Protection for Microsoft SharePoint & OneDrive

Updated

This article contains information on Mimecast Protection for Microsoft OneDrive & SharePoint, detailing its features, setup process, historical scans, policy management, and file quarantine procedures to enhance document security within Microsoft environments. It is intended for Administrators.

Overview

Mimecast Protection for OneDrive & SharePoint allows users to store, share, and collaborate on documents securely. Fully integrated with Email Security Cloud Integrated and easy to manage by design, it lets you secure a rapidly expanding attack surface without burdening your end users with additional security challenges.

Key Features

  • Deep scanning of all newly uploaded or created files in near real-time.
  • Continuous scanning of files edited in the last 30 days.
  • 14-day historical scan on initial trial setup.
  • Full one-time historical scan for all Microsoft SharePoint & OneDrive files upon purchase.
  • Easy administration with a unified dashboard for Email and Collaboration Security.
  • Quarantining of malicious files, with easy file restoration for administrators when needed.
  • Optimized default policy out of the box.
  • Ability to create custom policies if needed.
  • Full deployment in minutes.

Prerequisites

To utilize this feature, you must meet the following requirements:

  • Have an active Email Security Cloud Integrated account.
  • Access to Microsoft SharePoint & OneDrive.
  • Have access to a Microsoft Global Administrator Role to grant app consent.
  • At a minimum, a Microsoft 365 Business Basic license is required to scan and remediate threats for Microsoft SharePoint & OneDrive.

Considerations

  • The file size limit is 100MB.
  • You may observe Quarantine in progress status for up to 5 minutes if many files are being moved to quarantine.
  • If you wish to enable Mimecast Protection for Microsoft OneDrive & SharePoint, speak to your Customer Support Manager (CSM).

Getting started

  1. Log into your Email Security Cloud Integrated console.
  2. Select More Mimecast Products from the navigation menu.
  3. Select Protection for Microsoft SharePoint & OneDrive.

If you are supported by a Managed Service Provider (MSP), then your Partner Administrator can do this for you.

  1. Navigate to More Mimecast Products from the left-hand menu.
  2. Click on Protection for Microsoft SharePoint & OneDrive to view the product features.
  3. Click "Get Started" to begin.
  4. The Next Steps gives more information to guide you in completing the setup.
  5. Click Continue to review the Terms and Conditions for the trial.

The terms and conditions step will be skipped automatically if you are a new customer and have been provisioned with a trial.

  1. Once the Terms and Conditions are accepted, we'll verify your details and take you to the policy setup.
  2. Select the service you want to protect, Both Services (recommended), or you can select SharePoint Only or OneDrive Only.

If you do not select both services, the historical will only apply to the selected service.

  1. Select your default policy, Monitor (recommended), or Protect, then select Save & Continue To Microsoft.
  2. You'll be redirected to the Microsoft application consent page using your Microsoft Global Administrator Role login and consent to the permissions required.
  3. When complete, you will be redirected to the Home page.

Historical Scans

Historical scans differ depending on the licensing level you have in place; see the table below to understand what scanning is available to you.

License Option Details
Trial License 14 Day Scan Mimecast will perform a historical scan on all files edited in the last 14 days. Once the scan is complete, you can select the action you would like to take. Detected threats can be viewed from the Detections page.
Full License All files, Users, and Directories

Mimecast will perform a full scan on all files within SharePoint and OneDrive and apply policy actions. When the process is complete, we will send you an email. Detected threats can be viewed from the Detections page.

 

This process can take several days or weeks, depending on the number of files and size.
Full License 30-Day Continuous Scanning Mimecast will perform periodic scans on all files edited in the last 30 days every 30 days. Detected threats can be viewed from the Detections page.

Detections

View File Details, Detection Events & Manual Threats Removal

You can view all scanned messages from the Detections page. By default, you'll see Malicious or Suspicious messages. You can click on a message to see full details.

If you're using Monitor mode or choose not to remove historical threats automatically, you can remove them manually by following the steps below:

  1. Navigate to the Detections page.
  2. Expand the Filter options by clicking the down arrow in the Filter By panel.
  3. Tick the checkboxes for the services you wish to filter by, i.e., SharePoint and/or OneDrive.

  1. Scroll down the Filter Options list, select the Status as Scanned, and then Apply.

  1. If the file should be Quarantined, click the Quarantine button.

From this screen, you can view detailed information about the file, the scan analysis, the policy action currently applied, and the recent scan history of the file.

  1. Provide a reason for the quarantine and confirm the action by clicking Quarantine.

  1. Once the file containing the malicious or suspicious URLs is Quarantined, the status of that message will be updated to Manually Quarantined.

The blocked attachments can be downloaded directly from the details section if needed.

Recent Scan History

On the file details screen, you can examine the Recent Scan History panel to view the scan results each time that file has been scanned. So, you will often see multiple entries in this list based on how often the file is modified or scanned by the policies configured.

You will often see multiple entries in this list based on the Scan Type and how often the file is modified or scanned by the policies set. For example:

  • Historical Scan.
  • 30-Day Continuous Scan.
  • Live Scan.

When searching for a file, you will see the results presented in the scan history order, with the most recent at the top, and when viewing scan results, if a more recent result is available for that file, you will see a banner with the option to View Latest Scan.

Policy Management

Creating a Policy

The default policy protects your whole organization; however, if you need to make changes, then you can create a custom policy using the following steps:

  1. Navigate to Policies | File Sharing.
  2. Click on New Policy.
  3. Select the Service (SharePoint or OneDrive).
  4. Provide a Name and Description for the policy to identify it in the logs easily.
  5. Select the policy Target (these differ depending on the service as outlined):
  • SharePoint:
    • All Files & Folders.
    • Files or Folders.
  • OneDrive:
    • All Users and Files.
    • Files or Folders.
    • AD Users.
    • AD Groups.

For targeted Files & Folders, copy and paste the file or folder path from SharePoint or OneDrive by locating the file or folder, then click the ellipses, followed by details and more details. Scroll down to "Path" and select the clipboard copy icon.

  1. Select a Mode - Protect or Disable.
  2. Select the Detection Action for each threat identification.
  • Malware - Quarantine is the default
  • Phishing - Quarantine is the default
  • Untrustworthy - Quarantine is the default
  1. Set your Alert Preferences. - Notification emails are sent to Administrators for each alert type.
  2. Scroll to the top and click Save.

Modifying Policies

  1. Navigate to Policies | File Sharing.
  2. Click on the specific policy row you wish to change.
  3. From here, you can:
  • Edit the currently selected policy (click Save to apply changes).
  • Duplicate the selected policy.
  • Restore the policy to its default settings.
  • Delete the current policy.

Quarantined File Management

Mimecast creates a Mimecast Quarantine folder in the root of SharePoint, where files are moved when threats are detected. This retains the file versioning information.

You can directly access the quarantine folder from the Detections page if you need to view the details of a quarantined file. To do this:

  1. Log in to Email Security Cloud Integrated.
  2. Navigate to the Detections menu item.
  3. Expand the Filter options by clicking the down arrow in the Filter By panel.
  4. Tick the checkboxes for the services you wish to filter by, i.e., SharePoint and/or OneDrive, and click Apply.
  5. Browse the filtered results for the detected file you wish to investigate.
  6. Once a quarantined item is selected, you can click the Open Quarantine Folder in SharePoint link button in the Filename section of the detailed view. (see below image)

You can also access the folder from the Service Authorization menu for SharePoint & OneDrive.

Managing App Consent

If you're experiencing permission issues or accidentally removed Mimecast app consent, you can reauthorize Mimecast.

To do this:

  1. Ensure you are logged in with a Global Administrator level account.
  2. Navigate to Configuration | Service Authorization.
  3. Click on SharePoint & OneDrive.
  4. Click on Reauthorize.
  5. Follow the on-screen prompts to confirm the action.

If your trial has expired or you no longer use Protection for Microsoft SharePoint & OneDrive, you can delete the app consent from the Azure Portal. See the Microsoft KB Article for more details.

Related to

Was this article helpful?
0 out of 0 found this helpful

Comments

0 comments

Please sign in to leave a comment.