Answer: CASB defines internal users by domain. Any user whose email domain is listed as a primary or secondary domain is considered an internal user. A user from any domain outside of the list is an external user.
Note: All Gatelets and most Securlets define users as internal or external this way. The Box Securlet gets an internal list via the SaaS.
Secondary Domains can be added to CloudSOC through the Customer Management Portal (CMP) and can be seen from CloudSOC General Settings,
Answer: A CloudSOC policy Account Type will define an internal vs external user.
The DLP Scan Filter sets the scope for the application and not the policy itself.
Manage, Application Detection, Configuration.
Answer: A simple DLP keyword policy can use the attribute "common.shareWithList"
Multiple domains can be used. However, the more complex the regex, the longer the policy takes to complete.
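The domain rule and the share-list match described above, as an added example that is not CloudSOC's own code or policy syntax: it flags external recipients with one anchored, escaped alternation and contrasts it with a loose match that look-alike domains slip past. The comma-separated list format, the domains and the addresses are assumptions constructed for illustration, and Python's `re` dialect may differ from the one the policy engine uses.

```python
import re

# Constructed sample values; substitute the tenant's primary and secondary domains.
INTERNAL_DOMAINS = ["example.com", "example.org"]

# Constructed share list; the comma-separated format is an assumption.
SAMPLE_SHARE_LIST = (
    "alice@example.com, bob@EXAMPLE.ORG, carol@partner.test, "
    "eve@example.com.evil.test, mallory@notexample.com"
)


def build_external_pattern(domains):
    """Compile a regex matching an address whose domain is NOT in `domains`.

    Each domain is escaped so '.' is literal, and the alternation is anchored
    to the end of the address, so 'example.com.evil.test' and 'notexample.com'
    are not mistaken for internal domains.
    """
    alternation = "|".join(re.escape(d) for d in sorted(domains))
    return re.compile(
        rf"^[^@\s]+@(?!(?:{alternation})$)[^@\s]+$", re.IGNORECASE
    )


def external_recipients(share_with_list, domains=INTERNAL_DOMAINS):
    """Return the entries of the share list that fall outside the domain list."""
    pattern = build_external_pattern(domains)
    entries = [e.strip() for e in share_with_list.split(",") if e.strip()]
    return [e for e in entries if pattern.match(e)]


def naive_is_internal(address, domains=INTERNAL_DOMAINS):
    """Weak check shown for contrast: unescaped, unanchored domain search."""
    return any(re.search(d, address, re.IGNORECASE) for d in domains)


if __name__ == "__main__":
    for addr in external_recipients(SAMPLE_SHARE_LIST):
        # The loose check wrongly treats the look-alike domains as internal.
        print(f"external: {addr:30} loose check says internal: "
              f"{naive_is_internal(addr)}")
```

A single alternation over the domain list keeps the pattern to one pass per address, which matters given that more complex expressions lengthen policy evaluation.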
Question: What is the difference between direct access to a file and a shared link?
Answer: O365 has multiple ways to share a file.
Question: Can DLP\CASB remove an individual user that violates a policy?
Answer: DLP\CASB uses a MSFT API to remove an individual user that is directly assigned. The MSFT API does NOT provide a way to remove one individual who was shared with via a link; all shared-with users share that link.
This document is for testing purposes. Rigorous testing should take place before activating a policy in production.