Allow Code42 access to Google Drive

Overview

To help protect you from data loss, you can use Code42 to monitor files moving to and from users' Google Drive.

When you add Google Drive as a data connection, you must authorize Code42 as a registered client API using your administrator account in Google Workspace (formerly G Suite). Once connected, we monitor your organization's Google Drive environment to capture when a user:

This article explains how to add Google Drive as a data connection. It also explains why Code42 needs this level of access to your Google environment.

Considerations

The following considerations apply to Google Drive. See also the considerations applicable to all cloud storage environments.

Code42 can connect to your Google Drive environment only when supported by your Google product plan.
To allow Code42 access to Google Drive, you must be a Google Workspace administrator with a Super Admin role. See Permissions your Google Workspace administrator needs below for more information.
Sharing permissions that files inherit from a parent folder are detected as new events for those files. In Forensic Search, the actor for these events identifies the user who applied those sharing permissions to the parent folder.
File events do not immediately appear when sharing with Google domains that are not configured with Code42.
If the ;drive SDK is disabled in Google Drive, Code42 does not monitor file activity on the user's Google Drive account.
Code42 does index the content of suspended users' Google Drives.
Files owned by suspended users are still accessible by any users those files have been shared with. Code42 monitors files owned by suspended users files for any activity generated by these shared users.

A single file event in Forensic Search may represent more than one action in cloud storage
There's not always a strict one-to-one relationship between the actions a user takes on a file in your corporate cloud storage environment and the file event representing those actions in Code42. After detecting activity, Code42 makes a best effort to interpret the user's actions on a file in cloud storage. Code42 may combine several of those actions into one file event to more efficiently and effectively display those details. For example, a user modifying a file repeatedly a few seconds apart in the cloud storage environment may appear as one "file modified" event in Forensic Search.

Throttling of API requests by the cloud storage vendor can also slow Code42's metadata collection and affect how file events are displayed in Forensic Search. Both this throttling and Code42's interpretation of actions can cause multiple actions in cloud storage to be displayed in fewer events in Forensic Search.

Before you begin

In your Google Drive environment, verify that third-party apps have access to Drive files. If the Allow users to access Google Drive with the Drive SDK API option is Off, edit the option to turn it on. Code42 cannot monitor your Google Drive environment if this setting is disabled.

If you connect Code42 to your Google Drive environment without this setting enabled, the connection enters an error state immediately following authorization.
If you disable this setting it while the connection has a status of Indexing or Monitoring, Code42 stops monitoring the drives in your Google Drive environment until it is re-enabled.

Authorize Code42's connection to Google Drive

Step 1: Connect Code42 to Google Drive

Sign in to the Code42 console.
Add a cloud storage data connection:
1. Select Administration > Integrations > Data Connections.
2. Click Add data connection.
  The Add data connection panel opens.
3. From Data connection, select Google Drive under Cloud storage.
  Note the Client ID and OAuth scopes details that appear near the bottom of the panel. You enter this information into the Google Admin console later in this procedure.
4. Enter a display name. This display name must be unique.
Authorize the Code42 app in Google:
1. Go to your Google Admin console and log in using your Google Workspace administrator username and password.
  
  Requires Super Admin role
  This email address must be associated with a Google Workspace administrator that has the Super Admin role.
2. Go to Security > Access and data control > API controls.
3. Click Manage domain wide delegation in the Domain wide delegation panel.
4. On the Domain-wide delegation page, click Add new next to API clients.
5. In the Add a new client ID dialog box:
  - Copy the Client ID from the Code42 console and paste it in the Client ID field.
  - Copy the OAuth scopes from the Code42 console and paste it in the in the OAuth scopes (comma-delimited) field.
6. Click Authorize.
  The Code42 cloud storage data connection is added to the API clients table.

Step 2: Add users

Return to the Code42 console.
In the Add data connection panel, select I've completed these steps under Complete these steps in Google Workspace and then click Continue.
The Add Users panel appears.
Select one of the following options:
- All: Monitors all Google Drive users in your environment, including any drives owned by suspended users.
- Specific users: Monitors only the Google Drive users you designate.
  1. Click Upload .CSV file.
  2. Select a .csv file containing a list of only those Google Drive users you want to monitor. For details, see Upload a .csv file listing Google Drive users below.
- Specific groups: Monitors only the users in Google Drive groups you designate.
  1. Click Upload .CSV file.
  2. Select a .csv file containing a list of Google Drive groups whose users you want to monitor. For details, see Upload a .csv file listing Google Drive groups below.
Monitoring of shared drives is dependent on in-scope users
Code42 monitors a shared drive only when at least one of its members is also a monitored user. During initial indexing, Code42 scans the shared drives in your Google Drive environment to identify their members. Code42 then determines which of those members are also users that are monitored by the Code42 connection. (You identify the members that are in scope for Code42 monitoring when you authorize its connection to your Google Drive environment.) If no members of that shared drive are users that are monitored, Code42 does not monitor that shared drive.

Step 3: Verify the setup

In the Add data connection dialog, click Continue.
The Verify panel appears.
Enter the Google Workspace username that you used earlier to log in to the Google Admin console.

Requires Super Admin role
This email address must be associated with a Google Workspace administrator that has the Super Admin role.
Click Authorize.
Google Drive is added as a data connection, and Code42 begins the initial indexing process.

Next steps

Once you have added Google Drive as a data connection, learn more about:

Common use cases for investigating incidents with Forensic Search
How to use Forensic Search
Adding trusted domains to easily identify when files are shared with users not on your list of approved domains.

Upload a .csv file

In Step 2, if you select Specific users or Specific groups and click Upload .CSV file, you must upload a .csv file that lists Google Drive users or groups you want to monitor.

General considerations for uploading a .csv file:

The .csv file is limited to 1,000 entries.
Uploading a new .csv replaces the existing list of people or groups being monitored.
Shared drives are monitored if at least one member is an in-scope user.

Monitoring of shared drives is dependent on in-scope users
Code42 monitors a shared drive only when at least one of its members is also a monitored user. During initial indexing, Code42 scans the shared drives in your Google Drive environment to identify their members. Code42 then determines which of those members are also users that are monitored by the Code42 connection. (You identify the members that are in scope for Code42 monitoring when you authorize its connection to your Google Drive environment.) If no members of that shared drive are users that are monitored, Code42 does not monitor that shared drive.

Upload a .csv file listing Google Drive users

To get a list of Google Drive users, see Google Workspace Admin Help. Create a .csv file from this list that contains only the users you want to monitor. Code42 reads usernames from column headers labeled Email Address [Required], Email Address, or Emailsin the .csv file. If these columns contain any entries that aren't email addresses, the upload produces an error.

Click to download an example of users identified by email address.

Upload a .csv file listing Google Drive groups

To create a Google Drive group, see the Google Workspace Learning Center. After your Google Drive groups are set up, create a .csv file that contains only the groups you want to monitor. In this file, use column headers to identify either the name or the email addresses of those groups.

Code42 reads the names of groups from the column header labeledGroup Name or Groups. Specify the names of the groups exactly as they appear in the Google Admin console.
Code42 reads a list of email addresses associated with a group from the column header labeled Email or Email Address. In the .csv file, specify the email address associated with each group.

Click to download an example of groups identified by email address.

If the .csv file does not contain at least one of these column headers, the upload produces an error.

Code42 looks for users associated with Google Drive groups as follows:

When a group's name or email address is provided, Code42 attempts to look up users associated with that group name or group email address.
If the group includes another group name or email address (a "nested" group), Code42 looks up users associated with that nested group as well.
If the group name or email address cannot be found, Code42 proceeds to the next entry in the .csv file. Code42 looks for that group or email address again every 24 hours.

As users are added and removed from the monitored groups, Code42 detects these changes within 24 hours and adjusts monitoring of user drives accordingly.

Users that are removed from monitored groups have their event history preserved so that it remains searchable in Forensic Search. When an unmonitored user in your Code42 organization shares a file with a monitored user, the events associated with that file are not captured because the unmonitored user is the owner of the file.

Required permissions

Permissions your Google Workspace administrator needs

For more information, see Data connection is not sending security data below.

Permissions the Code42 service account needs

As a service account, Code42 uses delegated domain-wide authority to collect file events from Google Drive. A file event is any activity observed for a file, such as creating, modifying, sharing, renaming, moving, or deleting a file. To see this file activity, Code42 requires access to your Google Drive environment.

In the configuration steps above, Code42 provides the following scopes for you to enter in your Google Admin console:

https://www.googleapis.com/auth/drive.readonly
https://www.googleapis.com/auth/admin.directory.user.readonly
https://www.googleapis.com/auth/admin.directory.group.readonly
https://www.googleapis.com/auth/admin.directory.customer.readonly
https://www.googleapis.com/auth/admin.reports.audit.readonly
https://www.googleapis.com/auth/admin.reports.usage.readonly

Configuring these scopes in the Google Admin console gives the Code42 API client delegated domain-wide authority to your Google Drive environment, and follows Google's recommendation for allowing service accounts to read content from user drives. Because of this authority, audit logs of your Google Workspace environment may show the Code42 Cloud Service account impersonating the owner of each user drive in order to read its contents.

Troubleshooting

Issues occurring during authorization

Email domain already exists

You can authorize a Google Workspace account for your Code42 environment only once as a cloud storage data connection (to monitor file movement in Google Drive locations) and once as an email service (to monitor file attachments sent outside your company).

When you attempt to register the same Google Workspace account for multiple cloud storage or email services, the following message appears during authorization: “A data connection with that email domain already exists.”

To resolve the issue:

Verify that the account has been added only once as a cloud storage data connection or only once as an email service.
Consider creating another Google Workspace account for the data you want to monitor using a new email address under a different domain. You can add multiple unique Google Workspace accounts as Code42 data connections as long as the accounts are not associated in any way (that is, the accounts use different domains or have administrators with unique email addresses).

Data connection is already registered or the email address is not valid

You can only authorize a unique Google Workspace account for one Code42 environment at a time. If you attempt to register the same Google Workspace account in multiple Code42 environments, the following message appears during authorization: “This data connection has already been registered or the email address is not valid for this domain.” For example, you register a Google Drive cloud storage data connection in one Code42 environment, then register a Gmail email service in another Code42 environment. Both belong to the same Google Workspace account.

To resolve the issue:

Verify the Code42 environment with which the Google Workspace account has been registered. If you need to register the Google Workspace account with a different Code42 environment, first deauthorize it from the Code42 environment it is currently registered with, then wait for 90 days for the data for that data connection to be purged automatically. To purge the data for that data connection more quickly, contact your Customer Success Manager (CSM).
Consider creating another Google Workspace account for the data you want to monitor in another Code42 environment using a new email address under a different domain.

Other issues

Data connection is not sending security data

In certain situations, Code42 may be unable to access your Google Drive environment to monitor its file activity. When Code42 is unable to gather data from your Google Drive environment, the following message appears at the top of the Data Connections screen after the Google Drive connection is authorized: "Data connection <ConnectionName> is not sending security data."

To resolve this issue, try the following solutions in the order listed.

Make sure that your Google Workspace administrator has the Super Admin role.
1. If needed, update permissions in the Google Admin console to give your administrator the Super Admin role.
2. After updating administrator permissions, deauthorize the Google Drive cloud storage data connection in the Code42 console.
3. Resume monitoring the Google Drive cloud storage data connection again using the email address of the administrator with the Super Admin role.
  The authorization process must be completed by someone who holds the Super Admin role in your Google Workspace. No other administrator levels are valid.
Verify that the permissions (or scopes) required by the Code42 service account have been added to your Google Workspace correctly.
Verify that Drive and Docs is turned on for everyone in your Google Workspace (or for everyone in the Google Workspace organizational unit that you want to monitor).
Code42 can only monitor file activity for the organizational units with Drive and Docs enabled.
Verify that third-party apps have access to Drive files. Code42 cannot monitor your Google Drive environment if this setting is disabled.

Slowed performance

Google uses API quotas to limit API requests from third-party integrations such as Code42. Throttling these API requests allows Google to better control their resources, but may slow down Code42 file metadata collection, especially after first enabling Code42 access to Gmail.

For faster performance, perform the following in the Google Admin console:

Increase the quotas for the Code42 integration.
Add additional Super Admin users, which will enable Code42 to process data more quickly.

Maximum user drive number exceeded

Code42 can monitor a maximum number of drives in your cloud storage environment, depending on vendor:

Box and Microsoft OneDrive: 500,000 drives
Google Drive: 55,000 drives

If Code42 detects more than the maximum number of drives, the following error appears at the top of the Data Connections screen: "The number of supported user drives (<DriveMaximum>) for this connector has been exceeded. Deauthorize the connector and reauthorize with fewer than <DriveMaximum> drives."

If you receive this message:

Deauthorize the cloud storage data connection.
Resume monitoring the cloud storage data connection.
You are prompted to set up the cloud storage data connection again.
In the Add Users step of the reauthorization process, select the Specific Users or Specific Groups option and ensure that the total number of drives included is below the maximum limit.

Reconfigure scoping for user and group monitoring

If needed, you can reconfigure the cloud storage's scoping to add new users or groups or switch from monitoring specific users to monitoring specific groups.

Deauthorize the cloud storage connection.
You do not need to remove the Code42 application from the cloud storage environment. The app registration remains valid even if it is deauthorized.
Resume monitoring the cloud storage connection.
You are prompted to set up the cloud storage connection again.
In the Add Users step of the reauthorization process, select the appropriate monitoring option, and then upload a new .csv file containing the updated users or groups you want to monitor.

File events aren't appearing for a shared drive

Code42 monitors a shared drive only when at least one of its members is an in-scope user. If file events aren't appearing for a shared drive as expected, examine the list of people or groups who have been assigned to that drive. Then, use one of these methods to adjust that user list as needed:

In Code42, reconfigure scoping in Code42 to add one or more members of that drive as users that are in scope for monitoring.
In Google Drive, add a user that is in scope for monitoring as a member of that shared drive.

Usernames are missing from "Shared with users" lists

Code42 automatically filters the list of users a file is shared with in Google Drive to exclude any username that is not an email address. Such usernames are typically associated with service or integration accounts with sharing permissions in your Google environment instead of end users, and generally aren't useful for investigating file events.

While these usernames may appear in Google Drive, Code42 only displays user names that are email addresses in "Shared with users" lists in Forensic Search or alert notifications.

External resources

Google: Set file-sharing permissions for organizations
Google: Apply policies to different users
Google: OAuth 2.0 Scopes for Google APIs