SharePoint Audit Log Event ID 28

SourceSharePoint (LOGbinder SP)
Audit FlagSecurityChange
Windows Security Log
 • Subcategory
Object Access
 • Application Generated
Type Success

28: SharePoint group member removed

This is an event from SharePoint audit event from LOGbinder SP generated by Audit Flag  SecurityChange.

On this page

A member was removed from a SharePoint group (see event ID 25 for more information on SharePoint groups).  This is an important event since members receive whatever permissions are assigned to the group. If a group is deleted at the same, time the group name may not be available. However the Group ID can be used to correlate to event ID 26 (SharePoint group deleted).

Free Security Log Resources by Randy

Description Fields in 28

  • Occurred: this is the date and time when SharePoint recorded the event to the internal SharePoint audit log and may be earlier than the date/time in the header of this event which reflects when LOGbinder SP wrote the event to Windows event log
  • Site: This is the URL of the site generating this event
  • User: name of the user who performed the action
  • Group
    • ID: The group identifier internal to SharePoint
    • Name: The group name in SharePoint (will not be available if the group is deleted)
  • Member
    • ID: The member identifier internal to SharePoint
    • Name: Name of the member in SharePoint

Setup PowerShell Audit Log Forwarding in 4 Minutes


Where Does This Event Come From?

This Event Is Produced By

Which Integrates with Your SIEM

Examples of 28

SharePoint group member removed
Occurred: 11/22/2011 12:07:11 AM
Site: http://sp2010-sp
User: System Account
  ID: 27
  Name: n/a
  ID: 17
  Name: Jack Striker

Top 10 Windows Security Events to Monitor

Free Tool for Windows Event Collection


Additional Resources