Differentiate Between Business and Personal Sync Folders

When files are copied/moved to local sync folders, the Agent can extract attributes of local sync folders. From these attributes, it is possible to differentiate between exfiltration to business or personal sync folders.

The Agent detects attributes of local sync folders (Files/Resources > Attributes) when Web File Sync activity occurs. Because each type of sync folder exposes different attributes, the Sync General Identifier attribute was developed; it contains the most important attribute for identifying any supported sync folder.

Currently only OneDrive is supported.

From version 3.1.0.x, these attributes are supported for prevention rules for Mac Agents for One Drive only. You can now set a prevention rule using these attributes.

The table shows some attributes included in the Attributes field for One Drive with examples.

Attribute                   Example
Sync Account Kind           Personal
Sync Login ID               20d8b0d170b829f6
Sync Login EMail            mickey4work@gmail.com
Sync Login EMail Domain     gmail.com
Sync General Identifier     gmail.com

Prevention Rule Example: Blocking Non-Business Activity at Proofpoint

This is an example of creating a rule using the Device/Sync Folder field to identify Web File Sync for personal use at Proofpoint. If the Identifier does not detect proofpoint.com then the file movement was probably personal.

  1. From Proofpoint Data Security & Posture, select the Administration app. Select Endpoints > Prevention Rules.

  2. Click New Rule and, from the Prevention Rule area, click Create Rule.

  3. In the General tab, complete the Name field and Description (optional) field.

  4. Click Next to continue.

  5. In the Activity and Action tab, in the Activity area, select Cloud Sync Folder from the list. Click Next.

  6. In the Action area, select Block.

  7. In the Settings tab, in the If section, Cloud Sync Folder displays as the Protocol.

  8. Add One Drive as the sync product. Select Select Field and from the list of fields, select Devices > Sync Product Name. Select One Drive as the Value and set the operator to In. Click Add Row.

  9. Add Proofpoint as the Sync General Identifier, which contains the important attribute that identifies Proofpoint in One Drive. Select Select Field and from the list of fields, select Devices > Attributes. Select Sync General Identifier:proofpoint.com as the Value and set the operator to Not In.

  10. In the Then area, select Block.

  11. From the Agent Policies, select the Agent Policies. Click Save.

    Activity to any One Drive sync folder other than Proofpoint is blocked.

Exploration Example: Review Non-Business Activity at Proofpoint

This is an example of identifying non-business web sync folders in an Exploration.

  1. From Proofpoint Data Security & Posture, select the Analytics app. From the left-side menu, select Activity > Explorations. Click the New Exploration button.

    Your new exploration opens and you see the source node. You can see and change the details as needed.

  2. To select Web File Sync activity, click + and configure the next node. From Filter by, select Activity > Primary Category > Web File Sync. Click Done.

  3. To see all activity on One Drive, click + and configure the next node. From Filter by, select Devices > Sync Product Name > One Drive. Click Done.

  4. To see all non-Proofpoint activity, click + and configure the next node. From Filter by, select Devices > Attributes > Sync General Identifier:proofpoint, inc. Make sure to select Excludes from the operators. Click Done.

    All Web file sync activity not to Proofpoint displays.
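
The two conditions of the prevention rule above, which the exploration filters mirror, modelled offline as an added example; this is not Proofpoint code. The record layout, the "Name:Value" attribute strings, the ExampleSync product name and the treatment of a missing identifier as non-business are assumptions, and the sample events are constructed.

```python
# Added example: offline model of the rule's two conditions, not product code.
# Assumed record layout: a dict with "sync_product" and a list of "Name:Value" strings.

BUSINESS_IDENTIFIERS = {"proofpoint.com"}  # identifier value used in the rule on this page
SYNC_PRODUCTS = {"One Drive"}              # the only supported sync product per this page


def parse_attributes(pairs):
    """Turn 'Name:Value' strings into a dict, splitting on the first colon only."""
    attrs = {}
    for pair in pairs:
        name, sep, value = pair.partition(":")
        if sep:  # skip strings that carry no value
            attrs[name.strip()] = value.strip()
    return attrs


def verdict(event):
    """Return 'block' when both rule conditions match, otherwise 'allow'."""
    # Condition 1: Sync Product Name In One Drive
    if event.get("sync_product") not in SYNC_PRODUCTS:
        return "allow"
    attrs = parse_attributes(event.get("attributes", []))
    ident = attrs.get("Sync General Identifier", "").lower()
    # Condition 2: Sync General Identifier Not In the business set.
    # Assumption: an event with no identifier at all also counts as non-business.
    return "allow" if ident in BUSINESS_IDENTIFIERS else "block"


# Constructed sample events; the first reuses the attribute values from the table.
EVENTS = [
    {"file": "roadmap.xlsx", "sync_product": "One Drive",
     "attributes": ["Sync Account Kind:Personal",
                    "Sync Login EMail:mickey4work@gmail.com",
                    "Sync General Identifier:gmail.com"]},
    {"file": "q3-plan.docx", "sync_product": "One Drive",
     "attributes": ["Sync General Identifier:Proofpoint.com"]},
    {"file": "notes.txt", "sync_product": "One Drive", "attributes": []},
    {"file": "draft.pdf", "sync_product": "ExampleSync",  # hypothetical product
     "attributes": ["Sync General Identifier:gmail.com"]},
]


def triage(events):
    """Pair each file with the verdict the modelled rule would give it."""
    return [(e["file"], verdict(e)) for e in events]
```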