Best practices for DLP endpoint monitoring of Microsoft Office cloud storage locations
Article ID: 198249
Data Loss Prevention Endpoint Prevent
By default, Office 365 applications are in a continuous AutoSave mode that saves document changes every few seconds as you type. When DLP is configured to monitor these documents, frequent changes to large files can cause significant delays for end-users due to the overhead involved with content extraction and detection.
As of DLP 15.7, the endpoint agent includes a new Office 365 add-in - csa.dll for monitoring Office 365 file sync to cloud storage.
The csa.dll add-in is enabled/installed when both of the following settings are enabled in an Agent Configuration:
Channels tab "Cloud Storage" channel
Settings tab "Monitor Microsoft Office files saved to web locations" feature under Cloud Storage
Incidents are generated with a destination of either a local OneDrive path or a hosted sharepoint.com URL, which you consider to be a false positive if those destinations are considered approved storage.
You may also find that detection delays for end-users are too frequent or too lengthy for them to be productive.
DLP 15.7 and higher.
Disabling Office 365 AutoSave
Typically organizations do not scan local drives nor secure corporate network/cloud storage such as SharePoint whether on-prem or hosted (cloud). If for some reason you're not able to exclude these locations as shown above, you should consider disabling the AutoSave feature in Office 365 using the following steps in any Office 365 application:
Navigate to File > Options > Save.
Uncheck the box next to AutoSave OneDrive and SharePoint Online files by default on <application>.
If you're unable to disable AutoSave
Ignoring Files that are Copied Directly to a local OneDrive directory
Log in to the Enforce console and navigate to System > Agents > Agent Configuration > (configuration) > Channel Filters (tab) > Filter by File Properties > Add Monitoring Filter (button)