Know who is accessing externally shared files using the Microsoft Cloud App Security (MCAS) API
People share files using Teams, SharePoint or OneDrive for Business, and that's fine: it is one of the collaboration features these tools were built for. But when people share files externally, how can you track who is actually accessing the shared files?
First things first: I'm not going to cover the details of the sharing policies of these tools in this post; that is a topic for another discussion. Let's assume you have configured the sharing policy in a semi-open way, so users can only share documents with guests that already exist in your tenant.
At some point, your manager, a client or the security officer asks you for a report of all externally shared files. While this can be produced with the various reporting features in the Office 365 admin portals, it is more interesting to know which files are actually being accessed, and by whom. Even more interesting is the following question:
“who is accessing shared files, from a classified library? Can we get those events into Log Analytics?”
This is where the REST API of MCAS (Microsoft Cloud App Security) can help. We'll see how in a minute, but first let's look at how to access the API. You have to generate an API token first; this is done in the MCAS admin portal.
Go to: https://portal.cloudappsecurity.com
In the upper right corner, click the settings button
Navigate to Security extensions / API tokens
Create a new API token (note it down somewhere safe; I prefer an Azure Key Vault)
Note the MCAS URL shown on the API documentation link, e.g. yourtenantname.eu2.portal.cloudappsecurity.com
PowerShell Example
Ingest data into log analytics
Now that we have the information, we need to ingest it into Log Analytics. There are various community PowerShell modules that can do this; here I just want to show the plain code as an example.
It takes around 5 minutes for the new custom log data to propagate into your workspace. The logs are then searchable by the type "MCAS_CL".
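The three steps above, end to end, as an added PowerShell example; this is not the author's Azure Function code from the post. The vault and secret names, the MCAS URL and the MCAS filter and response field names (date/gte_ndays, data, hasNext) are assumptions, so check them against your tenant and the MCAS API documentation.

```powershell
# Added example, not the author's published function. Assumptions: Az.KeyVault is installed
# and Connect-AzAccount has been run; vault name, secret names and the MCAS URL are
# placeholders; the filter key 'date'/'gte_ndays' and the response fields 'data' and
# 'hasNext' follow the documented MCAS activities API, so check them against your tenant.
$vault     = 'my-keyvault'                                     # placeholder
$mcasUrl   = 'yourtenantname.eu2.portal.cloudappsecurity.com'  # your MCAS URL, see above
$mcasToken = Get-AzKeyVaultSecret -VaultName $vault -Name 'mcas-api-token'   -AsPlainText
$wsId      = Get-AzKeyVaultSecret -VaultName $vault -Name 'la-workspace-id'  -AsPlainText
$wsKey     = Get-AzKeyVaultSecret -VaultName $vault -Name 'la-workspace-key' -AsPlainText

# 1. Pull the last N days of activities from MCAS, following its paging (100 records/call).
function Get-McasActivities([string]$BaseUrl, [string]$Token, [int]$Days = 1) {
    $headers = @{ Authorization = "Token $Token"; 'Content-Type' = 'application/json' }
    $skip = 0; $limit = 100; $all = @()
    do {
        $body = @{ filters = @{ date = @{ gte_ndays = $Days } }; skip = $skip; limit = $limit } |
                ConvertTo-Json -Depth 5
        $page = Invoke-RestMethod -Method Post -Uri "https://$BaseUrl/api/v1/activities/" `
                                  -Headers $headers -Body $body
        if ($page.data) { $all += $page.data }
        $skip += $limit
    } while ($page.hasNext)
    return $all
}

# 2. Push records to the Log Analytics HTTP Data Collector API. Log-Type 'MCAS' becomes the
#    table MCAS_CL. Each request is signed with HMAC-SHA256 (workspace key) over the string
#    "POST\n<content-length>\napplication/json\nx-ms-date:<rfc1123 date>\n/api/logs".
function Send-ToLogAnalytics([string]$Id, [string]$Key, [string]$LogType, [object[]]$Records) {
    $bytes  = [Text.Encoding]::UTF8.GetBytes((ConvertTo-Json -InputObject $Records -Depth 10))
    $date   = [DateTime]::UtcNow.ToString('r')
    $toSign = "POST`n$($bytes.Length)`napplication/json`nx-ms-date:$date`n/api/logs"
    $hmac   = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = [Convert]::FromBase64String($Key)
    $sig    = [Convert]::ToBase64String($hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($toSign)))
    $uri    = "https://$Id.ods.opinsights.azure.com/api/logs?api-version=2016-04-01"
    $resp   = Invoke-WebRequest -UseBasicParsing -Uri $uri -Method Post -ContentType 'application/json' `
                  -Body $bytes -Headers @{ Authorization = "SharedKey ${Id}:$sig"
                                          'Log-Type' = $LogType; 'x-ms-date' = $date }
    return $resp.StatusCode   # 200 = accepted; MCAS_CL is searchable a few minutes later
}

# Send in batches of 500 records to stay well under the API's 30 MB per-request limit.
$activities = @(Get-McasActivities -BaseUrl $mcasUrl -Token $mcasToken)
for ($i = 0; $i -lt $activities.Count; $i += 500) {
    $batch = $activities[$i..([Math]::Min($i + 499, $activities.Count - 1))]
    Send-ToLogAnalytics -Id $wsId -Key $wsKey -LogType 'MCAS' -Records $batch
}
```

MCAS activity timestamps are epoch milliseconds, so the example leaves TimeGenerated at ingestion time rather than setting time-generated-field, which requires ISO 8601.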
Summary
In this post I showed you how to:
Get secrets from Azure Key Vault
Get information from the MCAS API
Ingest the information into a Log Analytics workspace
You can get the full code as a time-triggered Azure Function on github.com/drmiru.