Skip to main content
Skyhigh Security

About the Skyhigh CASB DLP Monitor Add-in

DLP Monitor is a provider-hosted SharePoint Add-in from Skyhigh CASB. Provider hosted Add-ins have external components such as web application, database hosted externally from SharePoint Online subscription. More details about types of SharePoint Add-ins are here.

The DLP Monitor Add-in from Skyhigh CASB is backed by a web-application (owned by Skyhigh CASB) hosted in Microsoft Azure.

Download the Skyhigh CASB DLP Monitor Add-in from Download the SharePoint/OneDrive Add-in App

Why is this Add-in required?

This Add-in is used to register SharePoint remote event receivers for SharePoint and OneDrive sites to completely manage the following workflows:

  • Detect sensitive content being uploaded/updated in OneDrive and SharePoint and perform remediation actions specified in DLP policies.
  • Detect the activity of sharing sensitive content internally and externally (outside the organization).
  • Perform remediation actions, such as modifying sharing permissions, revoking collaboration, and removing public links on files.

SharePoint remote event receivers enable monitoring of file upload and sharing activity in near real-time. More information about remote event receivers can be found here.

Role of the Add-in

When an Office 365 admin installs and opens the Add-in, the admin is redirected to the Azure web application hosted by Skyhigh CASB. During the redirect, Office 365 passes the necessary authentication and authorization context to Skyhigh CASB Azure web application in the form of an access token.

Skyhigh CASB uses this access token to retrieve and list all SharePoint sites in the tenant so that admin can select a few SharePoint sites for event monitoring. Once selected for event monitoring, Skyhigh CASB uses the access token obtained in the above step to register remote event listeners for those SharePoint sites selected by the Office 365 admin.

As a result, when a user performs activity in SharePoint (in the selected sites only), Office 365 sends an event (HTTP) to Skyhigh CASB’s remote event receivers hosted in Azure.

Skyhigh CASB Azure web-app fetches any additional metadata for that event and sends the necessary information to Skyhigh CASB Cloud DLP which performs DLP check depending on the event type and DLP policies configured in the corresponding Skyhigh CASB tenant.

Installing the Add-in

Before installing the Add-in, an App Catalog site has to be created in the Office 365 tenant. Then the Add-in is uploaded in the App Catalog site. The Add-in can be installed in any SharePoint site, preferably in a site exclusively owned by Office 365 admin.

Permissions Required for the Add-in

During installation, Add-in prompts for the following permissions:

clipboard_ef7ac74028ea9eb1f6cd12acedc18e3d6

These permissions are required for registering remote event receivers, on-site collections, sites, and lists owned by any user in that Office 365 tenant.

NOTE: Skyhigh CASB will not modify any content in SharePoint or OneDrive through this Add-in. Any remediation actions such as deleting a file with sensitive content, modifying permissions on a shared folder are performed using SharePoint Online REST APIs. The OAuth access token obtained while enabling API access for OneDrive and SharePoint from Skyhigh CASB tenant, is used to invoke these REST APIs.

Full control permissions requested by the Add-in are used only for registering event listeners for site collections, sites, and lists.

Event Listeners Registered by Skyhigh CASB

Skyhigh CASB registers following event listeners to the selected sites in SharePoint and OneDrive:

  • ItemAdded
  • ItemUpdated
  • ItemCheckedIn
  • ItemCheckedOut
  • ItemFileMoved
  • WebProvisioned
  • ListAdded
  • RoleAssignmentAdded
  • Was this article helpful?