O365 Anonymous Link Created or Updated

Anvilogic Forge

Summary
This detection rule monitors for the creation or updating of anonymous sharing links in SharePoint Online or OneDrive for Business. These links are a significant security risk because they let external users access shared content without any form of authentication, and because they are easy to pass along, they can expose sensitive information to unauthorized parties. The rule uses Splunk to extract the relevant logs and filters for 'AnonymousLinkCreated' or 'AnonymousLinkUpdated' events. These events identify when a link has been created or modified, so security teams can investigate potential misuse and protect sensitive data. The logic includes fields such as user information, source IP, and resource identifiers, which are useful for auditing and for enforcing sharing policies on confidential data. Detecting this activity is critical to guard against data exfiltration and unauthorized access to corporate resources.
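The filter described in the summary, as an added Python example (not the rule's own Splunk query or Anvilogic's code). It assumes one JSON audit record per line with the Office 365 unified audit log field names `Operation`, `UserId`, `ClientIP`, `ObjectId` and `Workload`; the sample records and the function names are constructed for illustration.

```python
import json
from collections import defaultdict

# Operation names the rule filters on (taken from the page).
ANON_LINK_OPS = {"AnonymousLinkCreated", "AnonymousLinkUpdated"}

# Constructed sample input: one JSON audit record per line (not real data).
SAMPLE_EVENTS = """\
{"CreationTime": "2024-10-11T09:14:02", "Operation": "AnonymousLinkCreated", "Workload": "OneDrive", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ObjectId": "https://example-my.sharepoint.com/personal/alice/Documents/payroll.xlsx"}
{"CreationTime": "2024-10-11T09:15:40", "Operation": "FileAccessed", "Workload": "SharePoint", "UserId": "bob@example.com", "ClientIP": "198.51.100.7", "ObjectId": "https://example.sharepoint.com/sites/hr/handbook.pdf"}
{"CreationTime": "2024-10-11T09:20:11", "Operation": "AnonymousLinkUpdated", "Workload": "SharePoint", "UserId": "alice@example.com", "ClientIP": "203.0.113.10", "ObjectId": "https://example.sharepoint.com/sites/finance/q3-forecast.xlsx"}
{"CreationTime": "2024-10-11T09:21:00", "Operation": "AnonymousLinkUsed", "Workload": "SharePoint", "UserId": "anonymous", "ClientIP": "192.0.2.55", "ObjectId": "https://example.sharepoint.com/sites/finance/q3-forecast.xlsx"}
this line is truncated {"Operation": "AnonymousLinkCreated"
"""

def detect_anonymous_links(raw):
    """Return one finding per anonymous-link creation or update record."""
    findings = []
    for line in raw.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip blank or malformed lines instead of aborting the run
        if not isinstance(event, dict) or event.get("Operation") not in ANON_LINK_OPS:
            continue  # link *use* and ordinary file access are out of scope for this rule
        findings.append({
            "time": event.get("CreationTime"),
            "operation": event["Operation"],
            "user": event.get("UserId", "unknown"),
            "src_ip": event.get("ClientIP", "unknown"),
            "resource": event.get("ObjectId", "unknown"),
            "workload": event.get("Workload", "unknown"),
        })
    return findings

def resources_by_user(findings):
    """Group affected resources per user so sharing can be reviewed in bulk."""
    grouped = defaultdict(list)
    for f in findings:
        grouped[f["user"]].append(f["resource"])
    return dict(grouped)

if __name__ == "__main__":
    for finding in detect_anonymous_links(SAMPLE_EVENTS):
        print(finding)
```
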
Categories
  • Cloud
  • Web
  • Application
Data Sources
  • Cloud Service
  • Application Log
ATT&CK Techniques
  • T1567.002
  • T1530
Created: 2024-10-11