Skip to main content

This article applies to Cloud.

Available in:

StandardPremiumEnterprise
Small Business
Code42 Support

Allow Code42 Forensic File Search access to OneDrive

This article applies to Cloud.

Available in:

StandardPremiumEnterprise
Small Business

Overview

When you add Microsoft OneDrive for Business as a data source for Code42 Forensic File Search, you are required to authorize Code42 using your administrator account in OneDrive for Business. Once authorized, Forensic File Search monitors your organization's OneDrive environment for information about when a user: 

  • Creates a file
  • Shares a file
  • Deletes a file
  • Modifies a file

This article explains how to add OneDrive for Business as a data source for Forensic File Search, as well as why Code42 requires this level of access. 

Considerations

  • To allow Code42 access to OneDrive, you must be a global administrator.
  • You cannot edit the authenticating administrator information once you register the cloud service. If you need to change the authenticating administrator information, you must start over and add a new cloud service.
  • You cannot deauthorize or remove OneDrive as a cloud service in Code42. However, you can remove authorization to Code42 through your OneDrive Administration panel if necessary. 
  • Your Code42 product plan must include Code42 Forensic File Search. Contact your Customer Success Manager (CSM) for enterprise support at csmsupport@code42.com for assistance with product plans.
Monitoring and alerting tools may report download activity
Code42 Forensic File Search temporarily streams files from your cloud service to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.

Code42 never stores file contents or writes them to disk during this process.

Before you begin

  • Configure Forensic File Search before adding Microsoft OneDrive for Business as a cloud service data source.
  • Define monitoring scope: The OneDrive administrator credentials you use to connect Forensic File Search with Google Drive determine the scope of files accessible for monitoring by Forensic File Search. Code42 has permission to see all users that the administrator has control over. If you require a smaller scope of users, you must use an administrator that has a limited scope of users, or configure your Google Drive settings to set file-sharing permissions for organizations

Add OneDrive for Business 

  1. Sign in to the administration console. 
  2. Select Security Center > Data Sources
    Data sources
  3. Click Add Cloud Service Connection
  4. Under Cloud Source, select Microsoft OneDrive for Business. 
  5. Enter a display name. This name must be unique.
  6. Click Authorize
    The Microsoft OneDrive for Business sign in screen appears.
  7. Enter your OneDrive administrator credentials. 
  8. Review the terms and agreements, and click Accept. 
    Microsoft OneDrive for Business is now a cloud service for Forensic File Search.
When will I start seeing file events in Forensic File Search?
The first step to adding cloud service information into Forensic File Search is called initial extraction. This is where Code42 scans the cloud service to get baseline information on your environment. How long this step takes depends on how many files are in your cloud service environment.

For most environments, this step takes about 24 hours. Once the initial extraction is complete, it takes about 20 minutes for a new event to appear in search results.

Next Steps

Now that you have added OneDrive as a data source for Forensic File Search, learn more about:

OneDrive permissions 

Forensic File Search collects file events from OneDrive. A file event is any activity observed for a file. For example, creating, modifying, sharing, renaming, moving, or deleting a file generates an event for that file. To see this file activity, Code42 requires access to your OneDrive environment. The OneDrive permissions we request are: 

  • Directory.Read.All
  • Files.Read.All

This set of permissions means Code42 has read-only access to metadata for files, users, and drives within your cloud service environment. In other words, Code42 cannot make changes to your cloud service environment. In addition, Forensic File Search does not monitor the contents of those files, and does not back up files in the cloud service.

More information on file activity 
For more information on the specific metadata and file events collected and stored by Forensic File Search, see the Forensic File Search reference guide
  • Was this article helpful?