Cloud storage data connections overview

Last updated
Save as PDF

Overview

As part of your insider risk detection strategy, allow Code42 access to your corporate cloud storage environments. Once connected, Code42 monitors that cloud storage environment to capture when a user:

To connect Code42 to a cloud storage environment for monitoring, see one of these articles:

Considerations

Roles and permissions

Your product plan must include at least one cloud storage data connection. If your license expires, the cloud storage connection is deauthorized within 24 hours. Contact your Customer Success Manager (CSM) for assistance with licensing. If you're not sure how to reach your CSM, please contact our Technical Support Engineers.
To connect to a cloud storage environment, you must have the appropriate permissions in that environment as well as in Code42.
- Box: You must be a Box admin (or co-admin with the required permissions) to authorize the connection to Code42.
- Google Drive: You must be a Google Workspace administrator with a Super Admin role to authorize the connection to Code42.
- Microsoft OneDrive: You must be a OneDrive global administrator to authorize the connection to Code42.
If you need to change the credentials or other account information used to authorize Code42's connection to the cloud storage environment, temporarily deauthorize the cloud storage connection, then reauthorize with the new account information.
To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

Limitations

Code42 can monitor a maximum number of drives in a cloud storage environment, depending on vendor.
- Box and Microsoft OneDrive: 500,000 drives
- Google Drive: 55,000 drives
  Shared drives in Google Drive do not contribute to this limit. Code42 can monitor unlimited shared drives in Google Drive.
Code42 prioritizes file-based monitoring. Detection of folder sharing permissions changes in Box and OneDrive environments may not be reflected as file activity or may be delayed.
Drives and files owned by suspended (Google Drive and Box) or blocked (OneDrive) users may still generate events if they are shared with others. When other users interact with those shared drives or files, those users may generate file activity that is captured by Code42. No new activity is generated by the suspended or blocked user.

Code42's access to data

Once authorized, Code42 has access to metadata on users, files, and drives.
Code42 does not store information about the administrator account used for authentication. The administrator who authorizes the cloud storage connection is solely granting permission for Code42 to read specific data in your environment.

Monitoring and alerting tools may report download activity
When ongoing file activity is detected, Code42 temporarily streams files from your cloud storage or email service to the Code42 cloud to calculate the file hash. (Code42 does not calculate hash value during the initial inventory process.)

This appears in your vendor logs as users downloading files. The requesting service's IP address may point to Microsoft Azure hosts. Consider adding these IP addresses to your allowlist to reduce false alerts in your vendor logs, keeping in mind that these addresses can change.

Code42 never stores file contents or writes them to disk during this process.

Supported cloud storage vendor plans

Code42 can only connect to your cloud storage environment when supported by that vendor's plan or license. For more information, see Vendor license requirements for Code42 data connections.

How is cloud storage monitoring different?

You may already be familiar with how Code42 monitors file activity on employee devices. Code42's monitoring of activity in cloud storage differs in that it primarily detects changes in sharing permissions for files stored in your organization's cloud drives. This detection helps to identify possible exfiltration of files or unauthorized user access to those files. These two types of monitoring are not synonymous.

Endpoint monitoring: Desktop sync apps (such as the Google File Stream app) installed on endpoints allow users to sync new or modified files on their devices with cloud-based storage for on-demand access anywhere. Code42 monitors and detects such activity with its endpoint monitoring tools.
Cloud storage monitoring: Cloud storage applications (for example, a corporate Google Drive or Microsoft OneDrive that users sign into using a web browser) allow users to share files in that environment with other collaborators using the tools in the browser. Code42 monitors and detects this activity directly through its authorized connection to your organization's cloud environment without involving employee endpoints at all.

Together, this monitoring gives you a fuller picture of data movement. Code42's endpoint monitoring tracks file activity to and from employee endpoints, while its cloud storage connections track files that users share with others in your organization's cloud drives to detect unauthorized external access.

Initial inventory process

Once you connect Code42 to your cloud storage environment, Code42 starts monitoring your environment for file activity right away. At the same time, Code42 begins taking an inventory of the drives in that environment. During this process, Code42 discovers all of the users who are in scope for monitoring, then identifies all of their drives and inventories all of the files on those drives. If a file is not yet inventoried and file activity occurs, the file is immediately inventoried and subsequent file activity is sent to Code42. The time to complete the initial inventory of a drive is directly related to the number of files within the drive, not the size of the files.

As Code42 progresses through the initial inventory, information about the number of unique users for which drives have been identified and processed is listed under Status on the cloud storage's details panel. This status lists the total number of users in your environment whose drives are being monitored for ongoing activity. For Google Drive, a second section repeats these details for shared drives.

To speed up this process, file hashes are omitted. As a result, you see the message Hash Unavailable. File not modified since initial inventory in the MD5 Hash and SHA256 Hash fields displayed for these files in Forensic Search. (Google may provide an MD5 hash value if it is available.) Files are hashed when new file activity occurs.

OneDrive shared libraries are not inventoried, discovered, or monitored
Code42 cannot inventory, discover, or monitor shared libraries in your OneDrive environment. While you can create a shared library within OneDrive, such libraries are actually created as Team Sites in SharePoint. Because Code42 can only monitor drives in OneDrive (and not Team Sites in SharePoint, Teams, or Outlook), any shared libraries in your environment are excluded.

How long does the initial inventory take?

The length of time it takes for the initial inventory to complete is dependent on the size of your environment.

For environments that contain hundreds of drives, the initial inventory may take between 24 and 72 hours depending on the number of files in each user's drives. The inventory process can take longer if Code42's connection to the cloud environment is throttled. Throttling may occur for these reasons:
- Google Drive connections can be throttled based on the number of requests made by both the Code42 service per user drive and by all services in the account as a whole
- OneDrive connections can be throttled based on all requests (including those from Code42) for the account as a whole
- Box connections can be throttled based on requests made by Code42 per user drive
For environments that contain thousands of drives, the initial inventory completes over a longer period. Typically, drives in larger environments complete the inventory process over these time frames:
- 60% of total drives complete between 24 and 72 hours
- 25% of total drives complete between 3 and 5 days
- 15% of total drives complete between 6 and 10 days

Because Code42 monitors your environment for activity while completing an inventory of users' drives, it detects newly uploaded or created files typically within minutes. It can take up to 20 minutes for file events in your environment to appear in search results in Forensic Search or to trigger any alert rules that you have set up. New file events may take up to an hour to appear on the Risk Exposure dashboard or in the User Profile.

In Google Drive and One Drive environments, Code42 discovers new drives that have been added to your environment within 8 hours. For Box, Code42 discovers new drives typically within a few minutes. After discovery, new drives are inventoried immediately.

Activity Code42 monitors in cloud storage

As with files on endpoints, Code42 detects when users add, edit, copy or move, and remove or delete files stored in drives in your cloud storage environment. And just as the cloud environment itself enhances productivity by allowing your employees to collaborate by sharing files, Code42 secures that collaboration by detecting when files are shared publicly or with external users to identify possible unauthorized access. Code42 displays information about all detected file events and file sharing permissions changes in the file event metadata for further investigation.

Information about file events (such as file additions, modifications, or deletions) is reported under specific event actions in the file event metadata.
Information about how a file is sharing in the Share type field in the file event metadata.

For more information, see Cloud storage activity monitored by a Code42 data connection.

Cloud storage file activity in Forensic Search

Code42 displays all file activity detected in your cloud environment in Forensic Search to aid investigations. For more information about how to search for cloud storage file activity, see View cloud storage file activity in Incydr.