When collaborating in SharePoint and OneDrive, you might notice the following known behaviors.
Duplicate or Multiple Incident Generation
When you want to add a file or folder or invite new collaborators, the SharePoint Add-in or App doesn’t process this event to new collaborators. To process and monitor this event, you must call the Management Activity API.
McAfee depends on two event monitoring APIs to track user activity in Office 365:
- Management Activity API to track all audit logs for Activity Monitoring and UEBA functionality.
- SharePoint Add-in/App-based event monitoring for Near Real-Time DLP.
When collaborating in SharePoint and OneDrive, duplicate or multiple incidents are generated for multiple tenants due to these reasons:
- When a file/folder is shared with collaborators for the first time (by using the option 'Specific People' in the sharing window), both Management Activity API and SharePoint Add-in will send events resulting in duplicate incidents.
- When a collaborator is invited on a file/folder that was already shared at least once with other collaborators, only Management Activity API sends the activity feed/event and thus there will not be any duplicate incidents.
Office 365 Handle File Lock Error
When a sensitive file is uploaded, a DLP policy is triggered, and by default, an incident is generated in MVISION Cloud. For example, the response action quarantine is executed but the status of quarantine is failed due to Office 365 file is locked and retry after 15 minutes to check if the file is unlocked.
DLP Policies for SharePoint using AND Conditions
When you create a DLP policy for SharePoint using AND conditions in the following ways:
- Using a collaboration rule from:* to:*, except for collaboration to internal domains.
- Using content-based rule keyword matching, such as the keyword "confidential" in the file.
You may expect the policy to detect a file that includes the keyword "confidential" only when a file is shared with an external user. However, just uploading the file generates an incident. This happens because when a file is uploaded, it is by default collaborated with the default groups (Owners, Members, and Visitors), so it generates an incident.
We recommend that you use a second OR exception rule, to exclude the names of these specific groups in the DLP policy. The DLP policy is working as expected. It does a string comparison of collaborators, and because the strings of the group names were not explicitly excluded, there is a match. Changing the policy will then provide the expected behavior.
- Exception rule: Use collaboration from: * to *members, *visitors,*owners Role: Any.
NOTE: if you use the non-English language setting in your Office 365 tenant, these three groups should be described as names of the language, such as *メンバー, *閲覧者, *所有者 in Japanese.
Office 365 SharePoint File Tag Error
SharePoint Classification Rule doesn't support any file tag name or value having special characters such as @ = _ -. : & % * # $ including space between words in the file tag. Also, any other special characters that are not listed here are not recommended to use as the behavior could be similar. If any special characters or space between words are allowed, then the Microsoft O365 API call is failing. Also, the file tags starting with numbers are not supported.