Data Connections reference

Overview

Use the Data Connections page in the Code42 console to add and manage third-party services that are connected to Code42.

Considerations

To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr

Data Connections

To add and manage data connections, go to Administration > Integrations > Data Connections.

Data Connections list

Item Description
a Add data connection

Adds and configures a new data connection.

b Service

The vendor of the data connection:

  • Business tools
    • Salesforce
  • Cloud storage
    • Box

    • Google Drive
    • Microsoft OneDrive for Business
  • Email
    • Google Gmail
    • Microsoft Office 365
c Service type

Displays the data connection type, either Business tools, Cloud storage, or Email.

d Display name

Displays the name you use to distinguish between connections. For example, if your organization has two different Google Workspace accounts for US and UK employees, you could name each account's Google Drives to help identify them as such. This name must be unique.

e Status

Displays the status of the connection between Code42 and the data connection. For details, see Data connection statuses.

f

View details View details

Click to view more information about that connection.

Data connection details

For any connection listed in the Data Connections table, click View details View details to view more information.

Data connection details with annotations

Item Description
a Display name

The name given to the data connection when it was set up.

b Service

The business tool (Salesforce), cloud storage provider (Box, Google Drive, or Microsoft OneDrive for Business) or email service provider (Google Gmail or Microsoft Office 365).

c Service type

The data connection type: Business tools, Cloud storage, or Email.

d Scoped to

The scope used to identify what to monitor for the connection:

  • For Salesforce, the connection can be scoped to all users, only specific users, or only the users in specific groups. Of these users that are in scope, Code42 then identifies which users have the "Report export" permission in Salesforce and monitors only those users.
  • For cloud storage, Code42 can monitor the drives for all users, drives of specific users, or drives of users in specific groups. For Google Drive, shared drives are monitored only when at least one member is a user that is monitored by Code42.
  • For email services, Code42 can monitor all email accounts for all users, only the email accounts for specific users, or only the email accounts of users in specific groups.

Click Export users as CSV to download a list of in-scope users. 

e Status

The status of the connection between Code42 and the external environment. This status refreshes automatically. 

For details, see Data connection statuses.

f Status history

A brief history of the data connection, including the date the connection was initially added along with the username of the Code42 administrator that configured the connection. The date and time does not update if you deauthorize and then resume monitoring the cloud storage or email service connection.

g Deauthorize / Resume monitoring

Click to deauthorize the connection, or to resume monitoring a connection that has been deauthorized. Because Code42 removes its connection immediately after you deauthorize the Salesforce, Gmail, and Microsoft Office 365 services, the Resume monitoring button is unavailable for these data connections. Instead, set up the service again as a new connection to monitor Salesforce report exports or Gmail or Microsoft Office 365 emails.

This action is not available for cloud storage or email service connections with a status of Searching for drives/email accounts, Maintenance, Deauthorizing, or Deleting.

Data connection statuses

The Data Connections table's Status column displays the status of Code42's connection to the external service. For cloud storage connections, more specific drive information appears on the Data Connection details under Status.

Status Description

Initializing

Code42 has connected to the external environment and is discovering all of the drives and all of the email accounts for the users that are in scope for monitoring in your environment.

For email services, this initialization process does not inventory user inboxes. Instead, Code42 discovers all email accounts for the users that are monitored in your environment and registers those accounts for monitoring.

While the email accounts that have completed registration with Code42 begin reporting ongoing attachment activity immediately, the email service connection does not transition to the Monitoring status until all user email accounts in your environment are discovered and have completed registration.

Deauthorization is unavailable for services with this status
You cannot deauthorize a cloud storage or email service's connection when it is in this status. Wait for the status to move to either Monitoring or Monitoring, inventory in progress to deauthorize it.
Monitoring

Salesforce
Code42 has discovered all in-scope users and has identified which of those users have the "Report export" permission in Salesforce. Only those users can export reports generated from Salesforce data, so Code42 monitors only those users.

Code42 discovers any new users that have been added to your Salesforce environment (and determines whether they have the required permissions and should be monitored) within 8 hours.

Cloud storage connections

As soon as you authorize the Code42 connection to your cloud storage environment, Code42 immediately begins monitoring your cloud storage environment for ongoing file activity. At the same time, Code42 completes an inventory of all of the files for all discovered drives that are within scope to gather baseline data. File events become available in Code42 soon after they occur. If file activity occurs for file that has not yet been inventoried, that file is immediately inventoried and subsequent file activity is sent to Code42.

This initial inventory process does not calculate hash values for files. Instead, hashes are calculated when subsequent activity for that file is detected.

After the initial inventory completes, the Monitoring status indicates that Code42 is monitoring for ongoing file activity while also checking for new files. Any new files discovered during monitoring are hashed. By default Code42 checks the cloud storage environment every 5 minutes for new files and the latest file activity.

The Data Connection details for a cloud storage connection lists the total number of unique users for which Code42 has discovered drives in your environment and is monitoring for ongoing activity. A second section lists similar values for shared or team drives in Google Drive.

Code42's discovery of new drives added to your environment depend on the cloud storage provider:

  • New Box drives are discovered within a few minutes of their creation
  • New drives added to Google Drive and OneDrive environments are discovered within 8 hours

All drives are inventoried immediately after discovery.

Email service connections

Code42 is connected to the email service and is monitoring outbound email activity for file attachments. The total number of user email accounts that are in scope for monitoring is listed. New email accounts are discovered at midnight and are registered for monitoring.

Maintenance

Code42 is currently performing maintenance on the data connection. The connection is still being monitored for file or email activity, but these events won't be displayed in Code42 until maintenance completes. After maintenance completes, Code42 displays all file events collected during that maintenance period.

Error

There was an error connecting to the external environment. This typically occurs when a majority of users, user drives, or email accounts are inaccessible to Code42 due to permissions or licensing issues within the environment. This can also occur immediately after a service is authorized if that service is already registered to Code42.

To address common errors with most cloud storage services, deauthorize and resume monitoring that data connection. Contact our Technical Support Engineers with persistent errors.

Deauthorizing

Code42 is removing its authorization to monitor the external environment. For services with a large number of users, drives, or email accounts that are monitored by Code42, this process may take an hour or longer. When this process completes, the status moves to Deauthorized.

Deauthorized

Code42's connection to the external environment has been removed and no new event activity is being collected.

For cloud service connections, the connection remains deauthorized and is listed in the table for 90 days following the date of deauthorization. All discovered drives and existing file events remain in Code42 for those 90 days and can be viewed in Forensic Search. Once the 90-day period expires, Code42 deletes this connection along with all information collected. To resume monitoring the connection after deletion, you need to re-authorize it.

For Salesforce and the Gmail and Microsoft Office 365 email services, Code42 immediately removes the connection from the table (along with its configuration and authorization details) after deauthorization. File events collected from the service before it was deauthorized remain searchable in Forensic Search for up to 90 days. To resume monitoring a Salesforce environment or a Gmail or Microsoft Office 365 email service, add it again as a new connection.

Deleting

Code42 is removing its connection to the external environment and deleting any information about that connection, such as initialized drive information and collected file events. For services with a large number of users, drives, or email accounts that are monitored by Code42, this process may take an hour or longer. When this process completes, the connection is removed from the Data Connections table.

Add data connection

To add a cloud storage or email service connection, click Add data connection.

Add data connection

Item Description
a Data connection

Selects the service to add:

b Display name

The name you use to distinguish between services, for example, for different Google Drive accounts for US employees and UK employees. This name must be unique.

 

Inventory monitored drives

(not pictured)

Performs a point-in-time analysis of the sharing state for the files in all in-scope drives.

  • This data is only collected once and only available for the duration of your data retention period.
  • Results appear in the Day 1 cloud sharing risk assessment report in Incydr Labs. You can also query results in Forensic Search by filtering for events where the Event action includes the value Inventoried.
  • Use caution when enabling this setting. Inventorying all drives consumes significant resources and may take a week or more to complete. In some cases, it may also cause the cloud service to throttle API requests, which can adversely affect the performance of other, non-Incydr activity in the cloud service.