DLP Enforce CloudSOC SharePoint Incidents missing Sender (Violator)


Article ID: 367441


Updated On:


CASB Securlet SAAS, CASB Security Advanced, CASB Security Premium, CASB Security Premium IAAS, CASB Security Standard, CASB Securlet SAAS With DLP-CDS


CloudSOC SharePoint incidents in DLP Enforce are sometimes missing the Sender (Violator) in the left column.


For the Sender (Violator) to appear in a DLP Enforce incident, data for these two Contextual Attributes must be present in the DLP Original Message: common.user.id and common.user.name.



The MS 365 REST API provides this data to CloudSOC, but not if the User has been deleted or has no license in the MS 365 app.

There is no fix to obtain the Sender data from the REST API if the User is deleted or does not have a license.





Additional Information

One possible workaround may be to configure the DLP Enforce LDAP plugin to obtain some additional detail that way.

However, if the User has also been deleted from Active Directory, the LDAP plugin will not help.