This article explains how to configure the Microsoft OneDrive connector for the SaaS Security API policy for your account and create a OneDrive rule for the Data Protection Policy
The SaaS Security API policy requires a separate license from Cato. Please contact your Cato representative or official reseller for more information.
Note
Note: Please contact SaaSecAPI@catonetworks.com or your official Cato reseller for more information about using the SaaS Security API policy.
Create the connectors for the Microsoft 365 and OneDrive SaaS apps.
Each Microsoft OneDrive app and Azure tenant (according to the 365 app) are subject the Microsoft's rate limiting. For more information, see the Microsoft documentation.
-
The Microsoft 365 connector requires an admin with the global admin role to give permissions to Cato's SaaS Security API
To enable Cato's SaaS Security API to scan assets and content for OneDrive files and folders, the connector gives Cato the following permissions and actions with the OneDrive app:
-
Grant access to the app using Oauth2
-
Receive a token from the app to establish and maintain a secure connection
-
Connect to the Microsoft APIs and fetch data and scan files according to the SaaS Security API Data Protection policy, including:
-
Read files in all the sites collections
-
Sign in and read the full profiles of the users
-
Write files in all the sites collections (coming soon)
-
This section explains how to create API connectors for Microsoft 365 and OneDrive, and to connect them to your Cato account.
To enable Cato's SaaS Security API to scan assets and content for Microsoft OneDrive, first you need to configure the Microsoft 365 connector as the parent app to give read permissions for the OneDrive connector. The parent app only has permissions to manage the Microsoft connectors. Afterwards, if necessary, you can create a separate Microsoft 365 connector for each Azure tenant.
Use the Cato Management Application to create the Microsoft 365 SaaS application connector for the Azure tenant for the Microsoft OneDrive app that your are scanning with SaaS Security API. You must have the correct credentials to authenticate to Microsoft OneDrive app to add it to your Cato account.
Before you can create and configure the connector settings, first you need to enable SaaS Security API for your account.
To create the Microsoft 365 parent connector:
-
From the navigation menu, select Security > SaaS Security API and make sure that the feature is Enabled.
-
Click Create Connector.
-
In the New Connector panel, select the Microsoft 365 app.
-
Click Authorize and Save.
A new browser tab opens to the Microsoft 365 app.
-
In the new browser tab, authenticate to the Microsoft 365 app:
-
Select the Microsoft account for the Microsoft 365 app.
Otherwise there may be a Microsoft authentication error.
-
Enter the password for the app and approve it.
-
Accept the permissions to let Cato access the Microsoft 365 app.
-
The screen shows that you have successfully applied the permissions for the app.
You can close the browser tab and return to the Cato Management Application.
-
-
The Microsoft 365 SaaS application is added to the Connectors Settings screen.
The Microsoft OneDrive connector lets the Cato SaaS API engine scan emails for the content that you define in the Data Protection policy.
To create the connector for Microsoft OneDrive:
-
From the navigation pane, select Security > SaaS Security API and select or expand Connectors Settings.
-
Click New. The New Connector window opens.
-
Create a new OneDrive SaaS Application, for the Connector Parent you created in the previous section.
Currently, only Read permissions and actions are supported for the OneDrive app. However, Read/Write permissions and actions are coming soon.
-
Click Authorize and Save.
-
In a new browser tab, authenticate to the OneDrive app.
-
Select the Microsoft account for the OneDrive app and log in.
-
Enter the password for the app and approve it.
-
Accept the permissions for Cato to access the OneDrive app.
-
The screen shows that you have successfully applied the permissions for the app.
You can close the browser tab and return to the Cato Management Application.
It can take Microsoft Azure several seconds to process the request, so if you receive an error, refresh the browser.
-
-
The OneDrive SaaS application is added to the Connectors Settings screen.
The Status column on the Connectors Settings screen shows the status of the connection between the Microsoft app and your Cato account. These are the explanations of the statuses:
-
Connected - Your account is connected to the app and working correctly
-
Connection Warning - Some of the users in the Azure tenant are not configured correctly to support Cato's SaaS Security API (such as, no email address defined for the user). Please open a ticket with Support.
-
Connection Error - Connectivity or permissions issue, or rate limiting (Microsoft limitation) with the Microsoft connector. Please open a ticket with Support.
-
Pending User Consent - The OneDrive connector is created in the Connect Settings screen, however you haven't completed the process in the OneDrive account to authorize it to connect to Cato.
This section explains how to use the Data Protection policy to monitor and manage the actions that your users perform with OneDrive files. For example, sharing files, creating new files, uploading and so on.
For more about DLP Content Profiles, see Creating DLP Content Profiles.
When you create a Data Protection rule, you can define different actions to monitor or remediate the policy violations when the rule is matched. Each action automatically generates an event, and you can also choose to receive an email notification. For more about SaaS Security API events, see below Analyzing SaaS Security API Events.
These are the actions you can set for the Data Protection engine to perform when a rule is matched:
-
Monitor - Generates an event to let you monitor traffic that matches the rule.
-
Remove Share - When a user tries to share a file, the SaaS Security API engine removes the unauthorized sharing permission, and the user who receives a link to the shared file won't have permissions to access the file.
-
Quarantine - When a user tries to upload a file, the SaaS Security API engine moves it to a quarantine folder and then users can no longer access it. The Onedrive admin can access the file in the quarantine folder. For information about configuring quarantine folders, see Preparing for File Quarantine.
Configure quarantine folders for Data Protection and Threat Prevention rules, and define the OneDrive admin with permissions to access the folders. You can configure quarantine folders for each OneDrive admin for the tenant. When you configure the folders, you can then create rules with the Quarantine action, and define the folder that the file is moved to.
To configure quarantine folders for a OneDrive admin:
-
From the navigation pane, select Security > SaaS Security API and select the Settings tab.
-
Click New. The Quarantine Folder panel opens.
-
Select the OneDrive application connector.
-
Select the OneDrive admin to have access to these quarantine folders.
-
Click Save.
A Data Protection folder and a Threat Prevention folder are created for the admin, and can be configured in rules with the Quarantine action. The folders are named with the admin's email address, and located in the following OneDrive directories:
-
Data Protection folder: Cato_Qarantine/Cato_Qarantine_DataProtection
-
Threat Prevention folder: Cato_Qarantine/Cato_Qarantine_ThreatPrevention
-
Use the Data Protection page to add the SaaS application rules in your Data Protection policy.
Create a Data Protection rule to define the traffic that is scanned by SaaS Security API. Create separate rules for each SaaS app connector, and then define the criteria which determines which traffic is scanned.
For more information about the OneDrive rule settings, see below Understanding the OneDrive Rules.
To create a new Data Protection rule for the OneDrive app:
-
From the navigation pane, select Security > SaaS Security API and select or expand Data Protection.
-
Click New. The New Rule panel opens.
-
In Application Connector, select the OneDrive app.
-
In the General section, enter the settings for the rule.
-
In Owner, select one or more OneDrive file owners (default value is Any).
When you select multiple owners, there is an OR relationship between them.
-
In Sharing Options, select one or more file permission types (default value is Any).
When you select multiple options, there is an OR relationship between them.
-
In Attachments, define the criteria to specify the files which are scanned (the default setting is to scan all files).
-
In Content Profile, select the DLP Content Profile for this rule.
-
Select an Action.
For the Quarantine action, select a Quarantine folder path. For more about quarantine folders, see above ???.
-
(Optional) Configure tracking options to generate Events and Send Notifications.
For more information about notifications, see the relevant article for Subscription Groups, Mailing Lists, and Alert Integrations in the Alerts section.
-
Click Save. The rule is added to the Data Protection policy.
This section explains how to define the settings for the Data Protection rules to scan the correct OneDrive traffic. Each rule can be defined according to the following criteria:
-
Owner - individual users, or Azure types of users that are the owners of the relevant OneDrive directories (default value is Any)
-
Sharing Options - Select the types of file sharing permissions that match this rule (default value is Any)
For example, to monitor files that are shared with any external users, select External Link.
-
Attachments - Criteria for attachments that are scanned (default value is all attachments)
-
File Type
-
File Name
-
File Size (maximum file size is 100 MB)
-
-
Content Profile - DLP Content Profile that defines the DLP content inspection (Security > DLP Configuration > Content Profile)
-
Actions - See above Understanding OneDrive Actions
You can define specific files (or attachments) for a rule and limit the SaaS API engine to only scan the specified files to see if they match the DLP Content Profile.
When you add multiple files to a rule, select the relationship between them:
-
Satisfy any (OR) - Match only one of the File Types in the rule
-
Satisfy all (AND) - Match all the File Types in the rule (otherwise, the rule is ignored)
You can use the File Name setting in a rule to define the exact file name or use wildcards to define keywords. For example, you can define the File Name as internal to match all file names that contain the word internal.
The SaaS Security API engine inspects the data sequentially, and checks to see if it matches a rule. If the data does not match a rule, then it is not inspected. Rules that are at the top of the rulebase have a higher priority and they are applied before the rules lower down in the rulebase. Each type of application or connector is only applied to the data once.
Best Practice - To maximize the efficiency of your rulebase, we recommend that for each connector type, rules for specific users have a higher priority than rules that apply to Any users.
For example, if the data matches a connector in rule #2, the data is inspected by the SaaS Security API engine. The engine does not continue to apply rules #3 and below for the same connector. However, the data could match a lower priority rule with a different connector.
You can create Threat Protection rules for the connector to scan files and attachments for malware and viruses using the Anti-Malware and Next Gen Anti-Malware engines that are enabled for your account. The SaaS Security API engine scans the connector traffic and applies the action and tracking options that you configure for the rule.
These are the actions you can set for the Threat Protection engine to perform when a rule is matched:
-
Monitor - Generates an event to let you monitor traffic that matches the rule.
-
Remove Share - When a user tries to share a file, the SaaS Security API engine removes the unauthorized sharing permission, and the user who receives a link to the shared file won't have permissions to access the file.
-
Quarantine - When a user tries to upload a file, the SaaS Security API engine moves it to a quarantine folder and then users can no longer access it. The Onedrive admin can access the file in the quarantine folder. For information about configuring quarantine folders, see Preparing for File Quarantine.
Each action automatically generates an event, and you can also choose to receive an email notification. For more about SaaS Security API events, see below Analyzing SaaS Security API Events.
When you create a SaaS Security API Threat Protection rule, the Anti-Malware engines that are enabled for your account (Security > Anti-Malware) perform malware scans on the files that are sent for that connector application.
The following screenshot shows a Threat Protection rule for the OneDrive connector that scans files sent by Internal users or Guests:
Sometimes there is file blocked by Cato's SaaS Security API engines that you know is safe, and you need to allow it in the network. The Events page lets you use the file hash to create exceptions that bypass the Threat Protection scans. After you open an event for the specific file that was blocked, click the file hash to open the Exception Configuration panel and add the file as an exception for the account. You can choose the time duration for the file exception, or configure the exception to last forever.
File Exceptions for Anti-Malware and SaaS Security API
File exceptions apply across the Anti-Malware and SaaS Security API Threat Protection policies. When you create exceptions from Anti-Malware and NG Anti-Malware events, these exceptions also apply to the SaaS Security API Threat Protection policy. Similarly, when you create file exceptions from SaaS Security API Anti-Malware events, the exceptions also apply to the Anti-Malware policy. The full file exception list is shown on both the Anti-Malware page and the SaaS Security API Threat Protection page.
To create an exception for a file:
-
From the navigation menu, select Monitoring > Events.
-
Filter for the event using the Sub-Type of SaaS Security API Anti Malware.
-
From the Time column, expand the event.
-
In the event, click the File Hash link.
The Exception Configuration panel opens.
-
From the Duration drop-down menu, select how long the file is excluded from the Anti-Malware and NG Anti-Malware engines.
To create a permanent exception, select Forever.
-
Click Apply.
The exception is created and added to the File Exceptions section in the Threat Protection tab, and in the Anti-Malware page.
Remove an exception for the Threat Protection policy when it is no longer necessary.
The Monitoring > Events screen shows all the SaaS Security API events for your account. The powerful search tools let you drill-down and identify the few events that contain the relevant data that you need.
SaaS Security API events can be identified by the following fields:
-
Event Type - Security
-
Sub-Type - SaaS Security API Data Protection and SaaS Security API Anti Malware
You can learn more about using the Events screen here. You can use the SaaS Security API Data Protection preset to filter the events.
Field Name |
Description |
---|---|
Collaborators |
Email addresses of the users that received the file |
Connector Name |
Name for the connector that is defined for the rule |
Connector Type |
SaaS app that is defined for this connector |
DLP Profile |
DLP Content Profile that generated this event |
File Name |
Name of the attached file |
Matched Data Types |
Data Types in the Content Profile that matched the rule |
Owner |
File owner |
Parent Connector Type |
Parent Microsoft 365 connector |
Rule |
Name of the rule in the Data Protection policy |
Severity |
Severity defined for the rule |
Sharing Scope |
Sharing Options for the OneDrive file |
0 comments
Please sign in to leave a comment.