Office 365 Securlet Policy does not Record the Correct Modification Details
Article ID: 176282

Products

CASB Security Standard, CASB Security Premium, CASB Security Advanced, CASB Audit, CASB Gateway, CASB Gateway Advanced, CASB Securlet SAAS, CASB Securlet SAAS With DLP-CDS

Issue/Introduction

The securlet activity details of an uploaded, modified or shared file will show that the document owner performed the activity and NOT the person who actually performed the action. The "happened at" timestamp reported in CASB may also show when CASB received and processed the detail from the Delta API and NOT when the event took place.

Symptom: UserA (Owner) creates and shares a file with UserB. UserB edits the file and adds content that violates a defined policy. When the policy violation is reported in CloudSOC, UserA (the owner) is reported as the user that violated the policy and NOT UserB, who modified the content. The violation should be reported as UserB.

Symptom: The "Shared with" timestamp on a file that was shared is the same as the timestamp of when the file was added.

Cause

Both symptoms are known and expected limitations of the Microsoft Graph API. The Delta API does not provide who the actor is in all cases; all the API can provide is who the owner is.

For certain events CloudSOC can only report who the owner is, because the Delta API did not update the user that performed the action.

Broadcom is constantly working with Microsoft to make sure best practices are followed. Broadcom re-verified this with Microsoft as recently as January 2024.

Resolution

CloudSOC release 3.173 (released September 10, 2024 for the EU and September 12, 2024 for the US) now includes the attribute common.modifiedBy. For new incidents created after the 3.173 release date, the attribute will record the user that modified the document. Previously CloudSOC / DLP was only able to report the owner as the violator.

The owner is still reported as the violator for sharing, moving or deleting the document.

Feature request ISFR-3464 was created to update the Sender attributes with the value from common.modifiedBy so that response templates more accurately identify the user that triggered the violation.
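The attribution rules above can be turned into a small triage helper for analysts working incidents exported from CloudSOC. The script below is an added example, not CloudSOC or Broadcom code; the incident dictionary layout, the activity labels ("modify", "share", "move", "delete"), the "region" field and the timestamp field names are assumptions made for illustration, and the incidents themselves are constructed. It applies the article's rules: for sharing, moving or deleting only the owner is available; for modification incidents created after release 3.173, common.modifiedBy names the actual editor; and timestamps that merely echo the file-added or CASB-processing time are flagged so the analyst knows to confirm the event time elsewhere (for example with the gatelet or a sharing notification email, as listed in Additional Information).

```python
"""Triage helper: decide who to hold responsible for an Office 365 securlet
incident and whether its timestamps can be trusted.

Added example, not CloudSOC code. The incident record layout below is an
assumption; adapt the key names to the export you actually receive.
"""
from datetime import datetime, timezone

# Assumed activity labels. The article states that for sharing, moving or
# deleting, CloudSOC still reports only the owner.
OWNER_ONLY_ACTIVITIES = {"share", "move", "delete"}

# Release dates for CloudSOC 3.173 as given in the article.
RELEASE_3_173 = {
    "EU": datetime(2024, 9, 10, tzinfo=timezone.utc),
    "US": datetime(2024, 9, 12, tzinfo=timezone.utc),
}


def attribute_violator(incident: dict) -> dict:
    """Return the user to report, a confidence label and the reason.

    The returned 'user' is what a response template's Sender field should
    carry once ISFR-3464 lands; until then the analyst applies this by hand.
    """
    owner = incident["owner"]
    activity = incident["activity"].lower()
    region = incident.get("region", "US")
    created = datetime.fromisoformat(incident["created_at"])
    modified_by = incident.get("common.modifiedBy")

    if activity in OWNER_ONLY_ACTIVITIES:
        return {"user": owner, "confidence": "owner-only",
                "reason": f"{activity} activity: the Delta API only exposes the owner"}
    if created < RELEASE_3_173[region]:
        return {"user": owner, "confidence": "owner-only",
                "reason": "incident predates 3.173; common.modifiedBy was not recorded"}
    if not modified_by:
        return {"user": owner, "confidence": "unknown",
                "reason": "common.modifiedBy missing; confirm with the gatelet or access history"}
    return {"user": modified_by, "confidence": "actor",
            "reason": "common.modifiedBy records the user that modified the document"}


def timestamp_is_suspect(incident: dict) -> bool:
    """True when a reported time looks like processing or file-added time.

    Matches the two timestamp symptoms in the article: 'Shared with' equal to
    the added time, or 'happened at' equal to the CASB processing time.
    """
    shared, added = incident.get("shared_at"), incident.get("added_at")
    happened, processed = incident.get("happened_at"), incident.get("processed_at")
    return (shared is not None and shared == added) or \
           (happened is not None and happened == processed)


# Constructed sample incidents (not real CloudSOC data).
SAMPLE_INCIDENTS = [
    {"id": "inc-1", "owner": "UserA", "activity": "modify", "region": "US",
     "created_at": "2024-10-01T12:00:00+00:00", "common.modifiedBy": "UserB",
     "happened_at": "2024-10-01T11:58:00+00:00", "processed_at": "2024-10-01T12:00:00+00:00"},
    {"id": "inc-2", "owner": "UserA", "activity": "share", "region": "US",
     "created_at": "2024-10-01T12:00:00+00:00", "common.modifiedBy": "UserB",
     "shared_at": "2024-09-20T08:00:00+00:00", "added_at": "2024-09-20T08:00:00+00:00"},
    {"id": "inc-3", "owner": "UserA", "activity": "modify", "region": "EU",
     "created_at": "2024-08-15T09:00:00+00:00"},
    {"id": "inc-4", "owner": "UserA", "activity": "modify", "region": "EU",
     "created_at": "2024-10-05T09:00:00+00:00"},
]


def triage(incidents: list) -> list:
    """Produce one review line per incident for the analyst queue."""
    rows = []
    for inc in incidents:
        who = attribute_violator(inc)
        rows.append({"id": inc["id"], "report_user": who["user"],
                     "confidence": who["confidence"], "reason": who["reason"],
                     "timestamp_suspect": timestamp_is_suspect(inc)})
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE_INCIDENTS):
        print(row)
```

Incidents with confidence "owner-only" or "unknown" are the ones where the reported violator may be wrong, so the triage output tells the analyst which cases still need the supporting details listed under Additional Information before a response template is sent.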

Additional Information

Possible options to gather additional supporting details:

  • User Activity Type will explain what activity caused the scan.
  • Verify the activity with the CloudSOC gatelet for O365; the gatelet is not affected by the Delta API limitation.
  • File sharing will generate an email notification with the correct user.
  • Look for possible supporting detail such as who accessed a file.