Microsoft365 External Document Sharing

Panther Rules

Summary
This detection rule monitors document sharing in Microsoft 365 to identify documents that are shared externally, which can expose sensitive information. It focuses on SharePoint, logging events in which documents are given secure links for external access. The objective is to ensure that sensitive documents are not shared with unauthorized users or groups. The rule's tests define expected results for specific sharing events, serving as compliance checks against expected behavior; each test captures event details such as the sharing operation, document metadata, user information, and whether the sharing was legitimate or unauthorized. When sensitive documents are shared without proper permissions, an alert is raised for further review. Users responsible for handling these documents must check them against the sensitive metadata to confirm compliance with sharing policies.
Categories
  • Cloud
  • Web
  • Application
  • Identity Management
Data Sources
  • User Account
  • Application Log
  • Cloud Service
  • File
  • Logon Session
ATT&CK Techniques
  • T1039
Created: 2022-12-13