Use admin quarantine to investigate files
Files in cloud storage can store sensitive information that might not be adequately protected. Using Microsoft Defender for Cloud Apps, you can scan these files and apply actions for the file. You can choose to be notified of the file matching your policy, or you can choose to automatically quarantine the file. By using quarantine, the file can be reviewed and restored if it is found to be safe. So that users know what actions have been taken, a tombstone file is uploaded in place of the quarantined file.
The available actions that can be performed on the file depend on the cloud file storage solution. For example Box can place a file into admin quarantine, and Microsoft OneDrive for Business and Microsoft SharePoint can place a file into admin quarantine once a folder has been configured.
The following example configures an admin quarantine policy for payment card information, but many other templates can be used for alternative policies.
Configure an admin quarantine policy for payment card information
To configure an admin quarantine policy for payment card information, perform the following steps:
Navigate to https://portal.cloudappsecurity.com.
Select Control and select Policies.
Select Create policy and select File policy.
In Policy template, select File containing PCI detected in the cloud (built-in DLP engine).
Select Apply template.
Enter a name and description in Policy name and Description.
In Create a filter for the files this policy will act on and the Apply to fields add any filters that you require.
If you want to automatically quarantine the files, in Governance actions, select Put in admin quarantine. If you are using OneDrive for Business or SharePoint, you will first need to select Configure a quarantine folder.
Select Create.