Office 365 Securlet Policy does not Record the Correct Modification Details



Article ID: 176282


Updated On:


CASB Security Standard, CASB Security Premium, CASB Security Advanced, CASB Audit, CASB Gateway, CASB Gateway Advanced, CASB Securlet SAAS, CASB Securlet SAAS With DLP-CDS


The Securlet activity details of an uploaded, modified or shared file will show that the document owner performed the activity and NOT the actual person who performed the action. The "happened at" timestamp reported in CASB may also show when CASB received and processed the detail from the Delta API and NOT when the event took place.

Symptom: UserA (Owner) creates and shares a file with UserB. UserB edits the file and adds content that violates a defined policy. When the policy violation is reported in CloudSOC, UserA (the owner) is reported as the user who violated the policy and NOT UserB, who modified the content. The violation should be reported as UserB.

Symptom: The "Shared with" timestamp on a file that was shared is the same as the timestamp from when the file was added.


Both symptoms are known and expected limitations of the Microsoft Graph API. The Delta API does not provide who the actor is in all cases. All the API can provide is who the owner is.

With certain events, CloudSOC can only report who the owner is, because the Delta API did not update the user that performed the action.

Possible options to gather supporting details:

  • Verify the activity with the CloudSOC Gatelet for Office 365. The Delta API has no impact there.
  • File sharing will generate an email notification with the correct user.
  • Look for supporting detail such as who accessed a file.
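
One way to apply these options during triage, as an added example that is not CloudSOC code: it pairs each owner-attributed Securlet violation with users seen on the same file in sources that do name the actor (Gatelet activity, sharing notifications, access records). All field names, the sample records and the 24-hour lookback are assumptions made for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample data. Field names are hypothetical, not a CloudSOC schema.
INCIDENTS = [  # Securlet policy violations as reported (owner-attributed)
    {"file": "q3-forecast.xlsx", "reported_user": "usera@example.com",
     "happened_at": "2024-05-02T10:15:00"},
    {"file": "notes.docx", "reported_user": "userc@example.com",
     "happened_at": "2024-05-02T11:00:00"},
    {"file": "plan.pptx", "reported_user": "usera@example.com",
     "happened_at": "2024-05-02T12:00:00"},
]
EVIDENCE = [  # (file, user, action, time) from sources that name the real actor
    ("q3-forecast.xlsx", "usera@example.com", "share", "2024-05-01T09:00:00"),
    ("q3-forecast.xlsx", "userb@example.com", "edit", "2024-05-02T10:05:00"),
    ("q3-forecast.xlsx", "userd@example.com", "access", "2024-05-02T10:40:00"),
    ("notes.docx", "userc@example.com", "edit", "2024-05-02T10:50:00"),
]

def triage(incidents, evidence, lookback=timedelta(hours=24)):
    """Pair each owner-attributed incident with users seen on the file.

    The reported time may be CASB processing time, so the real event is at
    or before it: only evidence inside [reported - lookback, reported] counts.
    """
    results = []
    for inc in incidents:
        reported = datetime.fromisoformat(inc["happened_at"])
        seen = {user for f, user, _action, ts in evidence
                if f == inc["file"]
                and reported - lookback <= datetime.fromisoformat(ts) <= reported}
        others = sorted(seen - {inc["reported_user"]})
        if others:
            status = "actor may differ from owner"
        elif seen:
            status = "owner corroborated"
        else:
            status = "unverified"
        results.append({"file": inc["file"], "reported_user": inc["reported_user"],
                        "candidates": others, "status": status})
    return results

if __name__ == "__main__":
    for row in triage(INCIDENTS, EVIDENCE):
        print(row)
```

An "unverified" result means no supporting record was found in the window, so the owner attribution should not be treated as confirmed.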