Use Case:
Customer is looking to see if there is a way to differentiate Teams vs. SharePoint incidents within DLP detection rules for the O365 Securlet. Currently, SharePoint is the backend for Teams storage, so all "Teams" incidents come in as SharePoint incidents. You can tell which incidents are which by looking at the original message stream that is associated with CASB incidents, because Teams incidents contain an attribute called "common.team.visibility". Also, incidents that are SharePoint incidents but not associated with Teams do not have this attribute in them (I will attach the 2 message streams for reference).
When creating a policy, I do not see a way to uniquely identify incidents that are on SharePoint but not associated with Teams.
Note:
You can easily tell that this is associated with Teams because you can set the contextual attribute "common.team.visibility" to match on either "Public" or "Private" which clearly shows that this is on Teams. This will also exclude any SharePoint incident because that attribute is not associated with them or in the message stream.
If you set up another policy for SharePoint and do not set a contextual attribute to match on a public or private team (shown below), it will pick up on SharePoint incidents AND Teams incidents. The goal is to only match on SharePoint incidents. Since there is a way to set apart Teams incidents, is there a way to set apart just SharePoint incidents?
Component : Contextual Attributes (Securlet)
Teams and SharePoint use the same API.
Create a policy exception for the SharePoint policy using "common.team.visibility" to match on either "Public" or "Private". The exception checks the value in the request's contextual attributes: if the attribute exists, the incident comes from Teams and the SharePoint policy is not applied.
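To confirm the exception behaves as intended, exported incident message streams can be audited offline. The following is an added example, not part of the original article or the product: it assumes message streams are available as JSON, and the field names `id` and `policy`, the policy names and the sample records are hypothetical and constructed for illustration.

```python
import json

TEAM_ATTR = "common.team.visibility"   # attribute name from the article
TEAM_VALUES = {"Public", "Private"}    # values the exception matches on

# Constructed sample records; the real message stream layout is an assumption.
SAMPLE_STREAMS = [
    '{"id": "inc-1", "policy": "SharePoint DLP", "common.team.visibility": "Private"}',
    '{"id": "inc-2", "policy": "SharePoint DLP", "site": "hr-docs"}',
    '{"id": "inc-3", "policy": "Teams DLP", "common": {"team": {"visibility": "Public"}}}',
    '{"id": "inc-4", "policy": "SharePoint DLP", "common": {"team": {"visibility": ""}}}',
]

def team_visibility(record):
    """Return the attribute from a flat dotted key or nested objects, else None."""
    if TEAM_ATTR in record:
        return record[TEAM_ATTR]
    node = record
    for part in TEAM_ATTR.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node

def classify(record):
    """'sharepoint' if the attribute is absent, 'teams' if the exception would
    match, 'review' if the attribute exists with a value the exception omits."""
    value = team_visibility(record)
    if value is None:
        return "sharepoint"
    if isinstance(value, str) and value in TEAM_VALUES:
        return "teams"
    return "review"

def audit(streams, sharepoint_policy="SharePoint DLP"):
    """List (id, kind) for incidents the SharePoint policy raised that carry
    the Teams attribute, i.e. cases the exception should have excluded."""
    findings = []
    for raw in streams:
        record = json.loads(raw)
        kind = classify(record)
        if record.get("policy") == sharepoint_policy and kind != "sharepoint":
            findings.append((record.get("id"), kind))
    return findings

if __name__ == "__main__":
    for incident_id, kind in audit(SAMPLE_STREAMS):
        print(incident_id, kind)
```

A `review` result marks an incident where the attribute is present but its value is neither "Public" nor "Private", so a value-based exception would not exclude it.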