Collaboration Security - Protection for Microsoft SharePoint & OneDrive

Updated

This article explains how to set up and configure Protection for Microsoft SharePoint & OneDrive, and describes its main features. It is intended for Administrators.

Overview

Protection for Microsoft SharePoint & OneDrive extends Mimecast’s world-class URL and attachment inspection capabilities to content shared in the Microsoft SharePoint & OneDrive platforms.
Any content deemed malicious or suspicious is quarantined, and is replaced with a PDF explaining what has happened to the item.
Key features:

  • Best-in-class inspection of all URLs and attachments.
  • 14-day threat scan, to identify previously stored malicious content.
  • Optimized default policy out of the box.
  • Ability to create custom policies for specific users/user groups, files or folders.
  • Full deployment in minutes.

How harmful items are managed:

  • Microsoft SharePoint & OneDrive content is scanned, and if files are found to be harmful, they are quarantined.
  • The original file is replaced with a PDF, which when opened, explains that the original file was removed due to your organization's security policy.

    Protection for Microsoft SharePoint & OneDrive user experience

    Protection for Microsoft SharePoint & OneDrive - user experience - prompt

  • You can access quarantined attachments via Mimecast Administration Console | Collaboration Security | Detections

Considerations

  • Phishing & Impersonation as well as Untrustworthy Detection Sensitivity settings do not apply to Microsoft SharePoint & OneDrive.
  • You'd be configuring and using Protection for Microsoft SharePoint & OneDrive in conjunction with Protection for Microsoft Teams.
  • Collaboration Security is not supported for:
    • Advanced Account Administration (AAA) setups.
    • Microsoft GCC High environments.
    • Customers needing to adhere to ITAR regulations.
    • The Mimecast Offshore / Jersey region.
  • Collaboration Security doesn't support Policy Inheritance on Federated Account Administration (FAA) setups.

Prerequisites

  • You are using Microsoft Teams, Microsoft SharePoint & OneDrive.
  • You have an Email Security Cloud Gateway account.
  • You have an appropriate Mimecast Administration Console role:
    • Trials can be started by all Administrators with More Products | Enroll role permissions. By default, these are Partner, Full, and Super Administrators.
    • The Administrator will need Collaboration Full Permissions to create the initial Collaboration Security configuration.
      • Default roles with Collaboration Full Permission are Super, Full, and Partner Administrators.
      • The default role with Collaboration Basic Permission is Basic Administrator.
      • The default role with Collaboration Helpdesk Permission is Help Desk.
  • You have Microsoft 365 Global Administrator Role to grant app consent.
  • At a minimum, a Microsoft 365 Business Basic license is required to scan and remediate threats for SharePoint & OneDrive.

Setting up Protection for Microsoft SharePoint & OneDrive

To set up Protection for Microsoft SharePoint & OneDrive, follow the steps below:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to More Mimecast Products from the left-hand menu.
  3. Click on Protection for Microsoft SharePoint & OneDrive.
    Protection for Microsoft SharePoint & OneDrive trial
  4. Depending on the status of your account, click on:
    • Free Trial to set up your free trial of Protection for Microsoft SharePoint & OneDrive.
      Only a Partner Administrator can start a trial, if your account is associated with a Managed Service Provider.
    • Configure to configure Protection for Microsoft SharePoint & OneDrive.
  1. The Next Steps gives more information to guide you to complete the setup. 

Protection for Microsoft SharePoint & OneDrive Next Steps

  1. Click Continue to review the Terms and Conditions for the trial. 

Evaluation Agreement

The terms and conditions step is for Trial customers only, and will be skipped automatically if you are a new customer and have been provisioned with Protection for Microsoft SharePoint & OneDrive.
You will not be prompted to accept the Terms and Conditions again, you have already configured Protection for Microsoft Teams.

  1. Once the Terms and Conditions are accepted, we’ll verify your details, and you'll see that your account is being prepared. Click on Continue.
Preparing Your Account

Once you can continue, you will see "Your trial is ready", and you will need to click on Configure Here, where prompted.

Trial Is Ready

The "chip" for More Mimecast Products | Protection for Microsoft SharePoint & OneDrive will change from "Preparing" to "Configure".
The More Mimecast Products | Protection for Microsoft SharePoint & OneDrive page action will update, from Trial Sign-up information, to Configuration details.
You will need to click on Get Started, to continue.

Get Started Microsoft SharePoint & OneDrive
  1. You will be returned to the Next Steps screen. Click on Continue

    Getting Started Microsoft SharePoint & OneDrive
  2. Protection for Microsoft SharePoint & OneDrive Configuration allows you to select:
      • Both Services (Recommended), SharePoint Only, or OneDrive Only.
      • Your Default Policy ConfigurationMonitor (recommended), or Protect.

OneDriveSharepointMonitor.png

  1. Click on Save & Continue To Microsoft.
  2. Log in using your Microsoft Global Administrator Role credentials, and you’ll be redirected to the Microsoft application consent page, to consent to the permissions required by the app.

SharePoint OneDrive permissions-b-350-s.jpg

Where Microsoft requires you to accept any Terms and Conditions as part of the permission granting process, it is your responsibility to fully review and understand the content of such Terms and Conditions before accepting them.

  1. Once you've clicked on Accept, you’ll return to Microsoft SharePoint & OneDrive Configuration, which is now complete.
     
MS SharePoint OneDrive setup completed-500-s.jpg

14-day Threat Scan

Mimecast will perform a historic scan after Protection for Microsoft SharePoint & OneDrive has been configured. This will scan Microsoft SharePoint & OneDrive content, and identify attachments from Microsoft Teams (stored in Microsoft SharePoint), for the last 14 days. Once the scan is complete, you can select the action you would like to take.

When using a purchased subscription of Protection for Microsoft SharePoint & OneDrive an all-time scan gets executed to identify harmful shared file content. Next to this a 30-day scan runs every 30 days on items updated during this time. This happens in conjunction with the newly uploaded or updated scan that scans items close to real-time. You can see all detected threats or view the threats from the Detections page.

Product Trials

If you are using a free trial of Protection for Microsoft SharePoint & OneDrive, you can view the status of your Product Trials, by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to  Account | Product Trials.
  3. The Product Trials page displays your Product Trials, and the corresponding subscription status(es).

Viewing Detected Threats

You can view all scanned items from the Detections page. By default, you’ll see Malware, Phishing, and Untrustworthy items. You can click on an entry to see full details.

If you’re using Monitor mode or choose not to quarantine threats automatically, you can quarantine them manually by following the steps below.

You can navigate to the Detections page, by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to MORE SERVICES | Collaboration Security.

  3. The Collaboration Security Home page opens, and displays:
    • Statistics for Malware, Phishing and Untrustworthy content (by default), that has been detected in the selected time period.
    • Detections Overview, with graphs to display data over the selected time period.

The default Date Range is 30 days, you can amend this to Last 24 hours, Last 7 days, Last 30 days, or Last 60 days, as required.


  1. Navigate to Detections. This will display the threats that have been detected.

    The default Date Range is 30 days, you can amend this to Last 24 hours, Last 7 days, Last 30 days, or Last 60 days, as required.


    Detections
    Field Description
    Content Displays the Filename associated with the detected threat.
    Services Displays which service the detected threat was received from (e.g. OneDrive).
    Analysis Displays the type of threat that has been identified, e.g.:

    Malware: Malicious software designed to disrupt, damage, and gain unauthorized access to a network and its linked devices.
    Phishing: Social Engineering content, Malicious URLs, and Weaponized Attachments are some examples of phishing content.
    Untrustworthy: Suspicious messages detected by Mimecast systems as untrustworthy could be from a known bad source or contain content we cannot be sure is safe.
    Safe/Clean: Emails are determined as safe by Mimecast's detection engines.
    Status Displays the current state of the detected threat, examples:

    Scanned.
    Quarantined.
    Manually quarantined.
    Recipient This displays the chat recipient of the detected threat, and is not applicable for Microsoft SharePoint & OneDrive.
    Policy / Rule Displays which Policy or Rule was triggered, which mode, and what action was taken.
    Sender / Uploader or Sender This displays the sender or name of the person who uploaded a file, for detected threats.

    • If you are using Microsoft SharePoint & OneDrive, you will see the Sender/Uploader column, containing the corresponding data.
    • Otherwise you will instead see the Sender column, containing the corresponding data.
    Date / Time This displays the date when the detected item was processed by Mimecast.
  2. You can use advanced Filters on your detected threat data; the default filters are Malware, Phishing and Untrustworthy.
  3. You can click on the Filter button, to remove existing filters, clear all filters, or to drill down to filter by sub-categories:
     
    Filter Categories Sub-items
    Service Teams
    SharePoint
    OneDrive
    Analysis
    Malware 
    Phishing 
    Safe/Clean 
    Untrustworthy
    Block Rule
    Status
    Blocked 
    Delivered 
    Manually quarantined 
    Manually restored 
    Quarantined
    Quarantine failed 
    Quarantine in progress 
    Manually removed
    Remove failed 
    Remove in progress
    Restore failed 
    Restore in progress 
    Scanned
  4. You can Apply the filter customizations that you have made, or click on Cancel to close without applying changes.

Searching Detected Threats

You can search within Detections, by using the following steps:

  1. Open the Collaboration Security area.
  2. Click on Detections.
  3. The Search section allows you to specify:
    • Date Range: This field is used to specify the Date Range for your search:
      • Last 24 hours.
      • Last 7 days.
      • Last 30 days (this is the default value).
      • Last 60 days.
    • Target / Operator: Select a Target to search by, a relevant Operator and a corresponding Expression, to create your search criteria. The available Operators will depend on the Target type selected.
Target Operator Expression
Content, Recipient or Sender/Uploader: Select this field to search by message title or filename associated with the detected threat.
  • is.
  • is not.
  • contains.
 Enter a string, without double quotes.
Contains only takes a single value.

 

• For Contains searches, case is not considered, and partial matches are included.
OR conditions for the same field can be aggregated into the row via comma or the use of OR.
AND conditions for the same field can be added as multiple sets of search criteria.

    • +Add Criteria: Click on this to add the criteria that you have entered. The Query View updates, to display your search criteria.
  1. Click on Search to run the search. The list of detected threats is updated, to display items corresponding to your search criteria.
  2. You can enter further set(s) of criteria, by:
    • Selecting the Condition of AND.
    • Entering the TargetOperator and Expression for the additional search criteria.
    • Clicking on +Add Criteria to add them. The Query View updates, to display your search criteria, and the list of detected threats is updated accordingly.
  1. You can remove search criteria, by clicking on Remove Criteria next to the item.
  2. You can click on Clear Search to clear the search criteria. The list of detected threats is updated accordingly.

Managing Detected Threats

You can manage detected threats, by using the following steps:

  1. Open the Collaboration Security area.
  2. Click on Detections.
  3. You can click on a detected threat to display threat details.
    Each detected threat is displayed using detail panels, each displaying a deep analysis:
    Panel Description
    Analysis The analysis panel displays the type of threat, the status, the scan type and the uploaded by details.
    Policy Displays the policy name, mode, and action performed.
    Filename Displays details about the detected file.
    This contains the following:
    • File Path
    • Last Modified by.
    • Last Modified Date/Time.
    • A link to allow you to navigate to the quarantine folder on Microsoft SharePoint.
    Detailed Analysis Display detailed data about the detected file.
    Recent Scan History Displays detailed data about the scan history of an item, which can be scanned multiple times; the last five scan results for the item/file will be displayed.

    When reviewing an item that has been scanned again, it will display a banner allowing you to access the latest scan result.

    Newer scan results
  4. You can carry out an action on the selected detected threat, depending on its state:
    • Microsoft OneDrive:
      • Safe/Clean, with status Delivered: You can click on Quarantine, or click the Back arrow to return to Detections.

      • Malware, with status Scanned: You can click on Quarantine, Report As Safe, or click the Back arrow to return to Detections.

      • Malware, with status Quarantined: You can click on Restore, Report As Safe, or click the Back arrow to return to Detections.

      • Untrustworthy, with status Quarantined: You can click on Restore, Report As Safe, or click the Back arrow to return to Detections.

      • Block Rule, with status Quarantined: You can click on Restore, or click the Back arrow to return to Detections.

    • SharePoint:
      • Safe/Clean, with status Scanned: You can click on Quarantine, or click the Back arrow to return to Detections.

      • Malware, with status Scanned: You can click on Quarantine, Report As Safe, or click the Back arrow to return to Detections.

      • Malware, with status Quarantined: You can click on Restore, Report As Safe, or click the Back arrow to return to Detections.

      • Malware, with status Quarantine in progress: Quarantine and Report As Safe actions are not enabled, because quarantine is in progress. You can click on the Back arrow to return to Detections.

      • Block Rule, with status Quarantined: You can click on Restore, or click the Back arrow to return to Detections.

      • Phishing, with status Quarantined: You can click on Restore, Report As Safe, or click the Back arrow to return to Detections.

      • Untrustworthy, with status Scanned: You can click on Quarantine, Report As Safe, or click the Back arrow to return to Detections.

      • Untrustworthy, with status Quarantined: You can click on Restore, Report As Safe, or click the Back arrow to return to Detections.

  1. Once you've completed an action, you will return to the Detections page, and notified when the action is complete.
  2. The Status for the actioned item will update accordingly.

Fail Safe Behavior

It's sometimes not possible to move a file to the Quarantine section (or restore it from the Quarantine section), if extra custom columns have been added to Microsoft SharePoint, or Microsoft OneDrive.
If this happens, the file will be copied and pasted across, instead.

If a file has been copied and pasted, versioning information will be lost.

Policy Management

The Default Policy protects your whole organization; however, if you need to make changes, then you can create a new policy.

You can manage Policies for File Sharing, by using the following steps:

  1. Open the Collaboration Security area.
  2. Click on Policies | File Sharing.



  3. In the File Sharing Policies screen, you can:
    •  Click on the ellipsis "..." for an existing Policy, and select an action:
      • View: Selecting this option opens the Policy.
      • Delete: Selecting this option deletes the Policy.
      • Duplicate: Selecting this option duplicates a Policy, allowing you then make and save changes.
      • Move Policy Up: Selecting this option allows you to move a Policy further up the list of Policies.
      • Move Policy Down: Selecting this option allows you to move a Policy further down the list of Policies.

The Default Policy cannot be moved up or down, deleted, duplicated, or disabled.

    • Click on New Policy and add details for the Policy.

If you are configuring a Microsoft SharePoint Policy:

New Sharepoint policy
    • Select SharePoint under the Service section.
    • Enter a Name for the Policy.
    • Enter a Description (optional).
    • Select the target, All Files & Folders, or Files or Folders.
    • Select a Mode of Protect, or Disabled.
    • Select the Detection Actions for Malware, Phishing and Untrustworthy.
    • Select your required Detection Engine settings for Phishing & Impersonation:
      • Phishing: Choose how aggressively the system acts on threats, either Moderate (recommended), or Aggressive.
      • Untrustworthy: Choose how aggressively the system acts on threats, either Moderate (recommended), or Aggressive.
      • Attachment: Choose whether to enable or disable the checking of vulnerable file types for threats in the sandbox.
    • Set your alert preferences.
      • You can use this to ensure a message is sent to the administrator email addresses you specify, when the selected detection categories are matched by the Policy.
      • You can select whether to notify End Users (for malware and phishing quarantine only).
        SharePoint alert
    • Click on Save.

If you are configuring a Microsoft OneDrive Policy, follow the same steps as for a SharePoint Policy, but with the following changes:

    • Select OneDrive under the Service section.
    • Select the Target: All Users & FilesFiles or Folders, AD Users, or AD Groups.
    • Click on Save, once all other required details have been entered.

Configuration 

Service Authorizations

You can view and re-authorize your subscribed services, by using the following steps:

  1. Open the Collaboration Security area.
  2. Click on Configuration | Service Authorizations.

  3. You can click on Settings to see your subscription details for Microsoft SharePoint & OneDrive, where you can use the toggles to enable / disable Microsoft SharePoint and / or Microsoft OneDrive.

     
  4. You can click on Re-Authorize if you need to re-authorize Microsoft SharePoint & OneDrive:

    You would use the re-authorize option if you need to carry out "clean" re-installation.


  5. You can then click on Cancel, or on Re-Authorize to sign in as your Microsoft 365 Global Administrator, then authorize the application.

Settings

You can view and update your Settings, by using the following steps:

  1. Open the Collaboration Security area.
  2. Click on Configuration | Settings.

  3. You can use the TTP managed URLs confirmation tick-box to select whether Targeted Threat Protection (TTP) Managed URLs is enabled for Microsoft Teams, SharePoint & OneDrive. Click on Save to save your changes.
  4. If specific URLs need to be allowed, then this can be managed from Targeted Threat Protection - URL Protect - Managed URLs.

Reporting

You can set up Reports for your Detections data, including the frequency and who receives them.

You can manage Reports, by using the following steps:

  1. Open the Collaboration Security area.
  2. Click on Reports. This contains two tabs:
    • Archive: This shows a list of reports to date, where you can carry out the following actions, via the ellipsis "..." :
      • Resend a Report.
      • View a Report.
 
    •  Settings: You can use this to select which day of the week the Report is created on, and to choose which users and groups it's sent to.

Audit Logs

You can search for, review and export Audit Logs relating to your Collaboration Security service via the Mimecast Administration Console, by using the following steps:

  1. Log on to the Mimecast Administration Console.
  2. Navigate to Account | Audit Logs.
  3. Collaboration Security data is shown under the Collaboration Security Logs Category.

Audit Logs New-b-1000-s.jpg

Removing Mimecast app consent

If your trial has expired, or you no longer use Protection for Microsoft SharePoint & OneDrive, you can delete the app consent from the Microsoft Entra admin center. See Microsoft's page for more details.

Quarantined File Management

You can quickly access the Quarantine folder on your Microsoft SharePoint instance, by:

  • Opening a detection, and using the link that is displayed in the Filename section.

    Detection, Filename section
  • Via Configuration | Service Authorizations | Microsoft SharePoint & OneDrive.

    Quaratine folder link via Service Authorizations

By default, all Microsoft Global Administrators have access to the Quarantine folder.

See Also..

 

Related to

Was this article helpful?
1 out of 1 found this helpful

Comments

0 comments

Please sign in to leave a comment.