To help protect you from data loss, you can use Code42 to investigate attachments sent through users' Microsoft Office 365 Outlook email accounts that are detected by data loss prevention policies set up in Microsoft Office 365.
You can set up data loss prevention policies in the Microsoft Office 365 Security & Compliance Center that identify when a user emails an attachment that matches those rules. When you add Microsoft Office 365 DLP as an email service data connection for Code42, information about those attachments becomes available in Forensic Search for investigation.
This article explains how to add Microsoft Office 365 DLP email as a data connection.
The following considerations apply to the Microsoft Office 365 DLP connection. See also the considerations applicable to all email services.
- Your organization's Microsoft Office 365 license must include access to the Security & Compliance Center to set up data loss prevention policies for email attachments. Those data loss prevention policies must be configured and tested before adding Office 365 email as a data connection in Code42.
- Code42 records one file event per attachment that is detected by a data loss prevention policy. If an email includes multiple attachments that match a policy, each attachment is recorded as an event.
Before you begin: Configure data loss prevention policies
Microsoft allows you to configure data loss prevention policies either in the Exchange Admin Center or in the Microsoft Office 365 Security & Compliance Center. Currently, Code42 can access attachment information only when an email attachment matches the rules in a policy configured in the Microsoft Office 365 Security & Compliance Center.
Configure and test data loss prevention policies in the Microsoft Office 365 Security & Compliance Center before adding Office 365 email as a data connection in Code42.
- Sign in to the Microsoft Office 365 Security & Compliance Center using your Office 365 administrator credentials.
- Go to Data loss prevention > Policy to set up or view your organization's data loss prevention policies.
- If needed, edit the appropriate policies to select Exchange email as one of the Locations monitored by the policy.
To enforce the policy on email attachments, Exchange email must be selected as one of the locations monitored by that policy.
- Test and enable the policy.
Data loss prevention policies with the "On" status or any "Test" status generate events in Code42.
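The two prerequisites above (Exchange email selected as a location, and a policy status of On or Test) can also be checked from Security & Compliance PowerShell. The following is an added example, not part of the Code42 documentation: the function name Test-DlpPolicyForEmailEvents and the sample policies are hypothetical, and it assumes the On and Test statuses correspond to the Mode values Enable, TestWithNotifications, and TestWithoutNotifications reported by Get-DlpCompliancePolicy.

```powershell
# Added example: flags DLP policies that would not generate Code42 file events.
# Test-DlpPolicyForEmailEvents is a hypothetical helper, not a Microsoft or Code42 cmdlet.
function Test-DlpPolicyForEmailEvents {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Policy
    )
    process {
        # Assumption: "On" is Mode=Enable; the "Test" statuses are the TestWith* modes.
        $activeModes = 'Enable', 'TestWithNotifications', 'TestWithoutNotifications'

        # Drop null/empty entries so a policy with no Exchange location counts as zero.
        $exchange = @($Policy.ExchangeLocation | Where-Object { $_ })
        $coversExchange = $exchange.Count -gt 0
        $modeActive = $activeModes -contains [string]$Policy.Mode

        $blocker = if (-not $coversExchange) {
            'Exchange email is not a monitored location'
        } elseif (-not $modeActive) {
            "Policy mode is $($Policy.Mode)"
        } else {
            'None'
        }

        [pscustomobject]@{
            Policy          = $Policy.Name
            Mode            = $Policy.Mode
            CoversExchange  = $coversExchange
            GeneratesEvents = $coversExchange -and $modeActive
            Blocker         = $blocker
        }
    }
}

# Constructed sample policies so the check runs without a tenant connection.
$sample = @(
    [pscustomobject]@{ Name = 'Finance data';    Mode = 'Enable';                   ExchangeLocation = @('All') }
    [pscustomobject]@{ Name = 'PII pilot';       Mode = 'TestWithoutNotifications'; ExchangeLocation = @('All') }
    [pscustomobject]@{ Name = 'SharePoint only'; Mode = 'Enable';                   ExchangeLocation = @() }
    [pscustomobject]@{ Name = 'Retired';         Mode = 'Disable';                  ExchangeLocation = @('All') }
)
$sample | Test-DlpPolicyForEmailEvents | Format-Table -AutoSize

# Against a live tenant (requires the ExchangeOnlineManagement module and admin rights):
#   Connect-IPPSSession
#   Get-DlpCompliancePolicy | Test-DlpPolicyForEmailEvents | Format-Table -AutoSize
```

With the constructed samples, the first two policies report GeneratesEvents as True; the other two report False with the blocking condition in the Blocker column.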
Connect to Microsoft Office 365 DLP email
- Sign in to the Code42 console.
- Select Administration > Integrations > Data Connections.
- Click Add Data Connection.
The Add Data Connection dialog displays.
- From Data Connection, select Microsoft Office 365 DLP under Email Services.
- Enter a display name. This name must be unique.
- Click Authorize.
The Microsoft Office 365 sign-in screen appears.
- Enter your Microsoft Office 365 administrator credentials.
- Review the terms and agreements, including the requested Office 365 email permissions, and click Accept.
Microsoft Office 365 DLP is added as an email data connection.
The next time a user emails an attachment that is detected by a data loss prevention policy in the Microsoft Office 365 Security & Compliance Center, Code42 records information about that file as an event. For details, see Attachment metadata below.
Once you complete authorization, information about email attachments becomes available in Code42 Forensic Search. When an attachment that matches a data loss prevention policy in the Microsoft Office 365 Security & Compliance Center is detected, information about that attachment is sent to Code42. This attachment information includes the following:
- Hash, when available
- Data loss prevention policy that the attachment matched
- Email address of the sender and recipients
Email attachment information typically becomes available in Forensic Search results within 30 minutes, but may take longer in some cases.
The Date Observed for the event indicates the date and time the attachment was emailed through Microsoft Office 365, not when the file event appeared in Code42.
When a user emails an attachment that is detected by a rule in the data loss prevention policies your organization has set up in Microsoft Office 365 Security & Compliance Center, Code42 collects information about the attached file, the policy that the attachment matched, and the sender and recipients for the email.
To see this file activity, Code42 requires access to your Office 365 email environment. The Office 365 email permissions we request are:
This set of permissions means Code42 has read-only access to metadata for emails, attached files, users, and the data loss prevention activity feed (applicable to the Microsoft Office 365 DLP connection only) within that email service. In other words, Code42 cannot make changes to the emails, data, or users in your email environment. In addition, Code42 does not monitor the contents of those files, and does not back up files in the email service.
No file events in Forensic Search
If file events aren't appearing for email attachments in Forensic Search, verify that:
Data loss prevention policies for Exchange email are configured in the Microsoft Office 365 Security & Compliance Center.
Code42 can only monitor email attachments when those attachments match rules in policies configured in the Microsoft Office 365 Security & Compliance Center. You can also set up data loss prevention policies in the Exchange admin center, but file information about attachments that match these policies is not available in Forensic Search.
The policies set up in the Microsoft Office 365 Security & Compliance Center have been tested and are preventing attachments that match those rules from being emailed.
If no attachments match those policies, no file events are recorded by Code42. Use the log files generated by the Microsoft Office 365 Security & Compliance Center to determine whether attachments are being stopped as intended. Remember that each attachment that matches those policies is recorded as its own file event in Forensic Search. Multiple attachments to a single email can result in multiple file events.
The Microsoft Office 365 DLP email service has not been deauthorized in Code42.
Deauthorizing an email service in Code42 prevents Forensic Search from accessing or displaying that data. If needed, resume monitoring the email service to resume access to email attachment information. If the Code42 Email Services connection no longer exists in your Microsoft Office 365 environment, you need to re-add Microsoft Office 365 DLP as an email data connection for Code42.
Data connection is already registered or the email address is not valid
You can authorize a Microsoft 365 account in Code42 only once as a cloud service (to monitor file movement in OneDrive Drive locations) and once as an email service (to monitor file attachments sent outside your company).
When you attempt to register the same Microsoft 365 account for multiple cloud or email services, the following message appears: “This data connection has already been registered or the email address is not valid for this domain.” This message appears when you attempt to register the same account:
- For more than one cloud or email service in the same Code42 environment.
- In a second Code42 environment after first registering that account in a different Code42 environment.
To resolve the issue:
- Verify the Code42 environment with which the Microsoft 365 account has been registered. To register the Microsoft 365 account with a different Code42 environment, first deauthorize it in the Code42 environment where it is currently registered.
- Verify that the account has been added only once as a cloud service or only once as an email service.
- Consider creating another Microsoft 365 account for the data you want to monitor using a new email address under a different domain. You can add multiple unique Microsoft 365 accounts as Code42 data connections as long as the accounts are not associated in any way.