4 Replies Latest reply on Feb 2, 2017 10:16 AM by scubadvr

    Guidance needed about monitoring OneDrive traffic

    mr.e

      Hello everyone!!!

      We have been asked to provide reports about flow data usage by the Microsoft OneDrive application. I checked the Microsoft URL shown below, seeking clarification:

      https://support.office.com/en-us/article/Required-URLs-and-ports-for-OneDrive-ce15d2cc-52ef-42cd-b738-d9c6f9b03f3a

      Unfortunately, the Microsoft article did not shed much light on this. So, I am hoping that some in this forum have faced the same (or similar) question and can share their insights on how we can accomplish this. Many thanks!!! 


        • Re: Guidance needed about monitoring OneDrive traffic
          jeremymayfield

          You'll have to let me know if you get a good answer, I am looking for the same thing.

          • Re: Guidance needed about monitoring OneDrive traffic
            ecklerwr1

            I would look for the destinations listed there from your flows. Once you figure out which you are talking to, you can filter on all the traffic going to and from that endpoint.

            • Re: Guidance needed about monitoring OneDrive traffic
              darragh.delaney

              Hi all,

              I did some quick analysis of the OneDrive traffic. From an IP lookup point of view, all of the IP addresses are registered to Microsoft, so you may not be able to definitely say it was OneDrive activity using IP lookup alone. I used our own LANGuardian system to do this analysis, but you may be able to use some of the detail to set up reports on your own system.

              [Screenshot: Protocols.JPG]

              First up, all of the traffic is encrypted; ignore the HTTP bit as that was me browsing other sites.

              [Screenshot: Domains.JPG]

              Drilling down on the HTTPS traffic revealed that the data was associated with the live.com domain.

              [Screenshot: onedrive.JPG]

              Further analysis shows that this activity is associated with storage sub-domains within live.com. LANGuardian captures this by dissecting the server's SSL certificate (which is always required to be presented to the client), and at this point it can extract the server/domain name. By filtering on this sub-domain info it would then be possible to show how much data is associated with OneDrive.

              [Screenshot: ip.JPG]

              Finally, looking at the GeoIP data I can see that the IP addresses are registered in the US. Nothing strange there, as I think all of Microsoft's IP blocks are US registered.

              • Re: Guidance needed about monitoring OneDrive traffic
                scubadvr

                darragh.delaney is correct; you'll need to build an IP address group and put all of the MS subnets in that address group. You should be able to get the IP addresses from Microsoft for your company. They will balk, and tell you the addresses will change, but stick with it. You'll probably get a fairly large address range. Use port 443 and the address group to identify the OneDrive traffic. We're globally distributed, and all of the address groups for OneDrive come back to the US, and so far we've not seen any deviation from those IP address groups for our business. The address ranges will be fairly large (at least they are for us), and of course there's the possibility that some of the traffic going to those ranges may not be specifically OneDrive, but it's better than nothing. Works for us, and so far they haven't changed the addresses after a year and a half.
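The two approaches in this thread (darragh.delaney's server-name match on storage sub-domains of live.com, and scubadvr's port 443 plus Microsoft address-group match) can be combined in one report so that name-confirmed bytes are kept separate from IP-only bytes. The following is an added example, not code from the thread, from LANGuardian or from SolarWinds. It assumes flow records already carry a `server_name` field taken from the TLS ClientHello SNI or the server certificate when the sensor saw it; the address group uses RFC 5737 documentation prefixes as placeholders for the Microsoft ranges a customer would obtain, and the `storage.live.com` suffix is an assumption drawn from the "storage sub-domains within live.com" observation above.

```python
# Added example (not from the thread, LANGuardian or SolarWinds): classify
# constructed flow records as OneDrive traffic using the two signals the thread
# describes, and total bytes per signal.
import ipaddress
from collections import defaultdict

# Assumption: the address group holds the Microsoft ranges obtained from Microsoft.
# These are RFC 5737 documentation prefixes used as placeholders, not real ranges.
MS_ADDRESS_GROUP = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/24"),
]

# Assumption: OneDrive storage hosts appear as "storage" sub-domains of live.com.
STORAGE_NAME_SUFFIXES = ("storage.live.com",)


def in_address_group(ip, group=MS_ADDRESS_GROUP):
    """True if the destination address falls inside any prefix of the group."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in group)


def is_storage_host(server_name, suffixes=STORAGE_NAME_SUFFIXES):
    """True if the TLS server name (SNI or certificate subject) is a storage host."""
    if not server_name:
        return False
    name = server_name.lower().rstrip(".")
    # Exact match or a proper sub-domain; "notstorage.live.com" must not match.
    return any(name == s or name.endswith("." + s) for s in suffixes)


def classify_flow(flow):
    """Label a flow by the strongest available OneDrive signal.

    'onedrive-by-name': server name identifies a storage host (most specific).
    'onedrive-by-ip'  : port 443 to the Microsoft address group, with the name
                        unknown or not a storage host (the IP-only approach; may
                        overcount, as the thread notes).
    'other'           : neither signal matched.
    """
    if is_storage_host(flow.get("server_name")):
        return "onedrive-by-name"
    if flow["dst_port"] == 443 and in_address_group(flow["dst_ip"]):
        return "onedrive-by-ip"
    return "other"


def summarize(flows):
    """Sum bytes per label so a report can show name-confirmed vs IP-only totals."""
    totals = defaultdict(int)
    for flow in flows:
        totals[classify_flow(flow)] += flow["bytes"]
    return dict(totals)


# Constructed flow records, not taken from any real capture. server_name is what a
# sensor would pull from the ClientHello SNI or the server certificate, when seen.
SAMPLE_FLOWS = [
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.10", "dst_port": 443,
     "bytes": 1_500_000, "server_name": "files.storage.live.com"},
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.20", "dst_port": 443,
     "bytes": 400_000, "server_name": None},             # in group, name not seen
    {"src_ip": "10.0.0.9", "dst_ip": "198.51.100.5", "dst_port": 443,
     "bytes": 20_000, "server_name": "login.live.com"},  # in group but not storage
    {"src_ip": "10.0.0.9", "dst_ip": "192.0.2.7", "dst_port": 443,
     "bytes": 80_000, "server_name": "example.com"},     # unrelated HTTPS
    {"src_ip": "10.0.0.5", "dst_ip": "203.0.113.30", "dst_port": 80,
     "bytes": 5_000, "server_name": None},               # plain HTTP, ignored
]

if __name__ == "__main__":
    for label, total in sorted(summarize(SAMPLE_FLOWS).items()):
        print(f"{label:18s} {total:>10d} bytes")
```

Keeping the IP-only bucket separate makes the overcount scubadvr mentions visible in the report: the `login.live.com` flow lands in `onedrive-by-ip` because it is inside the Microsoft ranges on port 443, even though its name shows it is not storage traffic. One caveat on the certificate-based extraction described above: under TLS 1.2 the server certificate crosses the wire in the clear, but TLS 1.3 encrypts it, so on newer sessions the ClientHello SNI is the field a sensor can still read.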