external_access_events
Surface external file accesses from enterprise admin logs, flagging downloads and previews by users outside your organization to identify potential data leakage.
Instructions
Surface external file access (DOWNLOAD / PREVIEW) from enterprise admin_logs.
Enterprise-wide (events stream): over the window, flags each access whose
actor (created_by.login) is outside the org domain allowlist — an
external party, or an anonymous open-link visitor (no login) — and whether it
came via a shared link. Aggregates to the top externally-accessed files and
the top external accessors, so an admin can spot unusual outbound data pulls.
Args:
since_hours: Look-back window in hours (default 24).
max_events: Cap on DOWNLOAD/PREVIEW events scanned (default 5000); the
result's capped flag is true when more existed (never silently
truncated).
top: How many top files / accessors to return (default 20).
created_by_logins: Comma-separated accessor logins to trace (empty = all).
When set, switches to DLP-tracing mode (see below).
Returns window_hours, events_scanned, capped,
external_access_count, via_shared_link, top_external_accessors
(login + count + bytes), and top_externally_accessed_files (item id/name/
owner + external-access count). On failure returns {"error": ...} (incl.
needs-login for an expired OAuth session).
Notes:
via_shared_linkcounts ALL scanned accesses that went through a shared link (internal and external), not just external ones.Events are scanned oldest-first from the window start. When
cappedis true the aggregates reflect only the scanned (earliest) slice, NOT the full window — raisemax_eventsfor a complete picture.DLP tracing (
created_by_loginsset): scans up to the wider ofmax_eventsand 50000 events (the accessor may sit anywhere in the window) but keeps only that accessor's events, so the answer to "which files did this account pull" is exact and bounded. The result reportsevents_matched(notevents_scanned— this mode doesn't track the scanned total; judge coverage bycapped),filtered_loginsandmatched_events(per access: item id/name, owner, size bytes+GB, created_at, event_type, accessor, via_shared_link); the aggregate is scoped to the filtered accessor(s).cappedtrue means the window was not fully scanned (raisemax_events).
Input Schema
| Name | Required | Description | Default |
|---|---|---|---|
| top | No | ||
| max_events | No | ||
| since_hours | No | ||
| created_by_logins | No |