alert on External Sharing event

%3CLINGO-SUB%20id%3D%22lingo-sub-871688%22%20slang%3D%22en-US%22%3Ealert%20on%20External%20Sharing%20event%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-871688%22%20slang%3D%22en-US%22%3E%3CP%3EI'm%20trying%20to%20create%20an%20alert%20that%20will%20inform%20Security%20team%20on%20External%20Sharing%20event%20from%20Teams.%20I%20found%20that%20there%20are%20some%20controls%20over%20SharePoint%20and%20then%20some%20Activity%20Types%20related%20to%20sharing...%20but%20I%20don't%20know%20what%20each%20of%20this%20action%20means%20and%20how%20to%20narrow%20down%20to%20only%20'external%20sharing'%3F%3C%2FP%3E%3CP%3E-%20is%20there%20detailed%20documentation%20describing%20each%20Action%20Type%20for%20each%20App%3F%26nbsp%3B%3C%2FP%3E%3CP%3E-%20how%20distinguish%20between%20external%2Finternal%3F%26nbsp%3B%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3Ethx!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-LABS%20id%3D%22lingo-labs-871688%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3ECAS%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3Epolicies%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESecurity%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3ESharing%20%26amp%3B%20Publishing%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E%3CLINGO-SUB%20id%3D%22lingo-sub-872553%22%20slang%3D%22en-US%22%3ERe%3A%20alert%20on%20External%20Sharing%20event%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-872553%22%20slang%3D%22en-US%22%3E%3CP%3ETeams%20is%20using%20SharePoint%20for%20file%20storage%2C%20so%20you%20need%20the%20SPO%20controls%2Factions.%20The%20list%20of%20events%20generated%20can%20be%20found%20for%20example%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fsearch-the-audit-log-in-security-and-compliance%23sharing-and-access-request-activities%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fcompliance%2Fsearch-the-audit-log-in-security-and-compliance%23sharing-and-access-request-activities%3C%2FA%3E%3C%2FP%3E%0A%3CP%3E%26nbsp%3B%3C%2FP%3E%0A%3CP%3EIn%20MCAS%2C%20you%20can%20use%20the%20%22Access%20level%22%20controls%20as%20detailed%20here%3A%26nbsp%3B%3CA%20href%3D%22https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fdata-protection-policies%22%20target%3D%22_blank%22%20rel%3D%22noopener%20noreferrer%22%3Ehttps%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fcloud-app-security%2Fdata-protection-policies%3C%2FA%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E
Occasional Contributor

I'm trying to create an alert that will inform Security team on External Sharing event from Teams. I found that there are some controls over SharePoint and then some Activity Types related to sharing... but I don't know what each of this action means and how to narrow down to only 'external sharing'?

- is there detailed documentation describing each Action Type for each App? 

- how distinguish between external/internal? 

 

thx!

1 Reply

Teams is using SharePoint for file storage, so you need the SPO controls/actions. The list of events generated can be found for example here: https://docs.microsoft.com/en-us/microsoft-365/compliance/search-the-audit-log-in-security-and-compl...

 

In MCAS, you can use the "Access level" controls as detailed here: https://docs.microsoft.com/en-us/cloud-app-security/data-protection-policies