Skip to main content

Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

HOME
GETTING STARTED
RELEASE NOTES
FAQS
SYSTEM STATUS
Code42 Support

Deauthorize and resume monitoring a data source

Who is this article for?

Incydr
Code42 for Enterprise
CrashPlan for Enterprise
CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, yes.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Overview

To help protect you from data loss, you can use Code42 to monitor files moving to and from users' cloud services, such as Google Drive or Microsoft OneDrive, or emailed as attachments through Gmail or Office 365. 

This article explains how to deauthorize those data sources so that Code42 no longer has access to user data in those cloud or email services. You can also resume monitoring those data sources to resolve errors, reconfigure cloud service scoping, or restart the collection of file activity from data sources after a pause.

Considerations

  • You cannot deauthorize a cloud service (Google Drive, OneDrive, or Box, for example) or email service (such as Gmail or Office 365) while the status is Initializing. Wait for the data source to indicate that it has a status of Monitoring or Error before attempting to deauthorize.
  • If needed, you can use this process to reconfigure scoping for monitoring a cloud service's user or groups.
  • G Suite administrators must have the Super Admin role in order to share file activity data with Code42 without errors. See  Resolve "Data source is not sending security data" errors for more information.
  • Data sources are not available in the Code42 federal environment.

Deauthorize a data source

Deauthorize a data source to stop monitoring for new event activity. Once deauthorized, you have 90 days to resume monitoring the data source. After 90 days, Code42 removes the data source's configuration and authorization information (the events you have collected remain searchable in Forensic Search). 

  1. Sign in to the Code42 console.
  2. Select Investigation > Data Sources
  3. Locate the data source to deauthorize in the table, then click View details View details.
  4. Click Deauthorize. 
  5. When prompted, enter DEAUTHORIZE. 
  6. Click Deauthorize.
    At this point, Code42 stops collecting new file activity from the data source.
  7. If you do not plan to resume monitoring the cloud service, remove Code42's access in the external console as well. 

Remove Code42's access in Box

Remove Code42's access in Google Drive or Gmail

Remove Code42's access in Microsoft OneDrive or Office 365 email

Resume monitoring a data source

You can resume monitoring a data source for up to 90 days after you deauthorized the initial connection. Code42 removes data sources that have been deactivated for over 90 days. 

  1. Sign in to the Code42 console.
  2. Select Investigation > Data Sources
  3. Locate the data source to resume monitoring in the table, then click View details View details.
  4. Click Resume Monitoring.
    You can resume monitoring only data sources with a status of Deauthorized.
  5. Follow the prompts to authorize Code42 to monitor file events on that data source.
    If you are resuming monitoring of a Google Drive or Gmail environment, you can change the administrator's email address if needed. When doing so, you can change the username in the email address, but the domain used (such as "@example.com") must remain the same. This new email address must be associated with a G Suite administrator that has the Super Admin role.

Use cases

You can deauthorize and then resume monitoring a data source to update the scoping used by a cloud service or resolve errors. In most cases, errors caused by permissions or licensing issues within the data source can be resolved by deauthorizing the connection and then immediately resuming its monitoring.

Some use cases for using the deauthorization and resume monitoring processes for a data source are detailed below.

Reconfigure cloud service scoping for user or group monitoring

If needed, you can reconfigure the cloud service's scoping to add new users or groups or switch from monitoring specific users to monitoring specific groups.

  1. Deauthorize the cloud service connection.
    You do not need to remove the Code42 application from the cloud service. The app registration remains valid even if it is deauthorized.
  2. Resume monitoring the cloud service connection.
    You are prompted to set up the cloud service connection again.
  3. In the Add Users step of the reauthorization process, select the appropriate monitoring option, and then upload a new .csv file containing the updated users or groups you want to monitor.

Resolve "Data source is not sending security data" errors

In order to share file activity data with Code42, the email address used to authorize a Google Drive connection must be associated with a G Suite administrator who has the Super Admin role. If your G Suite administrator has a different role, the following message appears upon authorization of your Google Drive connection: "Data source is not sending security data."

To resolve this permissions issue:

  • Make sure that your G Suite administrator has the Super Admin role. If needed, update permissions in G Suite.
  • Deauthorize the Google Drive data source, then resume monitoring again using the email address of the administrator with the Super Admin role.

Resolve "Number of user drives exceeded" errors

Code42's maximum number of drives allowed for monitoring in cloud service connections is 55,000. If Code42 detects more than this number of drives, the following error appears in the Data Sources panel:

The number of supported user drives (55,000) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than 55,000 drives.

If you receive this message:

  1. Deauthorize the cloud service connection.
  2. Reauthorize the cloud service connection.
    You are prompted to set up the cloud service connection again.
  3. In the Add Users step of the reauthorization process, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the 55,000 drive limit.