Description


Office 365 SharePoint empowers teamwork with dynamic and productive team sites for every project team, department, and division. Avanan adds security, privacy, and compliance to Office 365 SharePoint by scanning files shared in SharePoint for malicious content and for data loss prevention (DLP), and by generating actionable events on malicious content.


Avanan adds a layer of security that provides these security features for Office 365 SharePoint:

  • Data Leak Prevention (DLP): Protecting uploaded files containing sensitive data
  • Anti-Malware: Scanning of files for malicious content
  • Remediation: Quarantine malicious files and send files containing sensitive data to the vault

Requirements

  • You are a user with Microsoft Global Administrator permissions, or you have the credentials of such a user.
  • You have the minimum supported Avanan license with SharePoint protection.


The Process


To activate Office 365 SharePoint:

  1. Navigate to Security Settings > SaaS Applications and click Start for Office 365 SharePoint.
  2. Click Start in the pop-up screen that appears.
  3. In the Microsoft Sign in window that opens, sign in with your Microsoft administrator credentials.
    Note - Microsoft performs the authentication, and Check Point does not provide these credentials.
  4. In the authorization screen from Microsoft, click Accept to grant necessary permissions to Avanan.
    The Office 365 SharePoint SaaS is enabled, and monitoring begins immediately.

Deactivating Office 365 SharePoint

To deactivate Office 365 SharePoint:

  1. Navigate to Security Settings > SaaS Applications.
  2. Click Stop for Office 365 SharePoint.

Office 365 SharePoint Security Settings

Customizing Quarantine and Vault

Administrators can customize the quarantine and vault folders (folder names, quarantine/vault messages, etc.)

Quarantine folder

The quarantine folder is used to quarantine malware-infected files from SharePoint. The infected files of all the users will be quarantined to a single predefined quarantine folder.

Notes:

  • The quarantine folder is created with the configured name in the root directory of the root site of the organization. End users do not have access to this folder.
  • Only Microsoft stores these quarantined files.

Vault folder

A vault folder is used to remediate DLP detections related to SharePoint files. It is a non-shared folder that is created for every SharePoint user.

If a file contains sensitive information that does not comply with your organization's data-sharing policies, it is removed and placed in the vault folder.

Note - The vault folder is created with the configured folder name in the root directory of each user’s drive. The user can access the file from the vault but cannot share it with others.

To customize the quarantine and vault folders:

  1. Navigate to Security Settings > SaaS Applications.
  2. Click Configure for Office 365 SharePoint.
  3. Under Quarantine, enter the required quarantine folder name.
  4. Under Vault, enter the required vault name.
  5. Click Save.

Configuring Office 365 SharePoint Policy

Malware Policy

By default, the Office 365 SharePoint malware policy scans the uploaded files for malicious content.

Supported Actions

Office 365 SharePoint malware policy supports these actions:

  • Quarantine of malware-infected files.
  • Alert owner: Sends an email notification to the user who uploaded a file that contains malicious content.
  • Alert admin(s): Sends an email notification to the admin(s) about the malicious files.

Configuring Malware Policy

To configure Malware policy:

  1. Click Policy on the left panel of the Avanan portal.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Office 365 SharePoint.
  4. From the Choose Security drop-down list, select Malware and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Choose the Scope for the policy.
    • To apply the policy to specific users or groups, select the users and groups and click Add to Selected.
    • To apply the policy to all users and groups in your organization, enable the All Users and Groups checkbox.
    • To exclude specific users or groups from the policy, select the users/groups and click Add to Excluded.
  7. Under Blades, select the threat detection blades required for the policy.
    Note - To select all the blades available for malware detection, enable the All running threat detection blades checkbox.
  8. Under Suspected malware workflow (Attachment) in Workflows, select the workflow required for the policy.
    • Quarantine. User is alerted and allowed to restore
    • Quarantine. User is alerted, allowed to request a restore (admin must approve)
    • Quarantine. User is not alerted (admin can restore)
    • Do nothing
    Note - The Workflows are available only when Detect and Remediate protection mode is enabled.

  9. To quarantine malware-infected files, enable the Quarantine drive files checkbox.
    Note - This option will be available only in Detect and Remediate protection mode.
  10. Configure Alerts for the policy.
    1. To send email alerts to the file owner of malware, enable the Alert file owner of malware checkbox.
    2. To send email alerts to admins, enable the Alert admin(s) checkbox.
    Notes:

    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when the Receive Alerts role is enabled in the Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  11. Click Save and Apply.

DLP Policy

By default, the DLP policy scans files uploaded to SharePoint for potentially leaked information, such as credit card numbers and Social Security Numbers (SSN).

Supported Actions

Office 365 SharePoint DLP policy supports these actions:

  • Send files with sensitive data to the vault.
  • Alert owner: Sends an email notification to the user who uploaded a file that contains sensitive information.
  • Alert admin(s): Sends an email notification to the admin(s) about the files that contain sensitive information.

Configuring DLP Policy

To configure DLP policy:

  1. Click Policy on the left panel of the Avanan portal.
  2. Click Add a New Policy Rule.
  3. From the Choose SaaS drop-down list, select Office 365 SharePoint.
  4. From the Choose Security drop-down list, select DLP and click Next.
  5. Select the desired protection mode (Detect and Remediate or Detect).
    If required, you can change the Rule Name.
  6. Choose the Scope for the policy.
    • To apply the policy to specific users or groups, select the users and groups and click Add to Selected.
    • To apply the policy to all users and groups in your organization, enable the All Users and Groups checkbox.
    • To exclude specific users or groups from the policy, select the users/groups and click Add to Excluded.
  7. Under DLP Criteria, select the DLP categories required for the policy.
    For more details about the DLP rules and categories, see DLP Built-in Rules and Categories.
  8. Select the sensitivity level required for the policy.
    • Very high (hit count > 0)
    • High (hit count > 2)
    • Medium (hit count > 5)
    • Low (hit count > 10)
    • Very Low (hit count > 20)
  9. To exclude messages and files shared only with internal users from the DLP policy, enable the Skip Internal items checkbox.
  10. Configure Actions for the policy.
    • To send a detected file with sensitive data to its owner’s vault, enable the Send files with sensitive data to vault checkbox.
      Note - This option will be available only in Detect and Remediate protection mode.
    • To send email alerts to admins about DLP, enable the Alert admin(s) checkbox.
    • To send email alerts to the file owner about DLP, enable the Alert file owner(s) checkbox.
    • To quarantine drive files, enable the Quarantine drive files checkbox.
    Notes:

    • For a policy, you can enable only one of Send files with sensitive data to vault or Quarantine drive files, not both.
    • Even when the alerts are enabled here in the policy, the administrator only receives email alerts for security events when the Receive Alerts role is enabled in the Specific Service Role.
    • To customize the email alert templates, click on the gear icon to the right of the alert.
  11. Click Save and Apply.
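
The following added example (not Avanan code and not part of the original documentation) models how the settings in this procedure combine for one file: the hit count is compared with the selected sensitivity level, then Skip Internal items, the protection mode and the single remediation action decide the outcome. The detector patterns, the function names and the sample data are assumptions made for illustration; the product's own DLP rules are not reproduced here.

```python
import re

# Thresholds from the sensitivity list: a level matches when hit count > value.
SENSITIVITY = {"Very high": 0, "High": 2, "Medium": 5, "Low": 10, "Very Low": 20}

# Assumed, simplified detectors: 16-digit cards in groups of four, dashed SSNs.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

# Constructed sample file content (not real customer data).
SAMPLE = """name, card, ssn
alice, 4111 1111 1111 1111, 078-05-1120
bob, 5500 0000 0000 0004, 219-09-9999
carol, 4111 1111 1111 1112, n/a
"""

def luhn_ok(digits):
    """Luhn checksum: filters out 16-digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def count_hits(text):
    """Hit count = SSN-shaped strings + Luhn-valid card numbers."""
    cards = [re.sub(r"\D", "", m) for m in CARD_RE.findall(text)]
    return len(SSN_RE.findall(text)) + sum(luhn_ok(c) for c in cards)

def evaluate(hits, sensitivity, mode, action=None,
             internal_only=False, skip_internal=False):
    """Outcome of one rule for one file. `action` is 'vault', 'quarantine' or
    None: a single value, because a policy can enable only one of the two."""
    if action not in ("vault", "quarantine", None):
        raise ValueError("action must be 'vault', 'quarantine' or None")
    if skip_internal and internal_only:
        return "skipped"            # Skip Internal items is enabled
    if hits <= SENSITIVITY[sensitivity]:
        return "no match"           # hit count not above the level's threshold
    if mode == "Detect and Remediate" and action:
        return action               # remediation is offered only in this mode
    return "detected"               # detection only, no remediation action

if __name__ == "__main__":
    hits = count_hits(SAMPLE)
    for level in SENSITIVITY:
        print(level, evaluate(hits, level, "Detect and Remediate", "vault"))
```

With the constructed sample, the file produces four hits, so rules set to Very high or High match while Medium and lower do not; this is a quick way to reason about which level to choose before saving a rule.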

Viewing Office 365 SharePoint Security Events

Avanan records the SharePoint detections as security events. The event type depends on the type of policy that created the event. You can handle the security events in different ways, whether they are detected/prevented automatically or discovered by the administrators after not being prevented.

The Events screen shows a detailed view of all the security events.

Note - For files marked as malware by Microsoft, scan results are unavailable, and access to these files is prevented by Microsoft.
