Skip to main content
Contact Support

Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Allow Code42 access to Google Drive

  1. Last updated
  2. Save as PDF

Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Overview

To help protect you from data loss, you can use Code42 to monitor files moving to and from users' Google Drive.

When you add Google Drive as a data connection, you must authorize Code42 as a registered client API using your administrator account in Google Workspace (formerly G Suite). Once connected, we monitor your organization's Google Drive environment to capture when a user: 

  • Creates or uploads a file
  • Shares a link to a file
  • Shares a file directly with users inside or outside your organization
  • Deletes a file
  • Modifies a file's contents, name, or location

This article explains how to add Google Drive as a data connection. It also explains why Code42 needs this level of access to your Google environment. 

Video

Watch the video below for a demonstration of adding Google Drive as a cloud service data connection. For more videos, visit the Code42 University

Considerations

  • You must be licensed for the Google Drive cloud service. If your license expires, the cloud service is deauthorized within 24 hours. If you need assistance with licensing, contact your Customer Success Manager (CSM). If you're not sure how to reach your CSM, email csmsupport@code42.com and we will connect you.
  • To allow Code42 access to Google Drive, you must be a Google Workspace administrator with a Super Admin role. See Permissions your Google Workspace administrator needs below for more information.
  • Once authorized, Code42 has access to metadata on users, files, and drives. Learn more about what Code42 monitors
  • The maximum number of user drives that can be monitored in Code42 is 55,000. Shared Google Drives do not contribute to this limit. Code42 can monitor unlimited shared drives.
  • You cannot edit the authenticating administrator information once you register the cloud service. If you need to change that information, you must start over and add a new cloud service. 
  • File events do not immediately appear when sharing with Google domains that are not configured with Code42. 
  • You cannot deauthorize or remove Google Drive as a cloud service in Code42. Instead, you can remove the API client access in your Google Admin console if necessary.
  • Code42 monitors both Drive File Stream and Backup and Sync. If you're using Backup and Sync, see below for additional considerations.
  • Cloud service connections are not available in the Code42 federal environment.
  • If a user is suspended or the drive SDK is disabled in Google Drive, Code42 does not monitor file activity on the user's Google Drive account. 
Monitoring and alerting tools may report download activity
Code42 temporarily streams files from your cloud or email service to the Code42 cloud to calculate the file hash. This may be reported as users downloading files.

Code42 never stores file contents or writes them to disk during this process.

Before you begin

Enable File Metadata Collection before adding Google Drive as a cloud service data connection.

Steps

Step 1: Connect Code42 and Google Drive

  1. Sign in to the Code42 console
  2. Add a cloud service connection:
    1. Select Administration > Integrations > Data Connections
    2. Click Add Data Connection.
      The Add Data Connection dialog appears.
    3. From Data Connection, select Google Drive under Cloud Services.
      Note the Client ID and Scopes details that appear on the bottom of the screen. You will need this information later in this procedure.
    4. Enter a display name. This display name must be unique.
      Add a Google Drive connection
  3. Authorize the Code42 app in Google:
    1. Go to your Google Admin console and log in using your Google Workspace administrator email and password.
      Requires Super Admin role
      This email address must be associated with a Google Workspace administrator that has the Super Admin role.
    2. Go to Security > API controls. 
    3. Click Manage domain wide delegation in the Domain wide delegation panel.
    4. On the Domain-wide delegation page, click Add new next to API clients.
    5. In the Add a new client ID dialog box:
      • Copy the Client ID from the Code42 console and paste it in the Client ID field. 
      • Copy the Scopes from the Code42 console and paste it in the in the OAuth scopes (comma-delimited) field.
    6. Click Authorize
      The Code42 cloud service is added to the API clients table.

Step 2: Add Users

  1. Return to the Code42 console.
  2. In the Add Data Connection dialog, click Continue. 
    The Add Users panel displays.
    Add Google Drive users
  3. Select one of the following options:

Step 3: Verify the setup

  1. In the Add Data Connection dialog, click Continue.
    The Verify panel displays.
    Verify the Google Drive connection
  2. Enter the Google Workspace email address that you used earlier to log in to the Google Admin console.
    Requires Super Admin role
    This email address must be associated with a Google Workspace administrator that has the Super Admin role.
  3. Click Authorize
    Google Drive is added as a data connection, and Code42 begins the initial indexing of information. For details, see Initial indexing below.

Next steps

Once you have added Google Drive as a data connection, learn more about:

Upload a .csv file

In Step 2, if you select Specific Users or Specific Groups and click Upload .CSV file, you must upload a .csv file that lists Google Drive users or groups you want to monitor.

General considerations for uploading a .csv file:

  • The .csv file is limited to 1,000 entries.
  • Uploading a new .csv replaces the existing list of people or groups being monitored.
  • All shared drives are monitored.

Upload a .csv file listing Google Drive users

To get a list of Google Drive users, see Google Workspace Admin Help. Create a .csv file from this list that contains only the users you want to monitor. Code42 reads usernames from column headers labeled Email Address [Required]Email Address, or Emails in the .csv file. If these columns contain any entries that aren't email addresses, the upload produces an error.

Upload a .csv file listing Google Drive groups

To create a Google Drive group, see the Google Workspace Learning Center. After your Google Drive groups are set up, create a .csv file that contains only the groups you want to monitor. In this file, use column headers to identify either the name or the email addresses of those groups.

  • Code42 reads the names of groups from the column header labeled Group Name or Groups. Specify the names of the groups exactly as they appear in the Google Admin console.
  • Code42 reads a list of email addresses associated with a group from the column header labeled Email or Email Address. In the .csv file, specify the email address associated with each group.

If the .csv file does not contain at least one of these column headers, the upload produces an error.

Code42 looks for users associated with Google Drive groups as follows:

  • When a group's name or email address is provided, Code42 attempts to look up users associated with that group name or group email address.
  • If the group includes another group name or email address (a "nested" group), Code42 looks up users associated with that nested group as well.
  • If the group name or email address cannot be found, Code42 proceeds to the next entry in the .csv file. Code42 looks for that group or email address again every 24 hours.

As users are added and removed from the monitored groups, Code42 detects these changes within 24 hours and adjusts monitoring of user drives accordingly.

Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.

Initial indexing

Once you complete authorization, Code42 begins the initial indexing of user activity data from your cloud service. During this process, Code42 discovers each drive and indexes all of its files. The time to complete the initial indexing of a drive is directly related to the number of files within the drive, not the size of the files. 

As Code42 progresses through initial indexing, information about the drives that Code42 has processed appears under Status on the Google Drive's details panel. This panel lists the total number of drives that Code42 has discovered in your environment, the number of drives that are being indexed, and the number of drives that have completed the initial indexing process and are currently being monitored. A second section repeats these details for shared or team drives.

As each drive completes the initial indexing process, Code42 begins monitoring file activity on the drive. To speed up the process, file hashes are omitted. As a result, you see the message Hash Unavailable. File not modified since initial extraction in the SHA256 Hash field displayed for these files in Forensic Search. However, the files will be hashed when new file activity occurs.

How long does initial indexing take?

The length of time it takes for initial indexing to complete is dependent on the size of your environment.

  • For environments that contain hundreds of drives, initial indexing may take between 24 and 72 hours depending on the number of files in each user's drive.
  • For environments that contain thousands of drives, initial indexing completes over a longer period. Typically, drives in larger environments complete the indexing process over these time frames:
    • 60% of total drives complete between 24 and 72 hours
    • 25% of total drives complete between 3 and 5 days
    • 15% of total drives complete between 6 and 10 days

Once the indexing process is complete for each drive, it can take about 20 minutes for a new event from that drive to appear in search results in Forensic Search or to trigger any alert rules that you have set up. New file events from that drive may take up to an hour to appear on the Risk Exposure dashboard or in the User Profile.

After initial indexing, Code42 processes new files in existing drives immediately, and looks for new drives every 24 hours.

Required permissions

Permissions your Google Workspace administrator needs

Code42 uses API client access to connect to and monitor file activity in your Google environment. In order to grant third-party services or applications domain-wide delegation or manage API client access in the Google Admin console, you must be a Google Workspace administrator that has the Super Admin role. Code42 cannot collect security data from your Google environment when the connection is authorized by a Google Workspace administrator without this role.

For more information, see Data connection is not sending security data below.

Permissions the Code42 service account needs

As a service account, Code42 uses delegated domain-wide authority to collect file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Google Drive environment.

In the configuration steps above, Code42 provides the following scopes for you to enter in your Google Admin console:

Copied!
https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.customer.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly

This set of permissions means Code42 has read-only access to metadata for files, users, and drives within that cloud service. In other words, Code42 cannot make changes to your cloud service environment. In addition, Code42 does not monitor the contents of those files, and does not back up files in the cloud service.

Configuring these scopes in the Google Admin console gives the Code42 API client delegated domain-wide authority to your Google Drive environment, and follows Google's recommendation for allowing service accounts to read content from user drives. Because of this authority, audit logs of your Google Workspace environment may show the Code42 Cloud Service impersonating the owner of each user drive in order to read its contents.

More information on file activity 
For more information on the specific metadata and file events visible in Forensic Search, see the Forensic Search reference guide.

Troubleshooting

Data connection is not sending security data

In order to share file activity data with Code42, the email address used to authorize a Google Drive connection must be associated with a Google Workspace administrator who has the Super Admin role. If your Google Workspace administrator has a different role, the following message appears upon authorization of your Google Drive connection: "Data connection is not sending security data."

To resolve this permissions issue:

  • Make sure that your Google Workspace administrator has the Super Admin role. If needed, update permissions in the Google Admin console.
  • Deauthorize the Google Drive cloud service, then resume monitoring again using the email address of the administrator with the Super Admin role.

File events for Google Backup and Sync appear twice

Google Drive has two options for syncing files: Backup and Sync and Drive File Stream.

If your organization uses Backup and Sync, file events may show up twice in Forensic Search results. This happens because Backup and Sync saves content locally on your computer as well as in the cloud. As a result, when you monitor endpoints, Code42 monitors the Google Drive folder on a user's computer. When Google Drive is configured as a cloud service, Code42 monitors the files within Google Drive.

This means that when a user changes a file in one place, Google syncs those changes to the other location. This causes the file event to appears twice in Forensic Search results: once for the endpoint and once for the cloud service.

If your organization only uses Drive File Stream, this issue does not occur. Drive File Stream doesn't save files locally, so file events only appear from the cloud service.

Slowed performance

Google uses API quotas to limit API requests from third-party integrations such as Code42. Throttling these API requests allows Google to better control their resources, but may slow down Code42 file metadata collection, especially after first enabling Code42 access to Gmail.

For faster performance, perform the following in the Google Admin console:

  • Increase the quotas for the Code42 integration.
  • Add additional Super Admin users, which will enable Code42 to process data more quickly.

Maximum user drive number exceeded

Code42's maximum number of drives allowed for monitoring in cloud service connections is 55,000. If Code42 detects more than this number of drives, the following error appears on the Data Connections screen:

The number of supported user drives (55,000) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than 55,000 drives.

If you receive this message:

  1. Deauthorize the cloud service connection.
  2. Resume monitoring the cloud service connection.
    You are prompted to set up the cloud service connection again.
  3. In the Add Users step of the reauthorization process, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the 55,000 drive limit.

Email domain already exists

You can authorize a Google Workspace account as a data connection for your Code42 environment only once as a cloud service (to monitor file movement in Google Drive locations) and once as an email service (to monitor file attachments sent outside your company).

When you attempt to register the same Google Workspace account for multiple cloud or email services, the following message appears: “A data connection with that email domain already exists.”

To resolve the issue:

  • Verify that the account has been added only once as a cloud service or only once as an email service.
  • Consider creating another Google Workspace account for the data you want to monitor using a new email address under a different domain. You can add multiple unique Google Workspace accounts as Code42 data connections as long as the accounts are not associated in any way.

Data connection is already registered or the email address is not valid

You can only authorize a unique Google Workspace account for one Code42 environment at a time. If you attempt to register the same Google Workspace account in multiple Code42 environments, the following message appears: “This data connection has already been registered or the email address is not valid for this domain.” For example, you register a Google Drive cloud service in one Code42 environment, then register a Gmail email service in another Code42 environment. Both belong to the same Google Workspace account.

To resolve the issue:

  • Verify the Code42 environment with which the Google Workspace account has been registered. If you need to register the Google Workspace account with a different Code42 environment, first deauthorize it from the Code42 environment it is currently registered with, then wait for 90 days for the data for that data connection to be purged automatically. To purge the data for that data connection more quickly, contact your Customer Success Manager (CSM).
  • Consider creating another Google Workspace account for the data you want to monitor in another Code42 environment using a new email address under a different domain.

Reconfigure scoping for user and group monitoring

If needed, you can reconfigure the cloud service's scoping to add new users or groups or switch from monitoring specific users to monitoring specific groups.

  1. Deauthorize the cloud service connection.
    You do not need to remove the Code42 application from the cloud service. The app registration remains valid even if it is deauthorized.
  2. Resume monitoring the cloud service connection.
    You are prompted to set up the cloud service connection again.
  3. In the Add Users step of the reauthorization process, select the appropriate monitoring option, and then upload a new .csv file containing the updated users or groups you want to monitor.

Usernames are missing from "Shared with users" lists

Code42 automatically filters the list of users a file is shared with in Google Drive to exclude any username that is not an email address. Such usernames are typically associated with service or integration accounts with sharing permissions in your Google environment instead of end users, and generally aren't useful for investigating file events.

While these usernames may appear in Google Drive, Code42 only displays user names that are email addresses in "Shared with users" lists in Forensic Search or alert notifications.

Related topics

  1. Back to top
  • Was this article helpful?

Recommended articles

  1. There are no recommended articles.
  1. Article type
    How-to
    Available in CrashPlan for Enterprise
    No
    Available in Code42 for Enterprise
    Yes
    Available in Incydr
    Yes
    Available in Code42 CrashPlan Premium
    No
    Available in Code42 CrashPlan Standard
    No
    Available in CrashPlan for Small Business
    No
    Stage
    Final
  2. Tags
    1. cloud service
    2. FFS
    3. forensic file search
    4. Forensic search