Mar 08 2021 01:34 AM
Hi,
With MCAS (by file policy or by Conditional Access App Control), would it be possible to act on single file if specific file property matches search criteria? E.g. if any value in multivalued property "Tags" in Office file matches "testtag01" or if any value in multivalued property "Keywords" in PDF file matches "testtag01". I've tried with O365 DLP, but with traditional Office 365 DLP issue is that those properties are not indexed in SharePoint search index by default and therefore DLP wont detect those.
Mar 08 2021 05:44 AM - edited Mar 08 2021 05:46 AM
@Petri Helin I think you'll probably need an Activity Policy for this. You can create an Activity Policy to match anything in the "Activity Object" field of the Activity Log entry. If the specific property you're interested in auditing isn't listed there, you can create a Service Ticket with Support to add any of the "Raw Data" fields we pull from O365. But it sounds like the specific property you're after isn't audited at all by SPO so I doubt you will find it in the Raw Data field of the Activity Log entry. I think you'll want to petition SPO to start auditing for the API Object and then MCAS to start calling for it - but I'm not entirely sure, frankly. Definitely wouldn't be a Session Policy (CAAC) and I couldn't find anything seemingly relevant for a File Policy.
Mar 08 2021 10:46 PM
Mar 09 2021 05:45 AM
@Petri Helin - you can filter by properties of the file. For example, you can create a File Policy that matches a file that's externally shared, when it was last modified, the mime type, file type, file name, etc. You can even filter by labels.
Does this answer your question?
Mar 09 2021 05:49 AM