confirm the date/time range is correct and in UTC.
    • Ensure the downloads occurred in SharePoint/OneDrive (browser or sync client) so they are logged as Downloaded file activities.
    • Verify that the ObjectID value is exactly the site path (no typos, correct URL).

    References:

Your answer

Answers can be marked as 'Accepted' by the question author and 'Recommended' by moderators, which helps users know the answer solved the author's problem.