The securlet activity details of an uploaded, modified or shared file will show that the document owner performed the activity and NOT the actual person that performed the action. The "happened at" timestamp reported in CASB may also show when CASB received and processed the detail from the Delta API and NOT when the event took place.
Symptom: UserA (Owner) creates and shares a file with UserB. UserB edits the file and adds content that violates a defined policy. When the policy violation is reported in CloudSOC, UserA (the owner) is the reported user that violated the policy and NOT UserB, who modified the content. The violation should be reported as UserB.
Symptom: The "Shared with" timestamp on a shared file is the same as the timestamp from when the file was added.
Both symptoms are known and expected limitations of the Microsoft Graph API. The Delta API does not provide who the actor is in all cases. All the API can provide is who the owner is.
For certain events, CloudSOC can only report who the owner is, because the Delta API does not report the user that performed the action.
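The following Python script is an added illustration for analysts triaging these events; it is not CloudSOC or Broadcom code. It walks a constructed sample of a Graph driveItem delta page (field names such as createdBy, lastModifiedBy, shared.owner and sharedDateTime follow the Graph driveItem resource as understood here, and the values are invented), records the owner and the reported actor for each item, flags shared items whose reported actor is simply the owner as needing corroboration from another source, and computes the lag between the item's modification time and the assumed CASB ingest time, which is what the "happened at" symptom above describes.

```python
import json
from datetime import datetime, timezone

# Constructed sample resembling one page of a Microsoft Graph driveItem delta
# response. Field names follow the Graph driveItem resource (assumption);
# every value is invented for this example.
SAMPLE_DELTA_PAGE = json.dumps({
    "value": [
        {
            "id": "item-1",
            "name": "footest111.tye8.txt",
            "createdBy": {"user": {"displayName": "Admin", "id": "u-admin"}},
            "lastModifiedBy": {"user": {"displayName": "Admin", "id": "u-admin"}},
            "lastModifiedDateTime": "2024-01-15T10:00:00Z",
            "shared": {
                "owner": {"user": {"displayName": "Admin", "id": "u-admin"}},
                "sharedDateTime": "2024-01-15T10:00:00Z",
                "scope": "users",
            },
        },
        {
            "id": "item-2",
            "name": "private-notes.txt",
            "createdBy": {"user": {"displayName": "Mike", "id": "u-mike"}},
            "lastModifiedBy": {"user": {"displayName": "Mike", "id": "u-mike"}},
            "lastModifiedDateTime": "2024-01-15T11:30:00Z",
        },
    ]
})

# Assumed time at which the CASB ingested the page above (constructed).
SAMPLE_RECEIVED_AT = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)


def _user_id(identity_set):
    """Extract the user id from a Graph identitySet ({"user": {"id": ...}})."""
    return ((identity_set or {}).get("user") or {}).get("id")


def _parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-01-15T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def assess_item(item, received_at):
    """Return an attribution assessment for one delta item.

    received_at is when the CASB ingested this delta page; the delta item
    itself does not carry that value, so the caller must track it.
    """
    shared = item.get("shared")
    is_shared = shared is not None
    owner = _user_id(shared.get("owner")) if is_shared else _user_id(item.get("createdBy"))
    modifier = _user_id(item.get("lastModifiedBy"))
    modified_at = _parse_ts(item["lastModifiedDateTime"])

    # A shared item whose reported modifier is its owner may be naming the
    # owner by default rather than the real actor; confirm with a second
    # source before attributing a policy violation to the owner.
    needs_corroboration = is_shared and modifier == owner

    # The "shared with" time coinciding with the modification time is the
    # second symptom described in the article.
    shared_ts_matches_modified = (
        is_shared and _parse_ts(shared["sharedDateTime"]) == modified_at
    )

    return {
        "id": item["id"],
        "name": item["name"],
        "owner": owner,
        "reported_actor": modifier,
        "shared": is_shared,
        "needs_corroboration": needs_corroboration,
        "shared_ts_matches_modified": shared_ts_matches_modified,
        # How far the CASB "happened at" time could drift from the real event.
        "ingest_lag_seconds": int((received_at - modified_at).total_seconds()),
    }


def assess_delta_page(page_json, received_at):
    """Assess every item on one delta page."""
    page = json.loads(page_json)
    return [assess_item(item, received_at) for item in page.get("value", [])]


def run_sample():
    """Run the assessment over the constructed sample page."""
    return assess_delta_page(SAMPLE_DELTA_PAGE, SAMPLE_RECEIVED_AT)


if __name__ == "__main__":
    for result in run_sample():
        print(result)
```

Items flagged with needs_corroboration are the ones where the delta feed alone cannot tell you who acted; the lag value shows how far a CASB timestamp derived from ingest time can sit from the actual modification.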
Broadcom is constantly working with Microsoft to make sure best practices are followed. Broadcom re-verified this with MSFT as recently as January 2024.
Possible options to gather supporting details:
The Management API activity may be inconsistent; CloudSOC does not rely on it.
Example: User Mike updated\replaced footest111.tye8.txt owned by Admin.