To help protect you from data loss, you can use Code42 Forensic File Search to investigate attachments sent through users' Microsoft Office 365 Outlook email accounts that are detected by data loss prevention policies set up in Microsoft Office 365.
You can set up data loss prevention policies in the Microsoft Office 365 Security & Compliance Center that identify when a user emails an attachment that matches those rules. When you add Office 365 email as a data source for Code42 Forensic File Search, information about those attachments becomes available in Forensic File Search for investigation.
This article explains how to add Office 365 email as a data source for Forensic File Search.
- To allow Code42 access to Office 365 email, you must be a global administrator in Office 365.
- Your organization's Microsoft Office 365 license must include access to the Security & Compliance Center to set up data loss prevention policies for email attachments. Those data loss prevention policies must be configured and tested before adding Office 365 email as a data source in Code42.
- Once authorized, Code42 Forensic File Search has access to metadata on email attachments that are detected by the policies you have set up in the Microsoft Office 365 Security & Compliance Center. Learn more about what Code42 monitors.
- Forensic File Search monitors only email attachments; email message content is not accessed, monitored, or changed.
- Forensic File Search records one file event per attachment that is detected by a data loss prevention policy. If an email includes multiple attachments that match a policy, each attachment is recorded as an event.
- You must be licensed for Code42 Forensic File Search. If your license expires, the Office 365 email data source is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM). If you're not sure how to reach your CSM, email firstname.lastname@example.org.
Code42 Forensic File Search temporarily streams files from your data source to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.
Code42 never stores file contents or writes them to disk during this process.
Before you begin
Before adding Office 365 email as a data source:
- In Code42, configure Forensic File Search.
- Use the Microsoft Office 365 Security & Compliance Center to configure data loss prevention policies that monitor email attachments.
Configure data loss prevention policies
Microsoft allows you to configure data loss prevention policies either in the Exchange Admin Center or in the Microsoft Office 365 Security & Compliance Center. Currently, Code42 Forensic File Search can access attachment information only when an email attachment matches the rules in a policy configured in the Microsoft Office 365 Security & Compliance Center.
Configure and test data loss prevention policies in the Microsoft Office 365 Security & Compliance Center before adding Office 365 email as a data source in Code42.
- Sign in to the Microsoft Office 365 Security & Compliance Center using your Office 365 administrator credentials.
- Go to Data loss prevention > Policy to set up or view your organization's data loss prevention policies.
- If needed, edit the appropriate policies to select Exchange email as one of the Locations monitored by the policy.
To enforce the policy on email attachments, Exchange email must be selected as one of the locations monitored by that policy.
- Test and enable the policy.
Data loss prevention policies with the "On" status or any "Test" status generate events in Code42 Forensic File Search.
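The two conditions above (Exchange email selected as a location, and an "On" or "Test" status) can also be checked from Security & Compliance PowerShell. The following is an added example, not part of the original Code42 article. It assumes the ExchangeOnlineManagement module is installed, uses a placeholder administrator account, and assumes the Mode values Enable, TestWithNotifications and TestWithoutNotifications correspond to the "On" and "Test" statuses shown in the portal.

```powershell
# Added example: audit DLP policies against the conditions listed in this article.
# Requires the ExchangeOnlineManagement module. The account below is a placeholder.
Import-Module ExchangeOnlineManagement
Connect-IPPSSession -UserPrincipalName 'admin@example.com'

# Assumption: these Mode values correspond to the "On" and "Test" portal statuses.
$activeModes = 'Enable', 'TestWithNotifications', 'TestWithoutNotifications'

# Get-DlpCompliancePolicy returns policies defined in the Security & Compliance
# Center, which is the only policy source this article says Code42 can read.
$report = foreach ($policy in Get-DlpCompliancePolicy) {
    # Filter out null/empty entries so an unset location counts as zero.
    $exchangeScoped = @($policy.ExchangeLocation | Where-Object { $_ }).Count -gt 0
    $modeActive     = $activeModes -contains [string]$policy.Mode

    $reason = @()
    if (-not $exchangeScoped) { $reason += 'Exchange email is not a monitored location' }
    if (-not $modeActive)     { $reason += "mode '$($policy.Mode)' is neither On nor Test" }

    [pscustomobject]@{
        Policy          = $policy.Name
        Mode            = [string]$policy.Mode
        ExchangeScoped  = $exchangeScoped
        GeneratesEvents = $exchangeScoped -and $modeActive
        Reason          = $reason -join '; '
    }
}

# Policies that cannot generate events sort first, with the reason shown.
$report | Sort-Object GeneratesEvents, Policy | Format-Table -AutoSize -Wrap

if (-not ($report | Where-Object GeneratesEvents)) {
    Write-Warning 'No policy is both scoped to Exchange email and in On or Test mode.'
}

Disconnect-ExchangeOnline -Confirm:$false
```

A policy listed with GeneratesEvents set to False explains why attachments it would otherwise match never appear as file events.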
Add Office 365 email
- Sign in to the administration console.
- Select Investigation > Data Sources.
- Click Add Data Source.
The Add Data Source dialog displays.
- From Data Source, select Microsoft Office 365 DLP under Email Services.
- Enter a display name. This name must be unique.
- Click Authorize.
The Microsoft Office 365 sign in screen appears.
- Enter your Microsoft Office 365 administrator credentials.
- Review the terms and agreements, including the requested Office 365 email permissions, and click Accept.
Microsoft Office 365 DLP is added as an email data source for Forensic File Search.
The next time a data loss prevention policy in the Microsoft Office 365 Security & Compliance Center detects an emailed attachment, information about that file is recorded as an event in Forensic File Search. For details, see Office 365 attachment metadata below.
Office 365 attachment metadata
Once you complete authorization, information about email attachments becomes available in Code42 Forensic File Search. When an attachment that matches a data loss prevention policy in the Microsoft Office 365 Security & Compliance Center is detected, information about that attachment is sent to Forensic File Search. This attachment information includes the following:
- Hash, when available
- Data loss prevention policy that the attachment matched
- Email address of the sender and recipients
Email attachment information typically becomes available in Forensic File Search within 30 minutes, but may take longer in some cases.
The Date Observed field for the event in Forensic File Search records the date and time the attachment was emailed through Microsoft Office 365, not when the file event appeared in Code42.
Office 365 email permissions
When a user emails an attachment that is detected by a rule in the data loss prevention policies your organization has set up in Microsoft Office 365 Security & Compliance Center, Forensic File Search collects information about the attached file, the policy that the attachment matched, and the sender and recipients for the email.
To see this file activity, Code42 requires access to your Office 365 email environment. The Office 365 email permissions we request are:
This set of permissions means Code42 has read-only access to metadata for emails, attached files, users, and the data loss prevention activity feed (applicable to Microsoft Office 365 only) within that email data source. In other words, Code42 cannot make changes to the emails, data, or users in your email environment. In addition, Forensic File Search does not monitor the contents of those files, and does not back up files in the email data source.
No file events in Forensic File Search
If file events aren't appearing for email attachments in Forensic File Search, verify that:
- Data loss prevention policies for Exchange email are configured in the Microsoft Office 365 Security & Compliance Center.
Forensic File Search can only monitor email attachments when those attachments match rules in policies configured in the Microsoft Office 365 Security & Compliance Center. You can also set up data loss prevention policies in the Exchange admin center, but file information about attachments that match these policies is not available in Forensic File Search.
- The policies set up in the Microsoft Office 365 Security & Compliance Center have been tested and are preventing attachments that match those rules from being emailed.
If no attachments match those policies, no file events are recorded in Forensic File Search. Use the log files generated by the Microsoft Office 365 Security & Compliance Center to determine whether attachments are being stopped as intended. Remember that each attachment that matches those policies is recorded as its own file event in Forensic File Search. Multiple attachments to a single email can result in multiple file events.
- The Microsoft Office 365 DLP data source has not been deauthorized in Code42.
Deauthorizing a data source in Code42 prevents Forensic File Search from accessing or displaying that data. If needed, reauthorize the data source to resume access to email attachment information. If the Code42 Email Services connection no longer exists in your Microsoft Office 365 environment, you need to re-add Microsoft Office 365 DLP as an email data source for Code42.
Data source is already registered or the email address is not valid
You can authorize a Microsoft 365 account in Code42 only once as a cloud service data source (to monitor file movement in OneDrive locations) and once as an email service data source (to monitor file attachments sent outside your company).
When you attempt to register the same Microsoft 365 account for multiple cloud or email services, the following message appears: “This data source has already been registered or the email address is not valid for this domain.” This message appears when you attempt to register the same account:
- For more than one cloud or email service in the same Code42 environment.
- In a second Code42 environment after first registering that account in a different Code42 environment.
To resolve the issue:
- Verify the Code42 environment with which the Microsoft 365 account has been registered. To register the Microsoft 365 account with a different Code42 environment, first deauthorize it in the Code42 environment where it is currently registered.
- Verify that the account has been added only once as a cloud service or only once as an email service.
- Consider creating another Microsoft 365 account for the data you want to monitor using a new email address under a different domain. You can add multiple unique Microsoft 365 accounts as Code42 data sources as long as the accounts are not associated in any way.