darragh.delaney is correct; you'll need to build an IP Address group and put all of the MS Subnets in that address group. You should be able to get the IP addresses from Microsoft for your company. They will balk, and tell you the addresses will change, but stick with it. You'll probably get a fairly large address range. Use port 443 and the address group to identify the OneDrive traffic. We're globally distributed, and all of the address groups for OneDrive come back to the US, and so far we've not seen any deviation from those IP address groups for our business. The address ranges will be fairly large (at least they are for us), and of course there's the possibility that some of the traffic going to those ranges may not be specifically OneDrive, but it's better than nothing. Works for us, and so far they haven't changed the addresses after a year and a half.
I did some quick analysis of the one drive traffic. From an IP lookup point of view all of the IP addresses are registered to Microsoft so you may not be able to definitely say it was Onedrive activity using IP look up alone. I used our own LANGuardian system to do this analysis but you may be able to use some of the detail to setup reports on your own system.
First up all of the traffic is encrypted, ignore the HTTP bit as that was me browsing other sites.
Drilling down on the HTTPS traffic it revealed that the data was associated with the live.com domain.
Further analysis shows that this activity is associated with storage sub domains within live.com. LANGuardian captures this by dissecting the server's SSL certificate (which is always required to be presented to the client) and at this point it can extract the server\domain name. By filtering on this sub domain info it would then be possible to show how much data is associated with Onedrive
Finally, looking at the GeoIP data I can see that the IP addresses are registered in the US. Nothing strange there as I think all of Microsofts IP blocks are US registered.
SolarWinds solutions are rooted in our deep connection to our user base in the THWACK® online community. More than 150,000 members are here to solve problems, share technology and best practices, and directly contribute to our product development process. Learn more today by joining now.