
Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

Trust and cloud activity

Overview

Incydr monitors file activity that takes place in both personal and corporate cloud storage accounts. When file activity is detected, Incydr applies its trusted activity model to those events. This article explains how Incydr applies defined or inferred trust to file events in cloud storage to identify and prioritize untrusted activity.

Trusted cloud file activity

Users can interact with files in cloud services by:

  1. Uploading files to a cloud service either from a browser or a desktop sync app.
  2. Changing sharing permissions to share files with other users in corporate cloud storage drives.
  3. Emailing attachments through cloud-based email services.
  4. Downloading reports from Salesforce environments.

Incydr determines whether file activity generated by these methods is trusted using either defined or inferred trust. Because identifying trust depends on the method used to interact with the cloud storage service, each method requires different configuration.

Files uploaded to cloud services

Users can upload files to the cloud using either a browser (when checking files into a source code repository or adding files to a cloud storage drive) or a desktop sync app (such as the Slack desktop application or any desktop sync app that syncs local and cloud files). Incydr determines whether these uploads are trusted using both defined and inferred trust.

  • Many cloud services have well-defined structures that allow personal activity to be easily differentiated from corporate use. For example:
    • Source code repositories contain unique structures in URLs that categorize projects, branches, and products.
    • Jira or OneDrive corporate tools use unique URL addresses to identify corporate sites.
    • Slack provides unique workspace names for organizations, clubs, and social groups.
    Set up trusted activity in Data Preferences to define the activity that occurs in these structures as trusted. 
  • Google Drive currently does not provide the information needed to differentiate uploads to personal drives from those to corporate locations. Thus, Incydr uses inferred trust to determine when a file has been uploaded from a monitored endpoint to a monitored corporate drive to identify it as trusted.
Browser activity
  Example trusted action:
    • File uploaded to a trusted domain (such as a corporate Jira or OneDrive domain), to a specific URL path (a trusted GitHub repository), or to a Slack workspace via a web browser
    • File uploaded to a corporate Google Drive
  Type of trust applied: Defined
  Metadata evaluated for trust: Tab URL, Tab title
  Configuration needed:
    • Set up trusted activity in Data Preferences.
    • For Google Drive:
      1. Connect Code42 to the corporate environment in Data Connections.
      2. Verify that the Incydr agent is installed on user endpoints.

Desktop sync activity
  Example trusted action: File synced to a drive via Google Drive for desktop (formerly Google Drive File Stream)
  Type of trust applied: Defined
  Metadata evaluated for trust: Domain, Sync username
  Configuration needed:
    1. Set up trusted domains in Data Preferences.
    2. (Optional) Add a cloud alias to a user profile to define activity associated with that alias as trusted.
Can I use defined trust for a specific cloud service via a URL?

Defined trust can only be established when the cloud service easily differentiates between personal and corporate accounts by using unique structures or paths in the URL.

The following list describes whether common cloud service vendors provide unique URLs:

  • OneDrive: Yes
  • Box: Yes, only if you configure a custom URL (which is not required)
  • Dropbox: No
  • Google Drive: No
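The matching that defined trust performs on browser uploads, shown as an added example rather than Code42's own implementation: trusted patterns are compared against the tab URL's host and host-plus-path, exactly unless a `*` wildcard is present. The pattern syntax, the event fields, and all sample URLs and patterns are constructed assumptions for this illustration. The last helper applies the caution from the Considerations section about leading and trailing wildcards.

```python
"""Defined-trust matching for browser upload destinations, with a wildcard check.

Added illustration, not Code42 code. The pattern syntax (exact match, with '*'
standing for any run of characters) and the event fields are assumptions.
"""
import re
from dataclasses import dataclass
from urllib.parse import urlparse


@dataclass(frozen=True)
class BrowserUpload:
    tab_url: str    # tab URL recorded by the endpoint agent (constructed samples below)
    tab_title: str


def pattern_to_regex(pattern: str) -> re.Pattern:
    """Case-insensitive exact match; '*' is the only wildcard and matches anything."""
    pieces = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(pieces) + "$", re.IGNORECASE)


def matched_trust_pattern(event: BrowserUpload, trusted_patterns):
    """Return the first trusted pattern matching the upload destination, else None."""
    parsed = urlparse(event.tab_url)
    host = (parsed.hostname or "").lower()
    host_and_path = host + parsed.path.rstrip("/")   # e.g. github.com/example-corp/repo
    for pattern in trusted_patterns:
        rx = pattern_to_regex(pattern)
        if rx.match(host) or rx.match(host_and_path):
            return pattern
    return None


def broad_patterns(trusted_patterns):
    """Patterns that begin or end with '*' and therefore deserve review before use."""
    return [p for p in trusted_patterns if p.startswith("*") or p.endswith("*")]


# Constructed trusted-activity entries: a corporate OneDrive host, one GitHub
# organisation path, and a deliberately broad leading-wildcard entry.
TRUSTED_PATTERNS = [
    "example-corp.sharepoint.com",
    "github.com/example-corp/*",
    "*corp.com",
]

# Constructed upload events as the agent might record them.
SAMPLE_UPLOADS = {
    "onedrive_corp": BrowserUpload("https://example-corp.sharepoint.com/sites/finance", "Finance - OneDrive"),
    "github_corp_repo": BrowserUpload("https://github.com/example-corp/billing-service/upload", "Upload files"),
    "github_other_repo": BrowserUpload("https://github.com/other-user/notes/upload", "Upload files"),
    "other_corp_host": BrowserUpload("https://files.othercorp.com/upload", "Upload"),
    "google_drive": BrowserUpload("https://drive.google.com/drive/my-drive", "My Drive - Google Drive"),
}


def demo():
    """Map each sample upload to the trusted pattern it matched (None if untrusted)."""
    return {name: matched_trust_pattern(ev, TRUSTED_PATTERNS) for name, ev in SAMPLE_UPLOADS.items()}


if __name__ == "__main__":
    for name, pattern in demo().items():
        print(f"{name:18} -> {'trusted via ' + pattern if pattern else 'untrusted'}")
    print("patterns worth reviewing:", broad_patterns(TRUSTED_PATTERNS))
```

Two of the results carry the article's points: the `*corp.com` entry trusts `files.othercorp.com`, a destination the administrator never intended, which is why leading wildcards are flagged for review; and the Google Drive upload matches nothing, because `drive.google.com` looks the same for personal and corporate drives, so trust for it has to be inferred rather than defined.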

Files shared in corporate cloud storage

Corporate cloud storage services like Box, Google Drive, and OneDrive allow users to share files with other collaborators using tools available in the browser after logging in. File sharing permission changes can only be detected by Code42's data connections.

Sharing activity
  Example trusted action: File in a corporate Box, Google Drive, or Microsoft OneDrive is shared with internal coworkers
  Type of trust applied: Defined
  Metadata evaluated for trust: Email domains of "Shared with" recipients
  Configuration needed: Connect Code42 to the vendor environment in Data Connections

Attachments sent through cloud-based email services

A common exfiltration vector is email: users can simply send sensitive attachments to a personal email address, or inadvertently to other untrusted recipients. Incydr determines whether this activity is trusted using defined trust.

Email activity
  Example trusted action:
    • Attachments sent from your corporate domain to trusted recipients
    • Email sent from your corporate Gmail or Microsoft Office 365 email accounts to trusted recipients
  Type of trust applied: Defined
  Metadata evaluated for trust: Email domains
  Configuration needed:
    1. Set up trusted domains in Data Preferences.
    2. If your organization uses Gmail or Office 365 email, connect Code42 to those environments in Data Connections.
    3. (Optional) Add a cloud alias to a user profile to define attachments emailed by that alias as trusted.

Reports downloaded from Salesforce

Business services like Salesforce house your vital business data in databases and reporting tools. By monitoring this environment directly, Code42 can identify when reports containing critical business data have been downloaded to an unmonitored device. Without this level of monitoring, you might not know that a report had been downloaded to a personal computer or mobile device at all.

Salesforce report downloads
  Example trusted action: Report in Salesforce is downloaded to an endpoint that is monitored by Incydr
  Type of trust applied: Inferred
  Metadata evaluated for trust: Code42 username, cloud alias
  Configuration needed:
    1. Connect Code42 to the Salesforce environment in Data Connections, and scope it to monitor the users who can export reports in Salesforce.
    2. Verify that the Incydr agent is installed on endpoints for users who can export reports in Salesforce.
    3. (Optional) Add a cloud alias to a user profile to define Salesforce report downloads by that alias as trusted.

Considerations

  • Incydr evaluates events for exact matches of the trusted activity defined in Data Preferences, although wildcards are allowed for more flexibility. Use caution with leading and trailing wildcards as you can inadvertently trust unintended destinations.
  • Users may have usernames in cloud storage destinations that differ from their username in Code42, which can cause events to be flagged as untrusted. Add cloud aliases to user profiles to trust activity associated with these differing user names.
  • Files downloaded into a folder syncing with a cloud service are automatically categorized as trusted activity because the file is not being exfiltrated from the device. (Only applies to Incydr Professional, Enterprise, Horizon, and Gov F2.)
  • Inferred trust uses an authorized data connection and the Code42 agent installed on an employee's endpoint. If a user is in scope for monitoring by the data connector but does not have an endpoint that is monitored by Incydr (or vice versa), corresponding file events cannot be matched, resulting in events falsely being flagged as untrusted.
  • Matching of cloud activity with corresponding endpoint activity to determine inferred trust can take up to one hour.
  • Delayed detection of corresponding file events can cause Incydr to flag sharing in corporate cloud services as untrusted. This can happen if the vendor has throttled the Code42 data connection's API requests or if the employee's endpoint is offline or powered down immediately following the activity.
  • Some vendors are better than others at using separate domains for personal versus corporate cloud storage.
    • Use defined trust when you can easily differentiate personal accounts from corporate accounts. Vendors that require unique corporate domains include:
      • Microsoft OneDrive
      • Box, if you configure a custom subdomain for your corporate environment (which is not required or enabled by default)
    • Connect Code42 to the corporate cloud storage environment in Data Connections to use inferred trust when you cannot easily differentiate personal accounts from corporate accounts. Inferred trust works well for these vendors:
      • Google Drive, which does not provide unique URLs or useful tab title information to clearly identify personal accounts
      • Box, if you have not configured a custom subdomain for your corporate environment
      • Microsoft OneDrive, as a failsafe and backup in case defined trust cannot be determined or if trusted activity is not configured in Data Preferences
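The inferred-trust correlation described in the Considerations above (cloud aliases, the one-hour matching window, and users in connector scope without a monitored endpoint), shown as an added example that is not Code42's code. Event fields, the alias table, the constructed placeholder hashes and every sample event are assumptions made for this illustration; the one-hour window is the figure the article gives.

```python
"""Inferred-trust correlation between cloud-connector events and endpoint events.

Added illustration, not Code42 code. Field names, the alias table and all
sample events are constructed for the example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CloudEvent:
    event_id: str
    actor: str          # account name as the cloud vendor's connector reports it
    file_hash: str      # constructed placeholder hashes below
    timestamp: datetime


@dataclass(frozen=True)
class EndpointEvent:
    code42_username: str
    file_hash: str
    timestamp: datetime


MATCH_WINDOW = timedelta(hours=1)   # the article: matching can take up to one hour


def resolve_identity(actor: str, aliases: dict) -> str:
    """Map a cloud actor to a Code42 username: the cloud alias table, else the actor as-is."""
    return aliases.get(actor.lower(), actor.lower())


def classify(cloud_events, endpoint_events, aliases, monitored_users):
    """Return {event_id: (verdict, reason)} for each cloud event."""
    verdicts = {}
    for ce in cloud_events:
        user = resolve_identity(ce.actor, aliases)
        if user not in monitored_users:
            # Connector scope without a monitored endpoint: nothing to match against,
            # so the event is flagged untrusted (the failure mode the article describes).
            verdicts[ce.event_id] = ("untrusted", f"{ce.actor!r} does not map to a user with a monitored endpoint")
            continue
        match = next(
            (ee for ee in endpoint_events
             if ee.code42_username == user
             and ee.file_hash == ce.file_hash
             and abs(ee.timestamp - ce.timestamp) <= MATCH_WINDOW),
            None,
        )
        if match is None:
            verdicts[ce.event_id] = ("untrusted", "no corresponding endpoint event inside the match window")
        else:
            verdicts[ce.event_id] = ("trusted", f"matched endpoint event for {user} at {match.timestamp.isoformat()}")
    return verdicts


T0 = datetime(2024, 1, 15, 10, 0, tzinfo=timezone.utc)

# Constructed cloud alias table: cloud account -> Code42 username.
CLOUD_ALIASES = {"alice@corp.example": "alice", "bsmith@corp.example": "bob.smith"}
MONITORED_USERS = {"alice", "bob.smith", "dave"}

SAMPLE_CLOUD_EVENTS = [
    CloudEvent("c1", "alice@corp.example", "h-0001", T0),
    CloudEvent("c2", "bsmith@corp.example", "h-0002", T0 + timedelta(minutes=5)),  # needs the alias
    CloudEvent("c3", "carol@corp.example", "h-0003", T0),   # in connector scope, no agent
    CloudEvent("c4", "dave", "h-0004", T0),                  # endpoint was offline afterwards
]
SAMPLE_ENDPOINT_EVENTS = [
    EndpointEvent("alice", "h-0001", T0 - timedelta(minutes=2)),
    EndpointEvent("bob.smith", "h-0002", T0 + timedelta(minutes=40)),
    EndpointEvent("dave", "h-0004", T0 + timedelta(hours=3)),  # arrives outside the window
]


def demo():
    """Classify the constructed sample events."""
    return classify(SAMPLE_CLOUD_EVENTS, SAMPLE_ENDPOINT_EVENTS, CLOUD_ALIASES, MONITORED_USERS)


if __name__ == "__main__":
    for event_id, (verdict, reason) in demo().items():
        print(f"{event_id}: {verdict} ({reason})")
```

Event c2 is trusted only because the alias table maps `bsmith@corp.example` to the Code42 username `bob.smith`; without that entry it would be flagged exactly as c3 is. Event c4 shows the delayed-detection case: the endpoint event exists but lands outside the window, so the verdict is untrusted rather than pending.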