Good day,
I am currently working to set up monitoring of the use of Dropbox, a platform we do not use in our company but do wish to keep an eye on in the spirit of DLP. However, I am having difficulty setting up good monitoring for it.
Situation:
-We use DLP 15.0
-We only use Endpoint Agents (no cloud/network/web detection or integration)
-Our machines generally run Windows 10.
There are two ways to upload files to Dropbox:
-Through the website, which uses some sort of uploader integrated in the site.
-Through the Dropbox client software, which synchronizes a folder from the PC to Dropbox.
Setting up rules for this platform, I quickly noticed that it does not detect file transfers. A lot of events can be generated when browsing to Dropbox or using the client, but none of these events have file attachments when you look at the events in the DLP Enforce server when I configure the rules.
What I am looking for is a solution where I can at least know the files sent to Dropbox, through either means (website or client).
This is my policy so far:
(Note: Dropbox.exe is part of the monitored applications in DLP).
Detection Rules
Conditions
-Protocol or Endpoint Monitoring: Endpoint Protocols: HTTP, HTTPS/SSL, FTP, Cloud Storage, Application File Access.
AND Recipient Pattern, URL Domain: Dropbox.com,dropboxapi.com,dropboxbusiness.com,dropboxcaptcha.com,dropboxforums.com,dropboxforum.com,dropboxinsiders.com,dropboxmail.com,dropboxpartners.com,dropboxstatic.com,dropbox.zendesk.com,getdropbox.com,instructorledlearning.dropboxbusiness.com,paper.dropbox.com,dropboxusercontent.com
AND Message Attachment or File Type Match: All file types selected.
My thought is that HTTPS should pick up the Dropbox web side, while Application File Access should pick up the client. If I disable the 'Message Attachment or File Type Match' condition, I do get a good number of events, even some mentioning the test file names, but none have the file attachments. If I enable the 'Message Attachment or File Type Match' condition, I get 0 events.
I've seen some other threads in these forums, but unfortunately none offer a working solution so far.