Custom O365 Securlet not logging expected activity
The custom O365 Securlet using 'read-only' access failed to log activities for OneDrive and Teams, even though Teams was selected at the time of Securlet activation.
O365 Securlet + DLP Enforce
The custom Securlet was created to allow read-only access as opposed to the full rights provided with the Global Admin account.
• Sites were not imported, as the client only intended to monitor Email, Teams and OneDrive. Engineering identified that certain OneDrive and Teams activity depends on the user's SharePoint (Sites) for logging.
• The custom Securlet was pointed to 'non-billing' API endpoints.
• Teams-related data was missing because the custom Securlet was activated on a 'newly' deployed O365 environment. "This is an issue with test accounts, queues are not created unless there is activity and if migration is done before queue creation then configuration is missing."
• The custom Securlet was pointed to the appropriate 'with-billing' API endpoints.
• The O365 tenant had accumulated Teams data during testing, and the Securlet was reactivated while importing SharePoint Sites.
• The client's CloudSOC tenant was pointed to the custom Securlet by Engineering. This means that when activating the Securlet, there is no field or switch to indicate whether to activate using the Full Securlet or the custom 'read-only' O365 Securlet.