
Guidance needed about monitoring OneDrive traffic

Hello everyone!!!

We have been asked to provide reports about flow data usage by the Microsoft OneDrive application. I checked the Microsoft URL shown below, seeking clarification:

https://support.office.com/en-us/article/Required-URLs-and-ports-for-OneDrive-ce15d2cc-52ef-42cd-b738-d9c6f9b03f3a

Unfortunately, the Microsoft article did not shed much light on this. So, I am hoping that some in this forum have faced the same (or similar) question and can share their insights on how we can accomplish this. Many thanks!!!

  • You'll have to let me know if you get a good answer, I am looking for the same thing.

  • I would look for the destinations listed there from your flows. Once you figure out which you are talking to, you can filter on all the traffic going to and from that endpoint.

  • Hi all,

    I did some quick analysis of the OneDrive traffic. From an IP lookup point of view, all of the IP addresses are registered to Microsoft, so you may not be able to definitely say it was OneDrive activity using IP lookup alone. I used our own LANGuardian system to do this analysis, but you may be able to use some of the detail to set up reports on your own system.

    [Attached image: Protocols.JPG]

    First up, all of the traffic is encrypted; ignore the HTTP bit, as that was me browsing other sites.

    [Attached image: Domains.JPG]

    Drilling down on the HTTPS traffic revealed that the data was associated with the live.com domain.

    [Attached image: onedrive.JPG]

    Further analysis shows that this activity is associated with storage subdomains within live.com. LANGuardian captures this by dissecting the server's SSL certificate (which is always required to be presented to the client), and at this point it can extract the server/domain name. By filtering on this subdomain info, it would then be possible to show how much data is associated with OneDrive.

    [Attached image: ip.JPG]

    Finally, looking at the GeoIP data, I can see that the IP addresses are registered in the US. Nothing strange there, as I think all of Microsoft's IP blocks are US registered.

  • darragh.delaney is correct; you'll need to build an IP address group and put all of the MS subnets in that address group. You should be able to get the IP addresses from Microsoft for your company. They will balk and tell you the addresses will change, but stick with it. You'll probably get a fairly large address range. Use port 443 and the address group to identify the OneDrive traffic. We're globally distributed, and all of the address groups for OneDrive come back to the US, and so far we've not seen any deviation from those IP address groups for our business. The address ranges will be fairly large (at least they are for us), and of course there's the possibility that some of the traffic going to those ranges may not be specifically OneDrive, but it's better than nothing. Works for us, and so far they haven't changed the addresses after a year and a half.
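The two approaches in the thread (matching the server name pulled from the TLS certificate or SNI against the storage subdomains under live.com, or falling back to a Microsoft address group plus port 443) can be combined into one flow classifier. The script below is an added example written for this thread, not code from any of the posters or from LANGuardian. It assumes a flow export that carries the destination IP, destination port, byte count, and (when the sensor could recover it) the TLS server name; the storage hostname suffix, the subnets, and the flow records are all constructed placeholders, not real Microsoft ranges.

```python
import ipaddress
from collections import defaultdict

# Placeholder subnets standing in for the address group a team would build
# from the ranges Microsoft hands over (constructed RFC 5737 test networks,
# NOT real Microsoft ranges).
ONEDRIVE_SUBNETS = [ipaddress.ip_network(n) for n in ("198.51.100.0/24", "203.0.113.0/24")]

# Assumed hostname suffix for the "storage subdomains within live.com" the
# thread describes; adjust to what your own sensor actually observes.
STORAGE_SUFFIXES = (".storage.live.com",)


def name_is_onedrive(server_name):
    """True when the certificate/SNI name falls under a storage subdomain."""
    if not server_name:
        return False
    name = server_name.lower().rstrip(".")
    return any(name.endswith(suffix) for suffix in STORAGE_SUFFIXES)


def ip_is_onedrive(dst_ip, dst_port):
    """Fallback: HTTPS to an address inside the Microsoft address group."""
    if dst_port != 443:
        return False
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in ONEDRIVE_SUBNETS)


def classify(flow):
    """Return 'name' (certificate/SNI match), 'ip' (address-group match) or None.

    The name match is tried first because it is the more specific signal;
    the IP match is the coarser fallback that can also catch other Microsoft
    services hosted in the same ranges, which is the caveat raised above.
    """
    if name_is_onedrive(flow.get("server_name")):
        return "name"
    if ip_is_onedrive(flow["dst_ip"], flow["dst_port"]):
        return "ip"
    return None


def summarize(flows):
    """Total bytes per classification method, plus bytes per matched hostname."""
    totals = {"name": 0, "ip": 0, "other": 0}
    per_host = defaultdict(int)
    for flow in flows:
        method = classify(flow)
        totals[method or "other"] += flow["bytes"]
        if method == "name":
            per_host[flow["server_name"].lower()] += flow["bytes"]
    return totals, dict(per_host)


# Constructed sample flows (hostnames and addresses are placeholders).
SAMPLE_FLOWS = [
    # Storage subdomain seen in the certificate: counted by name.
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.10", "dst_port": 443,
     "bytes": 500000, "server_name": "abc123.storage.live.com"},
    # Another live.com host in the same range but not storage: only the IP
    # fallback catches it, illustrating the over-counting caveat.
    {"src_ip": "10.0.0.5", "dst_ip": "198.51.100.11", "dst_port": 443,
     "bytes": 2000, "server_name": "login.live.com"},
    # No server name recovered, but HTTPS into the address group.
    {"src_ip": "10.0.0.7", "dst_ip": "203.0.113.7", "dst_port": 443,
     "bytes": 30000, "server_name": None},
    # Unrelated destination outside the group.
    {"src_ip": "10.0.0.7", "dst_ip": "192.0.2.9", "dst_port": 443,
     "bytes": 1000, "server_name": "example.com"},
    # Inside the group but plain HTTP, so not counted by the port-443 rule.
    {"src_ip": "10.0.0.8", "dst_ip": "198.51.100.12", "dst_port": 80,
     "bytes": 700, "server_name": None},
]


if __name__ == "__main__":
    totals, per_host = summarize(SAMPLE_FLOWS)
    for method, count in totals.items():
        print(f"{method:>5}: {count} bytes")
    for host, count in per_host.items():
        print(f"  {host}: {count} bytes")
```

Reporting the two methods separately, as `summarize` does, makes the gap between them visible: bytes that only the address-group rule caught are the ones that may be other Microsoft services rather than OneDrive. One caveat worth knowing when reusing the certificate-based approach on current traffic: TLS 1.3 encrypts the server certificate, so the hostname has to come from the ClientHello SNI instead.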