Overview
When you connect Incydr to Microsoft OneDrive and SharePoint, you grant certain permissions to Incydr in your Microsoft environment. This article lists the permissions Incydr requires as well as what those permissions allow Incydr to do in your Microsoft environment.
Permission requirements
Incydr collects file events from OneDrive and SharePoint. A file event is any activity observed for a file. For example, creating, modifying, sharing, renaming, moving, or deleting a file generates an event for that file. To see this file activity, Incydr requires access to your OneDrive and SharePoint environment. The permissions we request are:
- Directory.Read.All: Required to identify in-scope users and group membership.
- Files.Read.All: Required to request additional file metadata, stream a file for hashing, and to determine a file’s category when analyzing file activity.
- Files.ReadWrite.All: Required to grant temporary access to view a file and to view and manage sharing permissions.
- ActivityFeed.Read: Required to read audit events from the Office 365 Management Activity API.
- Sites.ReadWrite.All: Required for preventative controls to disable sharing for a user.
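As an added illustration (example code written for this article, not part of Incydr or Code42's own tooling), the following Python script compares the permissions actually consented to an app registration against the five permissions listed above and flags anything missing or extra, with write or manage scopes outside the documented set called out separately. The input is a constructed JSON document whose shape loosely follows Microsoft Graph's oauth2PermissionGrants response (a space-separated "scope" string per grant); that shape, and the resourceId values, are assumptions for the example.

```python
"""Audit consented Microsoft permissions for an Incydr app registration
against the set documented by Code42 (example code, not Incydr's own)."""
import json

# The five permissions listed in the Incydr documentation.
REQUIRED_PERMISSIONS = {
    "Directory.Read.All",
    "Files.Read.All",
    "Files.ReadWrite.All",
    "ActivityFeed.Read",
    "Sites.ReadWrite.All",
}

# Scope-name fragments that indicate write or management rights.
WRITE_MARKERS = ("ReadWrite", "Write", "FullControl", "Manage")

# Constructed sample input. The shape is an assumption modelled on the
# Graph oauth2PermissionGrants response: one record per resource, with
# "scope" holding space-separated permission names. Two unexpected
# scopes are included deliberately so the audit has something to flag.
SAMPLE_GRANTS_JSON = """
{
  "value": [
    {"resourceId": "graph-service-principal-id",
     "scope": "Directory.Read.All Files.Read.All Files.ReadWrite.All Sites.ReadWrite.All Mail.Read Sites.FullControl.All"},
    {"resourceId": "o365-management-service-principal-id",
     "scope": "ActivityFeed.Read"}
  ]
}
"""


def granted_permissions(grants_json: str) -> set:
    """Flatten every grant's scope string into one set of permission names."""
    doc = json.loads(grants_json)
    names = set()
    for grant in doc.get("value", []):
        names.update(grant.get("scope", "").split())
    return names


def audit(granted: set, required: set = REQUIRED_PERMISSIONS) -> dict:
    """Report missing and extra permissions relative to the documented set.

    Extra scopes that carry write or management rights are listed on their
    own, since those are the ones a reviewer will want explained first.
    """
    missing = sorted(required - granted)
    extra = sorted(granted - required)
    extra_write = [p for p in extra if any(m in p for m in WRITE_MARKERS)]
    return {
        "missing": missing,
        "extra": extra,
        "extra_write": extra_write,
        "ok": not missing and not extra,
    }


if __name__ == "__main__":
    # Fails the audit on the sample: Mail.Read and Sites.FullControl.All
    # are granted but not documented as required.
    print(json.dumps(audit(granted_permissions(SAMPLE_GRANTS_JSON)), indent=2))
```

In practice the JSON would come from an export of the app's consented permissions from your tenant rather than the inline sample; the comparison logic is the same, and a non-empty "extra_write" list is the finding to chase down first.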
This set of permissions gives Incydr access to the user information, file metadata, and drives needed to monitor file activity, as well as the ability to block cloud shares with Incydr's preventative controls. The set includes manage and write permissions required for the Incydr data connection. However, Incydr is committed to data integrity and does not:
- Write to or modify content in your cloud storage environment
- Monitor the contents of files in cloud storage
- Back up files in cloud storage
The Incydr data connection uses the Files.ReadWrite.All permission to allow security analysts to:
- Temporarily view cloud storage files in an investigation
- View a cloud storage file's sharing permissions to assess risk when a file is shared either publicly or with untrusted users
Why does Incydr request write permissions?
Incydr only uses write access to modify sharing permissions—never to change your file content. However, because Microsoft does not provide a permission scoped to only edit sharing permissions, Incydr must request the Files.ReadWrite.All permission. Incydr only uses this permission to:
- Allow analysts to temporarily change sharing permissions so they can view files during security investigations
- Enable analysts to revoke risky or unauthorized file sharing
- Apply preventative controls to block high-risk users from sharing files externally
More information on file activity
For more information on the specific metadata and file events visible in Forensic Search, see the File event metadata reference.
External resources
Microsoft documentation: Microsoft Graph permissions reference