Overview
To help protect you from data loss, you can use Incydr to monitor files moving to and from Microsoft OneDrive and SharePoint.
When you add Microsoft 365 - OneDrive and SharePoint as a data connection, you must authorize Incydr using your Microsoft global administrator account. Once connected, we monitor your organization's OneDrive and SharePoint environment to capture when a user:
- Creates or uploads a file
- Downloads a file
- Shares a link to a file
- Shares a file directly with users inside or outside your organization
- Deletes a file
This article explains how to add OneDrive and SharePoint as a data connection.
Considerations
The following considerations apply to OneDrive and SharePoint. See also the considerations applicable to all cloud storage environments.
- Incydr requires a Microsoft license or subscription that includes Audit (Standard) in order to monitor file activity in your OneDrive and SharePoint environments.
- Audit must be turned on in your Microsoft environment.
- Incydr attempts to use the Microsoft UserPrincipalName (UPN) when displaying user information in Forensic Search. If this attribute in Microsoft Entra ID (formerly Azure AD) is not an email address, trusted domains do not work as expected, because trusted-domain matching is performed against the domain portion of that value.
- Microsoft limits API requests made by third-party integrations such as Incydr. Throttling these API requests allows Microsoft to better control their resources, but may slow down Incydr file metadata collection, especially after first configuring access to OneDrive and SharePoint.
- Because Incydr prioritizes file-based monitoring, detection of sharing permissions changes to folders in OneDrive may be delayed.
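The two considerations above that you can verify before authorizing the connection (unified audit logging is on, and every monitored user's UPN is an email-style address) can be checked from PowerShell. The script below is an added pre-flight check, not part of Incydr's or Microsoft's documentation. It assumes the ExchangeOnlineManagement and Microsoft.Graph PowerShell modules are installed and that the signed-in account can read the tenant audit configuration and user objects; the `$emailLike` pattern and the "UPN domain differs from mail domain" heuristic are this example's own choices.

```powershell
# Added pre-flight check, not Incydr or Microsoft code.
# Assumes: ExchangeOnlineManagement and Microsoft.Graph modules installed;
# the account used can read audit config (Exchange Online) and users (Graph).
Import-Module ExchangeOnlineManagement
Import-Module Microsoft.Graph.Users

# 1. Unified audit logging must be on, or Incydr sees no OneDrive/SharePoint file activity.
Connect-ExchangeOnline -ShowBanner:$false
$audit = Get-AdminAuditLogConfig
if (-not $audit.UnifiedAuditLogIngestionEnabled) {
    Write-Warning "Unified audit logging is OFF. Enable it before adding the data connection:"
    Write-Warning "  Set-AdminAuditLogConfig -UnifiedAuditLogIngestionEnabled `$true"
} else {
    Write-Host "Unified audit logging is enabled."
}
Disconnect-ExchangeOnline -Confirm:$false

# 2. Incydr keys Forensic Search display and trusted-domain matching on the UPN,
#    so report enabled users whose UPN is not an email address, and (weaker signal)
#    users whose UPN domain differs from their primary mail domain.
Connect-MgGraph -Scopes "User.Read.All" -NoWelcome
$emailLike = '^[^@\s]+@[^@\s]+\.[^@\s]+$'   # example heuristic, not a full RFC 5322 check
$users = Get-MgUser -All -Property Id,UserPrincipalName,Mail,AccountEnabled

$report = foreach ($u in $users) {
    if (-not $u.AccountEnabled) { continue }      # disabled accounts generate no file activity
    $reason = $null
    if ($u.UserPrincipalName -notmatch $emailLike) {
        $reason = 'UPN is not an email address'
    } elseif ($u.Mail -and ($u.Mail.Split('@')[-1] -ne $u.UserPrincipalName.Split('@')[-1])) {
        # -ne is case-insensitive in PowerShell, which is what we want for domain names
        $reason = 'UPN domain differs from mail domain'
    }
    if ($reason) {
        [pscustomobject]@{
            UserPrincipalName = $u.UserPrincipalName
            Mail              = $u.Mail
            Reason            = $reason
        }
    }
}

if ($report) {
    Write-Warning "$(@($report).Count) user(s) may not match trusted domains correctly:"
    $report | Format-Table -AutoSize
} else {
    Write-Host "All enabled users have email-style UPNs."
}
Disconnect-MgGraph | Out-Null
```

Run this with an account that has read access to the tenant before you authorize the connection; anything in the second report is a candidate for a UPN change (or for a trusted-domain entry covering the UPN's actual domain) so that sharing outside the organization is classified as expected.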
When ongoing file activity is detected, Incydr temporarily streams files from your cloud storage or email service to the Incydr cloud to calculate the file hash. (Hash values are not calculated during the initial inventory process.)
This appears in your vendor logs (for Microsoft 365, the unified audit log) as users downloading files. The requesting service's IP address may point to Microsoft Azure hosts. Consider adding these IP addresses to your allowlist to reduce false alerts in your vendor logs. Allowlist only the specific addresses you observe rather than whole Azure address ranges, since a broad entry would also suppress alerts for any other Azure-hosted source, and keep in mind that these addresses can change.
File contents are never stored or written to disk during this process.
A single file event in Forensic Search may represent more than one action in cloud storage
There's not always a strict one-to-one relationship between the actions a user takes on a file in your corporate cloud storage environment and the file event representing those actions in Incydr. After detecting activity, Incydr makes a best effort to interpret the user's actions on a file in cloud storage. Incydr may combine several of those actions into one file event to more efficiently and effectively display those details. For example, a user modifying a file repeatedly a few seconds apart in the cloud storage environment may appear as one "file modified" event in Forensic Search.
Throttling of API requests by the cloud storage vendor can also slow Incydr's metadata collection and affect how file events are displayed in Forensic Search. Both this throttling and Incydr's interpretation of actions can cause multiple actions in cloud storage to be displayed in fewer events in Forensic Search.
Before you begin
Before you authorize the Incydr connection to your OneDrive and SharePoint environments, follow the directions in Configure Microsoft for the Incydr OneDrive and SharePoint data connection to properly set up your Microsoft environment to allow Incydr to collect data.
Authorize Incydr's connection to OneDrive and SharePoint
- Sign in to the Incydr console.
- Select Administration > Integrations > Data Connections.
- Click Add data connection.
The Add data connection panel opens.
- From Data connection, select Microsoft 365 - OneDrive and SharePoint under Cloud storage.
- Enter a Display name. This name must be unique.
- Incydr prompts you to verify that auditing is turned on in your Microsoft environment. You completed this verification when you configured your Microsoft environment in preparation for the connection, so select the I've completed these steps check box and then click Continue.
- Select the scope of users to monitor:
  - All: Monitors all Microsoft 365 users in your environment.
  - Specific users: Monitors only the Microsoft 365 users you designate.
    - Click Upload .CSV file.
    - Select the scoping CSV file that contains a list of only those users you want to monitor.
  - Specific groups: Monitors only the users in the Microsoft 365 groups you designate.
    - Click Upload .CSV file.
    - Select the scoping CSV file that contains a list of only those Microsoft 365 groups whose users you want to monitor.
- In Incydr federal (FedRAMP) environments, an additional question appears: Is this data connection for a GCC High environment?
  - Select Yes or No, based on your environment type. If you don't know your environment type, contact your Microsoft administrator before continuing. You must select the correct environment type to authorize the connection and complete the setup.
- Click Authorize.
The Microsoft sign-in screen appears.
- Enter your Microsoft administrator credentials.
- Review the terms and agreements, including the permissions that the Incydr connection requires, and click Accept.
Microsoft OneDrive and SharePoint is added as a data connection and Incydr begins the initial inventory process.
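If you scope the connection to specific users but the people you want to monitor are maintained as Microsoft 365 group memberships, you need a user list to upload. The script below is an added example, not Incydr's or Microsoft's code, that builds such a list from one or more groups with the Microsoft.Graph PowerShell module. The group names are hypothetical, and the column layout Incydr expects in a scoping CSV is not stated on this page: a single `UserPrincipalName` column is an assumption that you should confirm against the Incydr scoping CSV instructions before uploading.

```powershell
# Added example, not Incydr or Microsoft code.
# Assumes: Microsoft.Graph module installed; account can read groups and users.
# ASSUMPTION: a one-column CSV headed "UserPrincipalName" - verify the expected
# scoping CSV layout in the Incydr documentation before uploading.
param(
    [string[]]$GroupNames = @('Finance', 'Engineering'),   # hypothetical group names
    [string]$OutFile = '.\incydr-scope-users.csv'
)
Import-Module Microsoft.Graph.Groups
Connect-MgGraph -Scopes 'Group.Read.All', 'User.Read.All' -NoWelcome

$emailLike = '^[^@\s]+@[^@\s]+\.[^@\s]+$'   # same heuristic idea as the pre-flight check

$rows = foreach ($name in $GroupNames) {
    # Escape single quotes for the OData filter; take the first match if names collide.
    $escaped = $name.Replace("'", "''")
    $group = Get-MgGroup -Filter "displayName eq '$escaped'" -Property Id,DisplayName |
             Select-Object -First 1
    if (-not $group) { Write-Warning "Group '$name' not found; skipping"; continue }

    # Get-MgGroupMember returns generic directory objects; user attributes are in AdditionalProperties.
    Get-MgGroupMember -GroupId $group.Id -All | ForEach-Object {
        $props = $_.AdditionalProperties
        # Skip nested groups, devices and service principals: only users own OneDrive file activity.
        if ($props['@odata.type'] -ne '#microsoft.graph.user') { return }
        $upn = $props['userPrincipalName']
        if ($upn -notmatch $emailLike) {
            Write-Warning "Skipping $upn from '$name': UPN is not an email address (trusted domains would not match)"
            return
        }
        [pscustomobject]@{ UserPrincipalName = $upn }
    }
}

# De-duplicate users who belong to more than one group, then write the CSV.
$unique = $rows | Sort-Object -Property UserPrincipalName -Unique
$unique | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host "Wrote $(@($unique).Count) user(s) to $OutFile"
Disconnect-MgGraph | Out-Null
```

Nested groups are skipped rather than expanded so that the resulting list matches exactly what you reviewed; if you need transitive membership, expand the nested groups deliberately and re-run the UPN check on the combined list.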
Next steps
Now that you have added a data connection, learn more about:
- Common use cases for investigating security incidents with Forensic Search
- How to use Forensic Search
- Adding trusted domains to easily identify when files are shared with users not on your list of approved domains
- Viewing and managing a cloud storage file's sharing permissions
Troubleshooting
Issues in your Microsoft environment can cause errors with the Incydr connection. When such issues occur, the connection in the Data Connections table is highlighted in red and an error message is displayed at the top of the screen. When this occurs, click the connection in the Data Connections table. The detail panel opens and lists the specific error so that you can resolve it.
Refer to these articles to troubleshoot specific errors that can appear for the OneDrive and SharePoint connection in the Data Connections list:
- Resolve "There is an issue with the connection" error
- Resolve maximum user drives exceeded errors
- Troubleshoot app permission errors for Microsoft OneDrive and Office 365 email
- Resolve "Microsoft Audit Log is inaccessible" errors for OneDrive
- Reconfigure scoping for user and group monitoring
External resources
Microsoft:
- Manage sharing in OneDrive and SharePoint
- Microsoft Graph permissions reference
- Turn auditing on or off