Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

View cloud storage files


The Box, Google Drive, and Microsoft OneDrive data connections collect event metadata about the user activity that occurs in each of these cloud storage environments. Incydr does not collect and retain copies of the files involved in that activity for review following exfiltration. When users take risky actions like sharing a file publicly, the event metadata alone may not create a complete picture of the risk involved to your organization. To better assess that risk if you are not already included in the file's sharing permissions, you can request temporary access from Box, Google Drive, or OneDrive to view an exfiltrated file's contents.

When you view a cloud storage file, Code42 makes a request to the vendor environment on your behalf using the permissions you authorized for the data connection during setup. The vendor then temporarily adds you to the sharing permissions on that file with view-only access, and opens the file for viewing.


  • You can view files only in Box, Google Drive, or Microsoft OneDrive cloud storage environments that are monitored by a Code42 data connection.
  • For OneDrive and Google Drive, viewing a file requires additional OneDrive permissions or Google Drive scopes. To add these new permissions or scopes to these data connections if they don't already exist, deauthorize and resume monitoring the data connection.
  • Box notifies the original file owner when you are added to its sharing permissions to view it. This notification informs the file owner that you have accepted a collaboration invite. These notifications cannot be disabled in your Box account.
    Google Drive and Microsoft OneDrive do not notify the original file owner.
  • In order to view the files in a cloud storage environment, the status of the data connection must be Monitoring
  • Temporary view access expires after 15 minutes. During that 15 minutes, the file owner and any shared users that have edit permissions may be able to see that you have view access to that file.
  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr

View a cloud storage file's contents

  1. Sign in to the Code42 console.
  2. Locate the cloud storage sharing event for the file.
    You can access information about file events from many places, such as Forensic Search, Cases, Alerts, the All Users list, and the Risk Exposure dashboard.
  3. Open the event details for that file.
  4. In the Filename row, click View file.
    View file button in the Filename row of the event details
    • If you're requesting access to a Box file, a confirmation message appears notifying you that the original file owner will be notified. Click Yes, request to continue.
      This notification informs the file owner that you have accepted a collaboration invite. These notifications cannot be disabled in Box.
    • Code42 opens a new browser tab and requests that the vendor updates the sharing permissions to grant you view-only access to that file.
    • When the vendor successfully adds you to the file's sharing permissions, the file opens in that tab.
    • If you cannot be added to the sharing permissions for that file, an error message appears explaining why.


After 15 minutes, your temporary view access expires automatically.

  • If you request temporary view access to a file that is already shared with you, those existing permissions are not affected.
  • If you request temporary view access to the same file within the same 15 minute window, your existing temporary view-only access rights are verified but the timer does not reset.

Audit log

When you view a cloud storage file, Code42 records the following details in the Audit Log:

  • Temporary access was requested and that request succeeded or failed.
  • Temporary access expired.

Troubleshoot errors

If your view request fails, see below for ways to resolve the issue.

Insufficient permissions

  • The cloud storage data connection does not have a status of Monitoring. Resolve any errors with the data connection and try again.
  • The Code42 Google Drive or OneDrive data connection does not have the permissions required to fulfill your request. Deauthorize and resume monitoring the data connection to add the permissions required. For details on the permissions needed, see the following articles:

File not found

  • The file may have been moved or deleted from the environment and cannot be found.
  • Use Forensic Search to identify whether the filename or MD5/SHA256 hash exists on any other monitored devices or cloud storage drives for investigation.

Username not found

  • You are not a user in your organization's Box, Google Drive, or OneDrive environment.
  • Your Code42 username does not match your username in the cloud storage environment.
  • Contact your administrator to be added to the cloud storage environment or to resolve username mismatches.

Request denied

The vendor may have throttled the Code42 data connection.

  • Throttling can happen when too many API requests have been made to access information about file activity (such as during initial indexing). In OneDrive, throttling is based on all applications' requests. Requests from the Code42 data connection may be impacted by other applications in your OneDrive account.
  • Verify that the data connection has completed the initial inventory process and that it is not currently discovering files. Try to view the file again later when fewer (or no) requests are being made.

Something went wrong

An unknown error occurred, preventing your request. Return to the event details and try again.

  • Was this article helpful?