DLP Enforce CloudSOC Sharepoint Incidents missing Sender (Violator)

Article ID: 367441

Products

CASB Securlet SAAS, CASB Security Advanced, CASB Security Premium, CASB Security Premium IAAS, CASB Security Standard, CASB Securlet SAAS With DLP-CDS

Issue/Introduction

CloudSOC SharePoint incidents in DLP Enforce are sometimes missing the Sender (Violator) in the left column.

Cause

To display the Sender (Violator) in a DLP Enforce incident, data for these two fields must be present in the DLP Original Message:

Contextual Attributes: common.user.id and common.user.name

Resolution

The MS 365 REST API provides this data to CloudSOC, but not if the User has been deleted or has no license in the MS 365 App.

There is no fix to obtain the Sender data from the REST API if the User is deleted or does not have a license.

Additional Information

One possible workaround may be to configure the DLP Enforce LDAP plugin to obtain some additional detail that way.

But if the User is also deleted from Active Directory, the LDAP Plugin will not help.

https://techdocs.broadcom.com/us/en/symantec-security-software/information-security/data-loss-prevention/16-0-2/incidents/implementing-lookup-plug-ins/configuring-ldap-lookup-plug-ins/ldap-lookup-plug-in-tutorial.html