Question: How does CASB differentiate between internal and external users?

Answer: CASB defines internal users by domain.  Any email domain listed as a Primary or secondary domain is considered an internal user. Any domain outside of the list would be an external user.

-Note:  All gatelets and most securlets defines the users as internal or external this way. The box securlet gets an internal list via the SaaS.

Secondary Domains can be added to CloudSOC through the Customer Management Portal (CMP) and can be seen from CloudSOC General Settings,

Question: Where is a internal vs external user defined in a policy in CASB?

Answer: A CloudSOC policy Account Type will define an internal vs external user.

Question: Where is an internal vs external user defined in a policy in DLP?

The DLP Scan Filter set's the scope for the application and not the policy itself.

Manage, Application Detection, Configuration.

Question: Can a DLP policy trigger based on domain whitelist\blacklist?

Answer: A simple DLP keyword policy can use the attribute "common.shareWithList"

• Whitelist example using regex to whitelist domain example.com.
  • -Note: Notice the regex ?! is a NOT.  This policy will trigger for any user EXCEPT a user @example.com
  • -Note: the Whitelist domain has to be condition of the rule

• Blacklist example to block @gmail.com.

Multiple domains can be used to used. However, the more complex the regex the longer the policy takes to complete.

Question: What is the difference between direct access to a file and shared link?

Answer: O365 has multiple ways to share a file.

• Direct Access: The users has been given direct access to the file or folder. The ACL is updated immediately.  Only internal or "guest" users can be given direct access. CASB\DLP can remove the individual user.

• Shared Links: Access is shared through a link. The user will only receive access through the link.  Once the item is accessed the ACL will be updated and the o365 securlet will get notified the file is shared.  Until the shared with user accesses the file it is not shared.  DLP\CASB removes all user with the remove external collaborator option is chosen.

• Sharing Types and response rules:
  
  • Anyone with the link: Public Exposure Response rule breaklinks.
  • Specific people: External Exposure  Remove collaborators.
• 

Question: Can DLP\CASB remove a individual user that violates a policy?

Answer: DLP\CASB uses a MSFT API to remove an individual user that is directly assigned.  The  MSFT API does NOT provide a way to remove one individual shared with a link all shared with users share that link.