Office 365 Securlet Policy does not Record the Correct Modification Details
search cancel

Office 365 Securlet Policy does not Record the Correct Modification Details


Article ID: 176282


Updated On:


CASB Security Standard CASB Security Premium CASB Security Advanced CASB Audit CASB Gateway CASB Gateway Advanced CASB Securlet SAAS CASB Securlet SAAS With DLP-CDS


The securlet activity details of an uploaded, modified or shared file will show that the document owner performed the activity and NOT the actual person that performed the action.  The timestamp of the happened at reported in CASB may also show the timestamp of when CASB receieved and processed the detail from the Delta API and NOT when the event took place.

Symptom: UserA (Owner) creates and shares a file with UserB.  UserB edits the file and adds content that violates a defined policy.  When the policy violation is reported in CloudSOC, UserA (the owner) is the reported user that violated the policy and NOT UserB, that modified the content. The violation should be reported as UserB.

Symptom: Shared with timestamp on a file that was shared has the same timestamp from when the file was added.


Both symptoms are known and expected limitations of the Microsoft Graph API.  The Delta API does not provide who the actor is in all cases . All the API can provide is who the owner is.

With certain event CloudSOC can only report when the owner is, the Delta API did not update the user that performed the action.

Broadcom is constantly working with Microsoft to make sure best practices are followed. Broadcom re-verified this with MSFT as recent as January 2024.



Possible options to gather supporting details:

  • Verify activity with the CloudSOC gatelet for o365.  Delta API has no impact.
  • File sharing will generate an email notification with the correct user.
  • Look for possible supporting detail such as who accessed a file.

The Management API activity maybe inconsistant CloudSOC does not rely on it.


Additional Information

Example: User Mike updated\replaced footest111.tye8.txt owned by Admin.

  • Notice in red the securelet (API ) reported Admin updated (incorrect).
  • Notice in green the MGMT API reported Mike added the file. (correct).  Notice the latitude and logitude for API that shows it was MGMT API.
  • Notice in blue the Gatelet reported Mike (correct)
  • Notice below in Turquoise that the API reported that Mike sent the MSFT email to the recipient (correct).
  • Note... Sharing Email is generated by MSFT with the sharing link automantically. Mike did not manually send an email.