Not seeing all data in the Office 365 Securlet regarding exposed and unexposed files.
A document will only show up as exposed once the share link has been accessed. This is how the API traffic displays the share from O365 to CloudSOC.
Files that are public and shared. if a document is shared via a link that can be accessed by anyone, the document will show up as Exposed Content, but only after having the link accessed by the external user. It doesn't show up until it has been accessed.
A user can create public links to files or share files to external addresses and there is no visibility of these exposures until the file is accessed by the emailed recipient for the external share or accessed through the created public link. There is no way to remove, or even know about, these exposures before they are accessed once.
Through the Securlet dashboard, any files that are not exposed and does not contain a keyword that triggers a DLP profile will not be visible in any way to Symantec admins. Only files that have been exposed (accessed by the outside) or have a potential to expose DLP profile data are visible.
For O365, if a user performs an action against a file, (share, upload, etc.) it can take up to 6 hours for that to be reflected in the Securlet, although the action should be seen in Investigate in minutes. This means if we have a policy to remove public exposures, a link can be created and emailed out, and the file accessed until the Securelet becomes aware, scans it and applies applicable policy.
Subscribing will provide email updates when this Article is updated. Login is required.