DLP Monitor is a provider-hosted SharePoint Add-in from Skyhigh CASB. Provider hosted Add-ins have external components such as web application, database hosted externally from SharePoint Online subscription. More details about types of SharePoint Add-ins are here.
The DLP Monitor Add-in from Skyhigh CASB is backed by a web-application (owned by Skyhigh CASB) hosted in Microsoft Azure.
Download the Skyhigh CASB DLP Monitor Add-in from Download the SharePoint/OneDrive Add-in App.
Why is this Add-in required?
This Add-in is used to register SharePoint remote event receivers for SharePoint and OneDrive sites to completely manage the following workflows:
- Detect sensitive content being uploaded/updated in OneDrive and SharePoint and perform remediation actions specified in DLP policies.
- Detect the activity of sharing sensitive content internally and externally (outside the organization).
- Perform remediation actions, such as modifying sharing permissions, revoking collaboration, and removing public links on files.
SharePoint remote event receivers enable monitoring of file upload and sharing activity in near real-time. More information about remote event receivers can be found here.
Role of the Add-in
When an Office 365 admin installs and opens the Add-in, the admin is redirected to the Azure web application hosted by Skyhigh CASB. During the redirect, Office 365 passes the necessary authentication and authorization context to Skyhigh CASB Azure web application in the form of an access token.
Skyhigh CASB uses this access token to retrieve and list all SharePoint sites in the tenant so that admin can select a few SharePoint sites for event monitoring. Once selected for event monitoring, Skyhigh CASB uses the access token obtained in the above step to register remote event listeners for those SharePoint sites selected by the Office 365 admin.
As a result, when a user performs activity in SharePoint (in the selected sites only), Office 365 sends an event (HTTP) to Skyhigh CASB’s remote event receivers hosted in Azure.
Skyhigh CASB Azure web-app fetches any additional metadata for that event and sends the necessary information to Skyhigh CASB Cloud DLP which performs DLP check depending on the event type and DLP policies configured in the corresponding Skyhigh CASB tenant.
Installing the Add-in
Before installing the Add-in, an App Catalog site has to be created in the Office 365 tenant. Then the Add-in is uploaded in the App Catalog site. The Add-in can be installed in any SharePoint site, preferably in a site exclusively owned by Office 365 admin.
Permissions Required for the Add-in
During installation, Add-in prompts for the following permissions:
These permissions are required for registering remote event receivers, on-site collections, sites, and lists owned by any user in that Office 365 tenant.
NOTE: Skyhigh CASB will not modify any content in SharePoint or OneDrive through this Add-in. Any remediation actions such as deleting a file with sensitive content, modifying permissions on a shared folder are performed using SharePoint Online REST APIs. The OAuth access token obtained while enabling API access for OneDrive and SharePoint from Skyhigh CASB tenant, is used to invoke these REST APIs.
Full control permissions requested by the Add-in are used only for registering event listeners for site collections, sites, and lists.
Event Listeners Registered by Skyhigh CASB
Skyhigh CASB registers following event listeners to the selected sites in SharePoint and OneDrive:
Known Limitation and Work Around
SharePoint add-in apps limitation and work around for NRT flow
Skyhigh CASB system will not process the events generated by the SharePoint Add-in app/s. Generally. these apps are used to migrate local files to SharePoint online.
Microsoft pushes a lot of changes frequently to the Document Libraries and these activities are associated with the user called app@sharepoint. These events are unnecessary noise, so all events originated from app@sharepoint user are dropped. Generally, the files uploaded through any add-in app in SharePoint will use the user as app@sharepoint, and the activities from this user will be blocked. Therefore, Skyhigh in NRT flow for DLP will not process the files uploaded to SharePoint via these add-in apps.
Run the ODS scan against the SharePoint site/s after the add-in app job is completed to migrate the local files to SharePoint.