Allow Code42 access to Google Drive
Who is this article for?
Incydr, yes.
CrashPlan for Enterprise, no.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Overview
To help protect you from data loss, you can use Code42 to monitor files moving to and from users' Google Drive.
When you add Google Drive as a data connection, you must authorize Code42 as a registered client API using your administrator account in Google Workspace (formerly G Suite). Once connected, we monitor your organization's Google Drive environment to capture when a user:
This article explains how to add Google Drive as a data connection. It also explains why Code42 needs this level of access to your Google environment.
Video
Watch the video below for a demonstration of adding Google Drive as a cloud service data connection. For more videos, visit the Code42 University.
Considerations
The following considerations apply to Google Drive. See also the considerations applicable to all cloud services.
- Code42 can connect to your Google Drive environment only when supported by your Google product plan.
- To allow Code42 access to Google Drive, you must be a Google Workspace administrator with a Super Admin role. See Permissions your Google Workspace administrator needs below for more information.
- Sharing permissions that files inherit from a parent folder are detected as new events for those files. In Forensic Search, the actor for these events identifies the user who applied those sharing permissions to the parent folder.
- File events do not immediately appear when sharing with Google domains that are not configured with Code42.
- Code42 monitors both Drive File Stream and Backup and Sync. If you're using Backup and Sync, see below for additional troubleshooting considerations.
- If a user is suspended or the drive SDK is disabled in Google Drive, Code42 does not monitor file activity on the user's Google Drive account.
Before you begin
Enable File Metadata Collection before adding Google Drive as a cloud service data connection.
Steps
Step 1: Connect Code42 and Google Drive
- Sign in to the Code42 console.
- Add a cloud service connection:
- Select Administration > Integrations > Data Connections.
- Click Add Data Connection.
The Add Data Connection dialog appears. - From Data Connection, select Google Drive under Cloud Services.
Note the Client ID and Scopes details that appear on the bottom of the screen. You will need this information later in this procedure. - Enter a display name. This display name must be unique.
- Authorize the Code42 app in Google:
- Go to your Google Admin console and log in using your Google Workspace administrator email and password.
- Go to Security > API controls.
- Click Manage domain wide delegation in the Domain wide delegation panel.
- On the Domain-wide delegation page, click Add new next to API clients.
- In the Add a new client ID dialog box:
- Copy the Client ID from the Code42 console and paste it in the Client ID field.
- Copy the Scopes from the Code42 console and paste it in the in the OAuth scopes (comma-delimited) field.
- Click Authorize.
The Code42 cloud service is added to the API clients table.
Step 2: Add Users
- Return to the Code42 console.
- In the Add Data Connection dialog, click Continue.
The Add Users panel displays.
- Select one of the following options:
- All
Monitors all Google Drive users in your environment. - Specific Users
Monitors only the Google Drive users you designate.- Click Upload .CSV File.
- Select a .csv file containing a list of only those Google Drive users you want to monitor.
For details, see Upload a .csv file listing Google Drive users below.
- Specific Groups
Monitors only the users in Google Drive groups you designate.- Click Upload .CSV File.
- Select a .csv file containing a list of Google Drive groups whose users you want to monitor.
For details, see Upload a .csv file listing Google Drive groups below.
- All
Step 3: Verify the setup
- In the Add Data Connection dialog, click Continue.
The Verify panel displays.
- Enter the Google Workspace email address that you used earlier to log in to the Google Admin console.
- Click Authorize.
Google Drive is added as a data connection, and Code42 begins the initial indexing process.
Next steps
Once you have added Google Drive as a data connection, learn more about:
- Use cases
- How to search
- Adding trusted domains to easily identify when files are shared with users not on your list of approved domains.
Upload a .csv file
In Step 2, if you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists Google Drive users or groups you want to monitor.
General considerations for uploading a .csv file:
- The .csv file is limited to 1,000 entries.
- Uploading a new .csv replaces the existing list of people or groups being monitored.
- All shared drives are monitored.
Upload a .csv file listing Google Drive users
To get a list of Google Drive users, see Google Workspace Admin Help. Create a .csv file from this list that contains only the users you want to monitor. Code42 reads usernames from column headers labeled Email Address [Required], Email Address, or Emails in the .csv file. If these columns contain any entries that aren't email addresses, the upload produces an error.
Upload a .csv file listing Google Drive groups
To create a Google Drive group, see the Google Workspace Learning Center. After your Google Drive groups are set up, create a .csv file that contains only the groups you want to monitor. In this file, use column headers to identify either the name or the email addresses of those groups.
- Code42 reads the names of groups from the column header labeled Group Name or Groups. Specify the names of the groups exactly as they appear in the Google Admin console.
- Code42 reads a list of email addresses associated with a group from the column header labeled Email or Email Address. In the .csv file, specify the email address associated with each group.
If the .csv file does not contain at least one of these column headers, the upload produces an error.
Code42 looks for users associated with Google Drive groups as follows:
- When a group's name or email address is provided, Code42 attempts to look up users associated with that group name or group email address.
- If the group includes another group name or email address (a "nested" group), Code42 looks up users associated with that nested group as well.
- If the group name or email address cannot be found, Code42 proceeds to the next entry in the .csv file. Code42 looks for that group or email address again every 24 hours.
As users are added and removed from the monitored groups, Code42 detects these changes within 24 hours and adjusts monitoring of user drives accordingly.
Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.
Required permissions
Permissions your Google Workspace administrator needs
For more information, see Data connection is not sending security data below.
Permissions the Code42 service account needs
As a service account, Code42 uses delegated domain-wide authority to collect file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Google Drive environment.
In the configuration steps above, Code42 provides the following scopes for you to enter in your Google Admin console:
https://www.googleapis.com/auth/drive.readonly https://www.googleapis.com/auth/admin.directory.user.readonly https://www.googleapis.com/auth/admin.directory.group.readonly https://www.googleapis.com/auth/admin.directory.customer.readonly https://www.googleapis.com/auth/admin.reports.audit.readonly https://www.googleapis.com/auth/admin.reports.usage.readonly
Configuring these scopes in the Google Admin console gives the Code42 API client delegated domain-wide authority to your Google Drive environment, and follows Google's recommendation for allowing service accounts to read content from user drives. Because of this authority, audit logs of your Google Workspace environment may show the Code42 Cloud Service impersonating the owner of each user drive in order to read its contents.
Troubleshooting
Data connection is not sending security data
File events for Google Backup and Sync appear twice
Google Drive has two options for syncing files: Backup and Sync and Drive File Stream.
If your organization uses Backup and Sync, file events may show up twice in Forensic Search results. This happens because Backup and Sync saves content locally on your computer as well as in the cloud. As a result, when you monitor endpoints, Code42 monitors the Google Drive folder on a user's computer. When Google Drive is configured as a cloud service, Code42 monitors the files within Google Drive.
This means that when a user changes a file in one place, Google syncs those changes to the other location. This causes the file event to appears twice in Forensic Search results: once for the endpoint and once for the cloud service.
If your organization only uses Drive File Stream, this issue does not occur. Drive File Stream doesn't save files locally, so file events only appear from the cloud service.
Slowed performance
Maximum user drive number exceeded
Email domain already exists
Data connection is already registered or the email address is not valid
Reconfigure scoping for user and group monitoring
Usernames are missing from "Shared with users" lists
Code42 automatically filters the list of users a file is shared with in Google Drive to exclude any username that is not an email address. Such usernames are typically associated with service or integration accounts with sharing permissions in your Google environment instead of end users, and generally aren't useful for investigating file events.
While these usernames may appear in Google Drive, Code42 only displays user names that are email addresses in "Shared with users" lists in Forensic Search or alert notifications.