Forum Discussion
What is "Microsoft SharePoint Online and OneDrive for Business Infra Endpoints" in Cloud Apps
Hi all!
I have a Cloud Apps "Cloud Discovery anomaly detection policy" active, which alerts on data exfiltration to an app that is not sanctioned. This helps me understand when a user tries to upload more than x GB of data.
I have an alert for the cloud app "Microsoft SharePoint Online and OneDrive for Business Infra Endpoints".
What is this app and what is the difference to the "normal" Microsoft OneDrive for Business?
Thanks in advance for any hint!
Regards,
Adii
7 Replies
- BarryGoblon (Iron Contributor)
adiii Adii, the “Infra Endpoints” app covers networking architecture that enables large OneDrive/SharePoint transfers behind the scenes. So big uploads can trigger alerts there instead of the SharePoint/OneDrive apps, diminishing visibility for incident response.
I agree having distinct front-end and back-end apps fragments visibility in a way that hinders monitoring. Please provide that feedback to Microsoft. In the meantime, engage me when Infra Endpoint alerts occur and I can help investigate details through other audit logs. But consolidating apps would help address this responder blind spot.
- GI472 (Brass Contributor)
Hi Barry,
I have this exact same problem, except my alert only has the IP address on a particular day. We have 7 devices that used that IP address on that day, so I am really struggling to find out who sent what to where and when.
Do you have any idea how I can find this out? For context, I have really struggled to investigate these alerts if the end user doesn't recognise the activity, so any tips are greatly appreciated!
- adiii (Brass Contributor)
Hi BarryGoblon - Thanks for the response. Do you know the best way / contact to send that to Microsoft?
- LeonPavesic (Silver Contributor)
Hi adiii,
"Microsoft SharePoint Online and OneDrive for Business Infra Endpoints" combines a set of destination IP addresses, DNS domain names, and URLs essential for Microsoft 365 traffic on the Internet.
These endpoints are vital for establishing connectivity from a user's device to Office 365 and are categorized into four service areas representing three primary workloads and a set of common resources.
The distinction between "Microsoft SharePoint Online and OneDrive for Business Infra Endpoints" and the conventional "Microsoft OneDrive for Business" lies in their intended purpose and functionality:
OneDrive for Business serves as an individual's personal storage in Microsoft's cloud, where confidential documents and files can be stored without being accessible to others in the organization.
SharePoint Online, on the contrary, functions as collaborative cloud storage, suitable for documents intended for group collaboration among colleagues. It offers advanced features such as news posting and enhanced collaboration tools, fostering efficient communication and teamwork on shared projects.
In summary, both OneDrive for Business and SharePoint Online provide storage in Microsoft's cloud, with OneDrive primarily serving personal use and SharePoint serving as a platform for collaborative work.
Office 365 URLs and IP address ranges - Microsoft 365 Enterprise | Microsoft Learn
Microsoft 365 endpoints - Microsoft 365 Enterprise | Microsoft Learn
Please click Mark as Best Response & Like if my post helped you to solve your issue.
This will help others to find the correct solution easily. It also closes the item.
If the post was useful in other ways, please consider giving it Like.
Kindest regards,
Leon Pavesic
(LinkedIn)
- adiii (Brass Contributor)
Hi Leon
Thanks for your response. I still do not understand the behaviour of the alert from Cloud Apps and how to respond to it. Do you have an example of when "... infra Endpoint" and normal OneDrive / SharePoint is used?
In the meantime I had a discussion with the user and he created large VM disk files within his Documents folder, which is synced to OneDrive. I do not understand why the alert comes up in the app "Microsoft SharePoint Online and OneDrive for Business Infra Endpoints" and not in conventional OneDrive / SharePoint.
Any ideas? Thanks a lot, appreciate your time!
Regards,
Adii
- LeonPavesic (Silver Contributor)
Hi adiii,
The reason the alert appears in the app "Microsoft SharePoint Online and OneDrive for Business Infra Endpoints" instead of the conventional OneDrive/SharePoint is connected to specific network traffic patterns associated with the upload.
The "Infra Endpoints" can be involved in handling such large data transfers, so it triggers the alert.
Kindest regards,
Leon Pavesic
(LinkedIn)
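
An added triage example, not code from any poster in this thread or from Microsoft: it takes the description above of the endpoint list as IP ranges, domains and URLs grouped by service area, and totals uploaded bytes per device and service area from proxy or firewall rows. The endpoint entries, field names (`serviceArea`, `urls`, `ips`), device names and log rows are constructed placeholders and assumptions; load the published list and your own logs in their place.

```python
import ipaddress
from fnmatch import fnmatch

# Constructed sample shaped like an endpoint list (service area, URL
# patterns, CIDR ranges). Values are placeholders, not real ranges.
SAMPLE_ENDPOINTS = [
    {"id": 1, "serviceArea": "SharePoint",
     "urls": ["*.sharepoint.example"],
     "ips": ["192.0.2.0/24", "2001:db8:1::/48"]},
    {"id": 2, "serviceArea": "Exchange",
     "urls": ["mail.example"], "ips": ["198.51.100.0/24"]},
    {"id": 3, "serviceArea": "Common", "urls": ["*.cdn.example"]},  # URL-only
]

def classify(dest, endpoints=SAMPLE_ENDPOINTS):
    """Return the sorted service areas whose ranges or URL patterns cover dest."""
    areas = set()
    try:
        addr = ipaddress.ip_address(dest)
    except ValueError:
        addr = None  # not an IP literal, treat as a hostname
    for entry in endpoints:
        if addr is not None:
            for cidr in entry.get("ips", []):
                net = ipaddress.ip_network(cidr, strict=False)
                if net.version == addr.version and addr in net:
                    areas.add(entry["serviceArea"])
        else:
            host = dest.lower().rstrip(".")
            if any(fnmatch(host, p.lower()) for p in entry.get("urls", [])):
                areas.add(entry["serviceArea"])
    return sorted(areas)

def triage(rows, endpoints=SAMPLE_ENDPOINTS):
    """Sum uploaded bytes per (device, service area) from log rows.

    rows: iterable of (device, destination, bytes_sent); hypothetical layout.
    Destinations outside every listed range are grouped as "unlisted".
    """
    totals = {}
    for device, dest, sent in rows:
        for area in classify(dest, endpoints) or ["unlisted"]:
            key = (device, area)
            totals[key] = totals.get(key, 0) + sent
    return totals
```

When several devices share the source IP named in an alert, sorting the `triage` totals by bytes shows which device accounts for the volume and whether it went to a listed range.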