View cloud storage files
Overview
The Box, Google Drive, and Microsoft OneDrive data connections collect event metadata about the user activity that occurs in each of these cloud storage environments. Incydr does not collect and retain copies of the files involved in that activity for review following exfiltration. When users take risky actions like sharing a file publicly, the event metadata alone may not create a complete picture of the risk involved to your organization. To better assess that risk if you are not already included in the file's sharing permissions, you can request temporary access from Box, Google Drive, or OneDrive to view an exfiltrated file's contents.
When you view a cloud storage file, Code42 makes a request to the vendor environment on your behalf using the permissions you authorized for the data connection during setup. The vendor then temporarily adds you to the sharing permissions on that file with view-only access, and opens the file for viewing.
Considerations
- You can view files only in Box, Google Drive, or Microsoft OneDrive cloud storage environments that are monitored by a Code42 data connection.
- For OneDrive and Google Drive, viewing a file requires additional OneDrive permissions or Google Drive scopes. To add these new permissions or scopes to these data connections if they don't already exist, deauthorize and resume monitoring the data connection.
- Box notifies the original file owner when you are added to its sharing permissions to view it. This notification informs the file owner that you have accepted a collaboration invite. These notifications cannot be disabled in your Box account.
Google Drive and Microsoft OneDrive do not notify the original file owner. - In order to view the files in a cloud storage environment, the status of the data connection must be Monitoring.
- Temporary view access expires after 15 minutes. During that 15 minutes, the file owner and any shared users that have edit permissions may be able to see that you have view access to that file.
View a cloud storage file's contents
- Sign in to the Code42 console.
- Locate the cloud storage sharing event for the file.
You can access information about file events from many places, such as Forensic Search, Cases, Alerts, the All Users list, and the Risk Exposure dashboard. - Open the event details for that file.
- In the Filename row, click View file.
- If you're requesting access to a Box file, a confirmation message appears notifying you that the original file owner will be notified. Click Yes, request to continue.
This notification informs the file owner that you have accepted a collaboration invite. These notifications cannot be disabled in Box. - Code42 opens a new browser tab and requests that the vendor updates the sharing permissions to grant you view-only access to that file.
- When the vendor successfully adds you to the file's sharing permissions, the file opens in that tab.
- If you cannot be added to the sharing permissions for that file, an error message appears explaining why.
- If you're requesting access to a Box file, a confirmation message appears notifying you that the original file owner will be notified. Click Yes, request to continue.
Expiration
After 15 minutes, your temporary view access expires automatically.
- If you request temporary view access to a file that is already shared with you, those existing permissions are not affected.
- If you request temporary view access to the same file within the same 15 minute window, your existing temporary view-only access rights are verified but the timer does not reset.
Audit log
When you view a cloud storage file, Code42 records the following details in the Audit Log:
- Temporary access was requested and that request succeeded or failed.
- Temporary access expired.
Troubleshoot errors
If your view request fails, see below for ways to resolve the issue.