Connect Code42 to Google Drive

Overview

To help protect you from data loss, you can use Code42 to monitor files moving to and from users' Google Drive.

When you add Google Drive as a data connection, you must authorize Code42 as a registered client API using your administrator account in Google Workspace (formerly G Suite). Once connected, we monitor your organization's Google Drive environment to capture when a user:

This article explains how to add Google Drive as a data connection.

Considerations

The following considerations apply to Google Drive. See also the considerations applicable to all cloud storage environments.

Code42 can connect to your Google Drive environment only when supported by your Google product plan.
To allow Code42 access to Google Drive, you must be a Google Workspace administrator with a Super Admin role. See Permissions required for the Google Drive connector for more information.
Sharing permissions that files inherit from a parent folder are detected as new events for those files. In Forensic Search, the actor for these events identifies the user who applied those sharing permissions to the parent folder.
File events do not immediately appear when sharing with Google domains that are not configured with Code42.
If the Drive SDK is disabled in Google Drive, Code42 does not monitor file activity on the user's Google Drive account.
Code42 does inventory the content of suspended users' Google Drives.
Files owned by suspended users are still accessible by any users those files have been shared with. Code42 monitors files owned by suspended users files for any activity generated by these shared users.

Monitoring and alerting tools may report download activity
When ongoing file activity is detected, Code42 temporarily streams files from your cloud storage or email service to the Code42 cloud to calculate the file hash. (Code42 does not calculate hash value during the initial inventory process.)

This appears in your vendor logs as users downloading files. The requesting service's IP address may point to Microsoft Azure hosts. Consider adding these IP addresses to your allowlist to reduce false alerts in your vendor logs, keeping in mind that these addresses can change.

Code42 never stores file contents or writes them to disk during this process.

A single file event in Forensic Search may represent more than one action in cloud storage
There's not always a strict one-to-one relationship between the actions a user takes on a file in your corporate cloud storage environment and the file event representing those actions in Code42. After detecting activity, Code42 makes a best effort to interpret the user's actions on a file in cloud storage. Code42 may combine several of those actions into one file event to more efficiently and effectively display those details. For example, a user modifying a file repeatedly a few seconds apart in the cloud storage environment may appear as one "file modified" event in Forensic Search.

Throttling of API requests by the cloud storage vendor can also slow Code42's metadata collection and affect how file events are displayed in Forensic Search. Both this throttling and Code42's interpretation of actions can cause multiple actions in cloud storage to be displayed in fewer events in Forensic Search.

Before you begin

Before you authorize the Code42 connection to your Google Drive environment, follow the directions in Configure Google Drive for the Code42 data connection to properly set up your Google Drive environment to allow Code42 to collect data.

Authorize Code42's connection to Google Drive

Step 1: Connect Code42 to Google Drive

Sign in to the Code42 console.
Add a cloud storage data connection:
1. Select Administration > Integrations > Data Connections.
2. Click Add data connection.
  The Add data connection panel opens.
3. From Data connection, select Google Drive under Cloud storage.
  Note the Client ID and OAuth scopes details that appear near the bottom of the panel. You enter this information into the Google Admin console later in this procedure.
4. Enter a display name. This display name must be unique.
Authorize the Code42 app in Google:
1. Go to your Google Admin console and log in using your Google Workspace administrator username and password.
  
  Requires Super Admin role
  This email address must be associated with a Google Workspace administrator that has the Super Admin role.
2. Go to Security > Access and data control > API controls.
3. At the bottom of the page in the Domain wide delegation panel, click Manage domain wide delegation.
  You may need to scroll to see the Domain wide delegation panel. Do not confuse the Manage domain wide delegation link in this panel with the Manage third-party app access link in the App access control panel. When you click Manage domain wide delegation, the Domain-wide delegation page displays.
4. On the Domain-wide delegation page, click Add new next to API clients.
5. In the Add a new client ID dialog box:
  - Copy the Client ID from the Code42 console and paste it in the Client ID field.
  - Copy the OAuth scopes from the Code42 console and paste it in the in the OAuth scopes (comma-delimited) field.
6. Click Authorize.
  The Code42 cloud storage data connection is added to the API clients table.

Step 2: Add users

Return to the Code42 console.
In the Add data connection panel, select I've completed these steps under Complete these steps in Google Workspace and then click Continue.
The Add Users panel appears.
Select one of the following options:
- All: Monitors all Google Drive users in your environment, including any drives owned by suspended users.
- Specific users: Monitors only the Google Drive users you designate.
  1. Click Upload .CSV file.
  2. Select a .csv file containing a list of only those Google Drive users you want to monitor.
- Specific groups: Monitors only the users in Google Drive groups you designate.
  1. Click Upload .CSV file.
  2. Select a .csv file containing a list of Google Drive groups whose users you want to monitor.
Monitoring of shared drives is dependent on in-scope users
Code42 monitors a shared drive only when at least one of its members is also a monitored user. During the initial inventory process, Code42 scans the shared drives in your Google Drive environment to identify their members. Code42 then determines which of those members are also users that are monitored by the Code42 connection. (You identify the members that are in scope for Code42 monitoring when you authorize its connection to your Google Drive environment.) If no members of that shared drive are users that are monitored, Code42 does not monitor that shared drive.

Step 3: Verify the setup

In the Add data connection dialog, click Continue.
The Verify panel appears.
Enter the Google Workspace username that you used earlier to log in to the Google Admin console.

Requires Super Admin role
This email address must be associated with a Google Workspace administrator that has the Super Admin role.
Click Authorize.
Google Drive is added as a data connection, and Code42 begins the initial inventory process.

Next steps

Once you have added Google Drive as a data connection, learn more about:

Common use cases for investigating incidents with Forensic Search
How to use Forensic Search
Adding trusted domains to easily identify when files are shared with users not on your list of approved domains.
Viewing and managing a cloud storage file's sharing permissions

Troubleshooting

Issues in your Google Drive environment can cause errors with the Code42 connection. When such issues occur, the Google Drive connection in the Data Connections table is highlighted in red and an error message is displayed at the top of the screen. When this occurs, click the Google Drive connection in the Data Connections table. The detail panel opens and lists the specific error so that you can resolve it.

Refer to these articles to troubleshoot specific errors that can appear for the Google Drive connection in the Data Connections list:

Other issues

Refer to the following articles:

External resources

Google documentation