Who is this article for?
CrashPlan for Small Business, no.
Code42 for Enterprise, yes.
Link: Product plans and features.
This article applies to Cloud.
To help protect you from data loss, you can use Code42 Forensic File Search to monitor files moving to and from users' Microsoft OneDrive for Business.
When you add Microsoft OneDrive for Business as a data source for Code42 Forensic File Search, you are required to authorize Code42 using your administrator account in OneDrive for Business. Once authorized, Forensic File Search monitors your organization's OneDrive environment for information about when a user:
- Creates a file
- Shares a file
- Deletes a file
- Modifies a file
This article explains how to add OneDrive for Business as a data source for Forensic File Search, as well as why Code42 requires this level of access.
- To allow Code42 access to OneDrive, you must be a global administrator.
- Once authorized, Code42 Forensic File Search has access to metadata on users, files, and drives. Learn more about what Code42 monitors.
- You cannot edit the authenticating administrator information once you register the cloud service. If you need to change the authenticating administrator information, you must start over and add a new cloud service.
- You cannot deauthorize or remove OneDrive as a cloud service in Code42. However, you can remove authorization to Code42 through your OneDrive Administration panel if necessary.
- You must be licensed for Code42 Forensic File Search. If your license expires, the cloud service is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM). If you're not sure how to reach your CSM, email firstname.lastname@example.org and we will connect you.
- Microsoft OneDrive limits API requests made by third-party integrations such as Code42. Throttling these API requests allows Microsoft to better control their resources, but may slow down Code42 file metadata collection, especially after first configuring Forensic File Search access to OneDrive. Consider setting up Forensic File search access to OneDrive when you have decreased activity in your environment.
Code42 Forensic File Search temporarily streams files from your data source to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.
Code42 never stores file contents or writes them to disk during this process.
Before you begin
Configure Forensic File Search before adding Microsoft OneDrive for Business as a cloud service data source.
Add OneDrive for Business
- Sign in to the administration console.
- Select Investigation > Data Sources.
- Click Add Data Source.
- The Add Data Source dialog displays.
- From Data Source, select Microsoft OneDrive for Business under Cloud Services.
- Enter a display name. This name must be unique.
- Select one of the following options:
Monitors all OneDrive users in your environment.
- Specific Users
Monitors only the OneDrive users you designate.
- Specific Groups
Monitors only the users in the OneDrive groups you designate.
- Click Authorize.
The Microsoft OneDrive for Business sign in screen appears.
- Enter your OneDrive administrator credentials.
- Review the terms and agreements, and click Accept.
Microsoft OneDrive is added as a cloud service for Forensic File Search, and Code42 begins the initial extraction of information. For details, see Initial extraction below.
Now that you have added OneDrive as a data source for Forensic File Search, learn more about:
- Common use cases for investigating security incidents with Forensic File Search
- How to use Forensic File Search
- Adding trusted domains to easily identify when files are shared with users not on your list of approved domains.
Upload a .csv file
If you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists OneDrive users or groups you want to monitor.
General considerations for uploading a .csv file:
- The .csv file is limited to 1,000 entries.
- Uploading a new .csv replaces the existing list of people or groups being monitored.
Upload a .csv file listing OneDrive users
To export a list of all OneDrive users to a .csv file, see the Microsoft documentation. You can also use PowerShell or Active Directory to obtain a user list and place it in a .csv file. Create a .csv file from this list that contains only the users you want to monitor.
For users with email addresses, Code42 reads usernames from column headers labeled Email Address, Email, OwnerPrincipalName, or UserPrincipalName in the .csv file. For users without email addresses, Code42 reads usernames from column headers labeled DisplayName or Owner in the .csv file. If no valid username entries are found for a user in the .csv file, the upload produces an error.
Upload a .csv file listing OneDrive groups
To create a OneDrive group, see the Microsoft documentation. The OneDrive group list supports all Office 365 group types:
- Office 365 Group
- Security Group
- Mail-Enabled Security Group
- Distribution Groups
To monitor users in OneDrive groups, create a .csv file that contains only the groups you want to monitor. In this file, use column headers to identify either the name or the email addresses of those groups.
- Code42 reads the display name of groups from the column header labeled Display Name or Groups. In the .csv file, specify this name exactly as it appears in OneDrive or Azure Active Directory.
- Alternately, Code42 reads the email addresses of a group from the column header labeled Email or Email Address. In the .csv file, specify the email address associated with each group.
If the .csv file does not contain at least one of these column headers, the upload produces an error.
Code42 looks for users associated with OneDrive groups as follows:
- When a group's name or email address is provided, Code42 attempts to look up users associated with that group name or group email address.
- If neither the the group name nor the email address can be found in OneDrive, Code42 proceeds to the next entry in the .csv file. Code42 looks for that group or email address again every 24 hours.
As users are added and removed from the monitored groups, Code42 automatically detects changes and adjusts monitoring of users accordingly.
Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic File Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.
Groups that are nested in a monitored group are also monitored.
Once you complete authorization, Code42 begins the initial extraction of user activity data from your cloud service. During this process, Code42 discovers the drives and indexes all their files one drive at a time. The time to complete initial extraction on a drive is directly related to the number of files within the drive, not the size of the files.
As Code42 progresses through initial extraction, the Status column in the Data Sources panel shows the number of drives that have completed initial extraction compared to the number of drives remaining (for example, "Initializing 34 / 567").
As each drive completes initial extraction, Code42 begins monitoring file activity on the drive and sends events to Forensic File Search. To speed up initial extraction, file hashes are omitted. As a result, you see the message Hash Unavailable. File not modified since initial extraction in the MD5 Hash and SHA256 Hash fields displayed for these files in Forensic File Search. However, the files will be hashed when file events occur.
For most environments, initial extraction takes between 24 and 48 hours. Once initial extraction is complete for each drive, it takes about 20 minutes for a new event from that drive to appear in search results in Forensic File Search.
After initial extraction, Code42 processes new files in existing drives immediately, and looks for new drives every 24 hours.
Forensic File Search collects file events from OneDrive. A file event is any activity observed for a file. For example, creating, modifying, sharing, renaming, moving, or deleting a file generates an event for that file. To see this file activity, Code42 requires access to your OneDrive environment. The OneDrive permissions we request are:
This set of permissions means Code42 has read-only access to metadata for files, users, and drives within that cloud service data source. In other words, Code42 cannot make changes to your cloud service environment. In addition, Forensic File Search does not monitor the contents of those files, and does not back up files in the cloud service.
Maximum user drive number exceeded
Code42's maximum number of drives allowed for monitoring in OneDrive connections is 27,500. If Code42 detects more than this number of drives, it displays the following error in the Data Sources panel:
The number of supported user drives (27,500) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than 27,500 drives.
If you receive this message:
- Deauthorize the cloud service connection.
- Reauthorize the cloud service connection.
You are prompted to set up the cloud service connection again.
- When you select users to monitor, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the 27,500 drive limit.
Data source is already registered or the email address is not valid
You can authorize a Microsoft 365 account in Code42 only once as a cloud service data source (to monitor file movement in OneDrive Drive locations) and once as an email service data source (to monitor file attachments sent outside your company).
When you attempt to register the same Microsoft 365 account for multiple cloud or email services, the following message appears: “This data source has already been registered or the email address is not valid for this domain.” This message appears when you attempt to register the same account:
- For more than one cloud or email service in the same Code42 environment.
- In a second Code42 environment after first registering that account in a different Code42 environment.
To resolve the issue:
- Verify the Code42 environment with which the Microsoft 365 account has been registered. To register the Microsoft 365 account with a different Code42 environment, first deauthorize it in the Code42 environment where it is currently registered.
- Verify that the account has been added only once as a cloud service or only once as an email service.
- Consider creating another Microsoft 365 account for the data you want to monitor using a new email address under a different domain. You can add multiple unique Microsoft 365 accounts as Code42 data sources as long as the accounts are not associated in any way.
Reconfigure scoping for user and group monitoring
If needed, you can reconfigure the cloud service's scoping to add new users or groups or switch from monitoring specific users to monitoring specific groups.
- Deauthorize the cloud service connection.
You do not need to remove the Code42 application from the cloud service. The app registration remains valid even if it is deauthorized.
- Resume monitoring the cloud service connection.
You are prompted to set up the cloud service connection again.
- In the Add Users step of the reauthorization process, select the appropriate monitoring option, and then upload a new .csv file containing the updated users or groups you want to monitor.