Best practices for DLP endpoint monitoring of Microsoft Office cloud storage locations

book

Article ID: 198249

calendar_today

Updated On:

Products

Data Loss Prevention Endpoint Prevent Data Loss Prevention

Issue/Introduction

By default, Office 365 applications are in a continuous AutoSave mode that saves document changes every few seconds as you type. When DLP is configured to monitor these documents, frequent changes to large files can cause significant delays for end-users due to the overhead involved with content extraction and detection.

As of DLP 15.7, the endpoint agent includes a new Office 365 add-in - csa.dll for monitoring Office 365 file sync to cloud storage.

The csa.dll add-in is enabled/installed when both of the following settings are enabled in an Agent Configuration:

  • Channels tab "Cloud Storage" channel

  • Settings tab "Monitor Microsoft Office files saved to web locations" feature under Cloud Storage

 

Cause

  • Incidents are generated with a destination of either a local OneDrive path or a hosted sharepoint.com URL, which you consider to be a false positive if those destinations are considered approved storage.
  • You may also find that detection delays for end-users are too frequent or too lengthy for them to be productive.

Environment

DLP 15.7 and higher.

Resolution

Option 1

Disabling Office 365 AutoSave

Typically organizations do not scan local drives nor secure corporate network/cloud storage such as SharePoint whether on-prem or hosted (cloud). If for some reason you're not able to exclude these locations as shown above, you should consider disabling the AutoSave feature in Office 365 using the following steps in any Office 365 application:

  1. Navigate to File > Options > Save.
  2. Uncheck the box next to AutoSave OneDrive and SharePoint Online files by default on <application>.

Option 2

If you're unable to disable AutoSave
  • Ignoring Files that are Copied Directly to a local OneDrive directory

Log in to the Enforce console and navigate to System > Agents > Agent Configuration > (configuration) > Channel Filters (tab) > Filter by File Properties > Add Monitoring Filter (button)

Set the following properties and then click save:

    1. Filter Action = Ignore
    2. Endpoint Channel = Cloud Storage
    3. File Path = %USERPROFILE%\OneDrive - (your corporate directory name)\*
      1. Alternatively, you could also use %HOMEPATH%\OneDrive - (your corporate directory name)\*

Set the filter order so this file path is ignored before any filter that would monitor the same path and then click save.

  • Ignoring Files Saved to OneDrive through an Office 365 Application
  1. Locate the OneDrive/Sharepoint URLs used by your organization - Get a list of all user OneDrive URLs in your organization
  2. Add a domain filter to the Agent Configuration:
    1. In the Enforce Console navigate to System > Agents > Agent Configuration.
    2. Edit the appropriate Configuration.
    3. Under Channel Filters > Domain Filters enter the URLS to ignore, such as:
 
 
 
 
 
 
 
 

Additional Information

See also: How to export DLP Office add-in certificate and distribute via GPO

See also: What is AutoSave?

Attachments