Skyhigh Security

SharePoint, OneDrive, and Office 365 Collaboration Known Behaviors

When collaborating in SharePoint and OneDrive, you might notice the following known behaviors.

Understand File Restrictions for Malware Protection

Cloud service providers (CSPs) implement built-in malware protection by enforcing file-type restrictions and blocking access to infected files. These restrictions prevent you from uploading certain files and from executing content within the service.

For example, Office 365 applies file-type restrictions and blocks access to files it identifies as malware.

Some CSPs use active scanning to inspect uploaded content and detect malicious code before you can access a file.

When a CSP blocks a file because it is detected as malware, actions such as delete or quarantine initiated by Skyhigh DLP or ODS do not complete. This behavior is consistent across CSPs, not limited to Office 365. Skyhigh logs the incident and sends a malware-detection notification by email. For more information, contact the respective cloud service provider.

Duplicate or Multiple Incident Generation

When a file or folder is added, or new collaborators are invited to one, the SharePoint Add-in or App does not process the event for the new collaborators. Those events are only available through the Management Activity API, which must be called to process and monitor them.

Skyhigh Security depends on two event monitoring APIs to track user activity in Office 365:

  1. Management Activity API to track all audit logs for Activity Monitoring and UEBA functionality.
  2. SharePoint Add-in/App-based event monitoring for Near Real-Time DLP.

When collaborating in SharePoint and OneDrive, duplicate or multiple incidents can be generated across tenants for the following reasons:

  • When a file or folder is shared with collaborators for the first time (using the 'Specific People' option in the sharing window), both the Management Activity API and the SharePoint Add-in send events, resulting in duplicate incidents.
  • When a collaborator is invited to a file or folder that has already been shared at least once with other collaborators, only the Management Activity API sends the activity feed event, so no duplicate incident is generated.

Office 365 File Lock Error Handling

When a sensitive file is uploaded and a DLP policy is triggered, an incident is generated in Skyhigh CASB by default. If the configured response action (for example, quarantine) runs while Office 365 still holds a lock on the file, the action fails and its status is reported as Failed. Skyhigh retries after 15 minutes to check whether the file has been unlocked.

DLP Policies for SharePoint using AND Conditions

When you create a DLP policy for SharePoint that combines the following conditions with AND:

  • A collaboration rule from:* to:*, with an exception for collaboration to internal domains.
  • A content rule using keyword matching, such as the keyword "confidential" in the file.

You might expect the policy to detect a file containing the keyword "confidential" only when the file is shared with an external user. However, simply uploading the file generates an incident. When a file is uploaded, it is associated by default with the site's default SharePoint groups (Owners, Members, and Visitors). These groups are evaluated as collaborators, and because a group name has no domain, the internal-domain exception does not apply to them.

The DLP policy is working as designed: it performs a string comparison on collaborator names, and because the group names were not explicitly excluded, they match the to:* condition. We recommend adding an exception rule that excludes these group names from the DLP policy; the policy then behaves as expected.

  • Exception rule: collaboration from: * to: *members, *visitors, *owners. Role: Any.

NOTE: If your Office 365 tenant uses a non-English language setting, specify the localized names of these three groups, for example *メンバー, *閲覧者, *所有者 in Japanese.
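The following is an added example, not Skyhigh Security's code: it models the AND rule described above (collaboration from:* to:* except internal domains, AND the keyword "confidential") with a simplified string matcher, so that you can see why a plain upload fires the policy and how the recommended exception rule fixes it without hiding genuine external sharing. It assumes the tenant domain is contoso.com, that the default groups are named "Contoso Owners", "Contoso Members" and "Contoso Visitors" (and their Japanese equivalents), that the policy's wildcard comparison follows shell glob semantics, and it does not model collaborator roles. All collaborator names and file content are constructed sample data.

```python
"""Model of the SharePoint AND-rule behavior: keyword match AND
collaboration from:* to:* with an internal-domain exception.

Added example, not Skyhigh Security's code. Assumptions: internal domain is
contoso.com, default group names are "Contoso Owners/Members/Visitors",
wildcard matching uses shell glob semantics, roles are not modeled."""
import fnmatch

INTERNAL_DOMAINS = {"contoso.com"}   # assumed internal domain(s)
KEYWORD = "confidential"

# Constructed sample data: the default groups every uploaded file is associated with.
DEFAULT_GROUPS = ["Contoso Owners", "Contoso Members", "Contoso Visitors"]
# The same groups as they appear in a Japanese-language tenant (constructed).
DEFAULT_GROUPS_JA = ["Contoso 所有者", "Contoso メンバー", "Contoso 閲覧者"]

# Exception rule recommended above: from:* to:*members, *visitors, *owners.
RECOMMENDED_EXCEPTIONS = ["*members", "*visitors", "*owners"]
RECOMMENDED_EXCEPTIONS_JA = ["*メンバー", "*閲覧者", "*所有者"]


def is_internal(collaborator: str) -> bool:
    """A collaborator is internal only if it is a user address in an internal domain.
    Group names carry no domain, so the internal-domain exception never covers them."""
    if "@" not in collaborator:
        return False
    return collaborator.rsplit("@", 1)[1].lower() in INTERNAL_DOMAINS


def matches_any(collaborator: str, patterns) -> bool:
    """Case-insensitive wildcard comparison of a collaborator name against patterns,
    mirroring the plain string comparison the policy performs."""
    name = collaborator.lower()
    return any(fnmatch.fnmatchcase(name, pattern.lower()) for pattern in patterns)


def violating_collaborators(content: str, collaborators, exceptions=()) -> list:
    """Return the collaborators that make the AND rule fire for this file.

    The rule fires when the content contains KEYWORD and at least one
    collaborator is neither in an internal domain nor matched by an exception."""
    if KEYWORD not in content.lower():
        return []
    return [c for c in collaborators
            if not is_internal(c) and not matches_any(c, exceptions)]


if __name__ == "__main__":
    doc = "Quarterly forecast - CONFIDENTIAL - internal use only"   # constructed content
    # Plain upload, no explicit sharing: only the default groups are collaborators.
    print("upload, no exception  :", violating_collaborators(doc, DEFAULT_GROUPS))
    print("upload, with exception:", violating_collaborators(doc, DEFAULT_GROUPS,
                                                             RECOMMENDED_EXCEPTIONS))
    # Sharing with an external user is still caught after the exception is added.
    shared = DEFAULT_GROUPS + ["alice@contoso.com", "bob@partner.example"]
    print("shared externally     :", violating_collaborators(doc, shared,
                                                             RECOMMENDED_EXCEPTIONS))
```

Running the script shows the three default groups as the only "collaborators" on a plain upload, an empty result once the exception rule is applied, and only the external address once the file is actually shared outside the tenant. Swapping in the Japanese patterns against the Japanese group names reproduces the NOTE above: the English patterns do not match the localized names, so the exception must be written in the tenant's language.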

Office 365 SharePoint File Tag Error

  • The SharePoint Classification Rule does not support file tag names or values that contain special characters such as @ = _ - . : & % * # $, or spaces between words. Other special characters not listed here are also not recommended, as the behavior is likely to be the same. If a tag contains such characters or spaces, the Microsoft O365 API call fails. File tags that start with a number are also not supported.
  • Do not set the file tag to a hidden or Office 365 system-defined field. For example, if you try to set the field name to "Restricted", you receive a file tag error because "Restricted" is a system-defined field name that cannot be set.

Incidents are Generated for File Modifiers Instead of Collaborators

In Microsoft SharePoint Online and OneDrive, Skyhigh DLP generates incidents for the file or folder's last modified user, not the last collaborator. This aligns with Microsoft’s behavior, where the delta event for a file or folder is not updated to reflect the last collaborator.
For example, if User A modifies the file and User B collaborates on it, incidents are generated for User A, not User B.

Intermittent Missing Collaboration Events for Secondary File-Sharing Actions

When a file is initially shared with an external user in Microsoft SharePoint Online or OneDrive, a share link is created, and Microsoft notifies Skyhigh about this sharing action via change notifications. However, if the same file is shared with additional external users, the original share link is reused, and Microsoft does not generate a new notification for the subsequent shares. As a result, Skyhigh will not receive notifications about the additional shares until an event related to the file triggers a notification, which only occurs after the external user accesses the link.

Workaround: Enable the management feed to process collaboration events. Note that management feed events may be delayed, which could impact our Service Level Objectives (SLOs).

File/Folder Collaborators with SharePoint Groups Display Unknown

When a file or a folder is shared with a SharePoint group, Skyhigh cannot identify and expand the SharePoint groups listed as collaborators on the file or folder. As a result, the DLP engine cannot detect the individual users (internal or external) within that group, and collaboration policy violations involving such groups are reported as Unknown in the Collaborators section of the incident.

NOTE: The Microsoft Graph APIs currently do not support expanding SharePoint groups to retrieve their members. Hence, Skyhigh is not expanding collaboration groups in the Splash Delta API workflow.

Impact on DLP enforcement:

  1. False Negatives. If a sensitive file is shared with a SharePoint group that includes external users, the Skyhigh DLP engine does not trigger a violation, so data exfiltration through that group can go undetected.
  2. False Positives. Conversely, if a policy contains an exception rule for internal domains, the Skyhigh DLP engine cannot verify that the group's members are internal. DLP actions may therefore be triggered for legitimate internal collaborations, disrupting business workflows.

The Internal and External Collaborators field in the incident report will display Unknown.
