Skip to main content

Who is this article for?

Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Code42 Support

Allow Code42 access to Box


To help protect you from data loss, you can use Code42 to monitor files moving to and from users' Box. 

When you add Box as a data source, you must authorize Code42 as a custom application. Once connected, we monitor your organization's Box environment to capture when a user: 

  • Creates a file
  • Shares a file
  • Deletes a file
  • Modifies a file

This article explains how to add Box as a data source. It also explains why Code42 needs this level of access to your Box environment. 


  • You must be licensed for the Box cloud service. If your license expires, the cloud service is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM). If you're not sure how to reach your CSM, email and we will connect you.
  • To connect Code42 to Box, you must be a Box Admin as well as a Code42 Customer Cloud Admin.
  • Once authorized, Code42 has access to metadata on users, files, and drives.
  • The maximum number of user drives that can be monitored in Code42 is 55,000.
  • If you need to change your Box account information, temporarily deauthorize your Box account, then reauthorize with the new account information
  • Data sources are not available in the Code42 federal environment.
  • Box allows you to add or remove individuals as collaborators on a file. However, for files that reside at the root of the drive and are not in a folder, these collaboration changes are not recorded until a file event occurs (for example, at file creation, modification, renaming, moving, or sharing with a link). 
  • Box limits API requests made by third-party integrations such as Code42. Throttling these API requests allows Box to better control their resources, but may slow down Code42 file metadata collection, especially after first configuring access to Box. Consider setting up Code42 access to Box when you have decreased activity in your environment.
  • If a user's status is set to inactive in Box, Code42 does not monitor file activity on the user's Box account. 
Monitoring and alerting tools may report download activity
Code42 temporarily streams files from your data source to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.

Code42 never stores file contents or writes them to disk during this process.

Before you begin

Enable File Metadata Collection before adding Box as a cloud service data source.


Step 1: Connect Code42 and Box

  1. Sign in to the Code42 console
  2. Add a cloud service connection:
    1. Select Investigation > Data Sources
      Data sources.
    2. Click Add Data Source.
      The Add Data Source dialog displays.
    3. From Data Source, select Box under Cloud Services.
    4. Enter a display name. This display name must be unique.
    5. Copy the Client ID. You will enter this in your Box Admin Console. 
      Add a Box connection
  3. Authorize the Code42 app in Box: 
    1. Go to your Box Admin Console and log in using your Box Admin email and password.
    2. Click Apps.
    3. Click the Custom Apps tab.
    4. Click Authorize New App.
      The App Authorization screen displays.
    5. Paste in the Client ID from the Code42 console. 
    6. Click Next. 
    7. Review the permissions granted. For more information, see Box permissions below.
    8. Click Authorize
      Code42 Cloud Services appears in the table of custom applications. 
      Box admin console
    9. (Optional) If Disable published third party apps by default is selected in Global App Settings in your Box Admin Console, hover your mouse over the Code42 Cloud Services app, click the ellipses button, and select Authorize App to allow Code42 access to your Box environment.
      You can choose to disable third-party published applications to secure your Box environment. If you do so, you need to explicitly select and authorize the Code42 cloud service's access.

Step 2: Add Users

  1. Return to the Code42 console.
  2. In the Add Data source dialog, click Continue. 
    The Add Users panel displays.
    Add Box users
  3. Select one of the following options:

Step 3: Verify the setup

  1. After uploading the .csv file, click Continue In the Add Data Source dialog.
    The Verify panel displays.
    Verify the Box connection
  2. Locate your Box Enterprise ID:
    1. Return to the Box Admin Console and select Account & Billing. 
    2. Copy the Enterprise ID.
      Enterprise ID
  3. Return to the Code42 console and enter your Box Enterprise ID and Box Admin email address:
    1. Paste the Box Enterprise ID into Box Enterprise ID.
    2. Enter the email address you use to log into the Box Admin Console into Box Admin Email Address.
  4. Click Authorize.
    Box is added as a data source, and Code42 begins the initial indexing of information. For details, see Initial indexing below. 

Next steps

Once you have added Box as a data source, learn more about:

Upload a .csv file

In Step 2, if you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists Box users or groups you want to monitor.

General considerations for uploading a .csv file:

  • The .csv file is limited to 1,000 entries.
  • Uploading a new .csv replaces the existing list of people or groups being monitored.
  • The maximum number of drives allowed for monitoring in Box connections is 55,000. 

Upload a .csv file listing Box users

See the Box documentation to export a list of all Box users to an Excel file. Convert the Excel file to .csv format, and create a .csv file from this list that contains only the users you want to monitor.

Code42 reads usernames from the column headers labeled Email or Email Address in the .csv file. If these columns contain any entries that aren't email addresses, the upload produces an error.

Upload a .csv file listing Box groups

To create a Box group, see the Box documentation. After your Box groups are set up, create a .csv file that contains only the groups you want to monitor. In this .csv file:

  • Use a column header labeled either Group Name or Groups. Code42 reads the names of groups from rows under this column header. If neither of these column headers are specified, the upload produces an error.
  • Under that column header, specify the names of the groups to monitor exactly as they appear in the Box Admin Console.

When a group name is provided, Code42 attempts to look up users with the specified group name from the .csv file. If the group name cannot be found, Code42 proceeds to the next group. Code42 looks for that group again every 24 hours.

As users are added and removed from the monitored groups, Code42 automatically detects changes and adjusts monitoring of users accordingly.

Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.

Initial indexing

Once you complete authorization, Code42 starts monitoring your Box environment for file activity right away. At the same time, Code42 begins indexing drives in your Box environment. During this process, Code42 discovers all in-scope drive and indexes all their files. If a file is not yet indexed and file activity occurs, the file is immediately indexed and subsequent file activity is sent to Code42. The time to complete the initial indexing of a drive is directly related to the number of files within the drive, not the size of the files. 

As Code42 progresses through initial indexing, information about the drives that have been processed is listed under Status on the Box data source details panel. This status lists the total number of drives in your environment that are being monitored for ongoing activity. It also shows how many of those drives are still being indexed compared to the number that have completed the initial indexing process.

To speed up this process, file hashes are omitted. As a result, you see the message Hash Unavailable. File not modified since initial extraction in the MD5 Hash and SHA256 Hash fields displayed for these files in Forensic Search. However, the files will be hashed when new file activity occurs.

For most environments, initial indexing takes between 24 and 48 hours. It takes about 20 minutes for file events in your Box environment to appear in search results in Forensic Search or to trigger any alert rules that you have set up. New file events may take up to an hour to appear on the Risk Exposure dashboard or in the User Profile.

Code42 discovers new drives and files typically within a few minutes after they are created.

Box permissions

Code42 collects file events from Box. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Box environment. The Box scopes we request are: 

  • Read all files and folders stored in Box (root_readonly)
  • Read and write all files and folders stored in Box (root_readwrite)
  • Manage groups (manage_groups)
  • Manage webhooks v2 (manage_webhook)
  • Manage enterprise properties (manage_enterprise_properties)
  • Manage users (manage_app_users and manage_managed_users)

In addition, integrations are enabled.

This set of permissions gives Code42 the access to users, metadata for files, and drives needed to monitor file activity. Although the permissions include manage and write permissions, these are required for the integration with Box. Code42 is committed to data integrity and does not write to or modify content in your Box environment. We do not monitor the contents of those files, and do not back up files in the cloud service.

More information on file activity 
For more information on the specific metadata and file events visible in Forensic Search, see the Forensic Search reference guide.


Maximum user drive number exceeded

Code42's maximum number of drives allowed for monitoring in cloud service connections is 55,000. If Code42 detects more than this number of drives, the following error appears in the Data Sources panel:

The number of supported user drives (55,000) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than 55,000 drives.

If you receive this message:

  1. Deauthorize the cloud service connection.
  2. Resume monitoring the cloud service connection.
    You are prompted to set up the cloud service connection again.
  3. In the Add Users step of the reauthorization process, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the 55,000 drive limit.

Reconfigure scoping for user and group monitoring

If needed, you can reconfigure the cloud service's scoping to add new users or groups or switch from monitoring specific users to monitoring specific groups.

  1. Deauthorize the cloud service connection.
    You do not need to remove the Code42 application from the cloud service. The app registration remains valid even if it is deauthorized.
  2. Resume monitoring the cloud service connection.
    You are prompted to set up the cloud service connection again.
  3. In the Add Users step of the reauthorization process, select the appropriate monitoring option, and then upload a new .csv file containing the updated users or groups you want to monitor.
  • Was this article helpful?