DLP Quarantine rules not working as expected for SharePoint Securlet

Article ID: 175945

Updated On:

Products

Data Loss Prevention Cloud Detection Service

Issue/Introduction

Response rules to Quarantine Data at Rest have been configured in Enforce, and incidents occur as expected.

However, the response actions are not being fulfilled, and the incident history shows "REST ACTION FAILED".

Despite this, the Grafana dashboard shows a successful ACTION ACK from the CloudSOC was received by the Cloud Detector.

[Splunk output from the customer tenant for the failed Response Rule action]

2019-08-30 13:48:34,788-dlp-INFO-send_ack-Received args={'app_name': 'Office 365', 'actions': ['NOTIFY_DLP'], 'queue': 'dlp_ack_queue', 'tenantdb': u'CUSTOMER_NAME', 'dlp_context': {'transactionId': 'GUID-GUID-GUID-GUID-GUIDGUID', 'actionsTaken': [{'action': u'quarantine', 'timestamp': '2019-08-30T13:48:34.390934Z', 'result': 'failure'}]}, 'tenant_key': u'CUSTOMER_NAME'}
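The ack in the log line above was delivered successfully, which is why the Grafana ACK counter looks healthy, but its `actionsTaken` payload carries `'result': 'failure'` for the quarantine action. The outcome therefore has to be read from the ack body, not from the fact that an ack arrived. The following script is an added example, not part of this article or of the product: it parses `send_ack` lines in the format shown, counts acks received, and lists every action whose result is not `success`. The sample lines are constructed from the article's format; tenant, GUID and timestamp values are placeholders.

```python
import ast
import re
from typing import Dict, List, Optional

# Matches the send_ack log prefix in the article and captures the Python-literal
# dict that follows "args=".
ACK_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})"
    r"-dlp-INFO-send_ack-Received args=(?P<args>\{.*\})$"
)

# Constructed sample log, modelled on the article's Splunk output. The first line
# is the failed quarantine from the article; the second is a constructed success
# for contrast; the third is an unrelated event that must be ignored.
SAMPLE_LOG = """\
2019-08-30 13:48:34,788-dlp-INFO-send_ack-Received args={'app_name': 'Office 365', 'actions': ['NOTIFY_DLP'], 'queue': 'dlp_ack_queue', 'tenantdb': u'CUSTOMER_NAME', 'dlp_context': {'transactionId': 'GUID-GUID-GUID-GUID-GUIDGUID', 'actionsTaken': [{'action': u'quarantine', 'timestamp': '2019-08-30T13:48:34.390934Z', 'result': 'failure'}]}, 'tenant_key': u'CUSTOMER_NAME'}
2019-08-30 13:52:10,101-dlp-INFO-send_ack-Received args={'app_name': 'Office 365', 'actions': ['NOTIFY_DLP'], 'queue': 'dlp_ack_queue', 'tenantdb': u'CUSTOMER_NAME', 'dlp_context': {'transactionId': 'EXAMPLE-TXN-0002', 'actionsTaken': [{'action': u'quarantine', 'timestamp': '2019-08-30T13:52:09.000000Z', 'result': 'success'}]}, 'tenant_key': u'CUSTOMER_NAME'}
2019-08-30 13:55:00,000-dlp-INFO-other_event-unrelated line that is not an ack
"""


def parse_ack(line: str) -> Optional[Dict]:
    """Return the ack payload for a send_ack line, or None for any other line."""
    m = ACK_LINE.match(line)
    if not m:
        return None
    # literal_eval parses the Python-literal dict (including the u'...' strings
    # written by a Python 2 producer) without executing any code.
    args = ast.literal_eval(m.group("args"))
    args["logged_at"] = m.group("ts")
    return args


def failed_actions(log_text: str) -> List[Dict]:
    """List every action in the acks whose result is anything other than 'success'."""
    failures = []
    for line in log_text.splitlines():
        ack = parse_ack(line)
        if ack is None:
            continue
        ctx = ack.get("dlp_context", {})
        for taken in ctx.get("actionsTaken", []):
            if taken.get("result") != "success":
                failures.append({
                    "tenant": ack.get("tenant_key"),
                    "transactionId": ctx.get("transactionId"),
                    "action": taken.get("action"),
                    "result": taken.get("result"),
                    "timestamp": taken.get("timestamp"),
                })
    return failures


def summarize(log_text: str) -> Dict[str, int]:
    """Acks received versus actions that actually failed: the two numbers that
    an ACK-only dashboard conflates."""
    acks = [a for a in map(parse_ack, log_text.splitlines()) if a is not None]
    return {"acks_received": len(acks), "actions_failed": len(failed_actions(log_text))}


if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
    for f in failed_actions(SAMPLE_LOG):
        print(f"{f['tenant']} txn={f['transactionId']} {f['action']} -> {f['result']} at {f['timestamp']}")
```

Run against a Splunk export of the `send_ack` lines, the summary shows the gap directly: two acks received, one action failed. Alerting on `actions_failed` rather than on ack volume would have surfaced the misconfigured Securlet without waiting for the incident history to show "REST ACTION FAILED".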

Environment

  • Cloud Detection Service
  • CloudSOC (CASB Audit)
  • O365 Securlet

Cause

The CloudSOC has its own requirements for quarantine setup, and the relevant options are part of the O365 Securlet configuration. Unless the path in the "Admin's OneDrive URL" field is set correctly, the quarantine action will not take place.

Resolution

The CloudSOC and SharePoint (or OneDrive) admins need to configure the OneDrive admin URL in the CloudSOC console. This setting also applies to SharePoint quarantine and allows the actions to take place.