Cloud storage data connections overview

Overview

As part of your insider risk detection strategy, allow Code42 access to your corporate cloud storage environments. Once connected, Code42 monitors that cloud storage environment to capture when a user:

  • Creates or uploads a file
  • Shares a link to a file
  • Shares a file directly with users inside or outside your organization
  • Deletes a file
  • Modifies a file's contents, name, or location

To connect Code42 to a cloud storage environment for monitoring, see one of these articles:

Considerations

Roles and permissions

Limitations

  • Code42 can monitor a maximum number of drives in a cloud storage environment, depending on vendor.
    • Box and Microsoft OneDrive: 500,000 drives
    • Google Drive: 55,000 drives
      Shared drives in Google Drive do not contribute to this limit. Code42 can monitor unlimited shared drives in Google Drive.
  • Code42 prioritizes file-based monitoring. Detection of folder sharing permissions changes in Box and OneDrive environments may not be reflected as file activity or may be delayed.
  • Drives and files owned by suspended (Google Drive and Box) or blocked (OneDrive) users may still generate events if they are shared with others. When other users interact with those shared drives or files, those users may generate file activity that is captured by Code42. No new activity is generated by the suspended or blocked user.

Code42's access to data

  • Once authorized, Code42 has access to metadata on users, files, and drives.
  • Code42 does not store information about the administrator account used for authentication. The administrator who authorizes the cloud storage connection is solely granting permission for Code42 to read specific data in your environment.
Monitoring and alerting tools may report download activity
When ongoing file activity is detected, Code42 temporarily streams files from your cloud storage or email service to the Code42 cloud to calculate the file hash. (Code42 does not calculate hash value during the initial inventory process.) 

This appears in your vendor logs as users downloading files. The requesting service's IP address may point to Microsoft Azure hosts. Consider adding these IP addresses to your allowlist to reduce false alerts in your vendor logs, keeping in mind that these addresses can change. 

Code42 never stores file contents or writes them to disk during this process.

Supported cloud storage vendor plans

Code42 can only connect to your cloud storage environment when supported by that vendor's plan or license. For more information, see Vendor license requirements for Code42 data connections.

How is cloud storage monitoring different?

You may already be familiar with how Code42 monitors file activity on employee devices. Code42's monitoring of activity in cloud storage differs in that it primarily detects changes in sharing permissions for files stored in your organization's cloud drives. This detection helps to identify possible exfiltration of files or unauthorized user access to those files. These two types of monitoring are not synonymous.

  • Endpoint monitoring: Desktop sync apps (such as the Google File Stream app) installed on endpoints allow users to sync new or modified files on their devices with cloud-based storage for on-demand access anywhere. Code42 monitors and detects such activity with its endpoint monitoring tools.
  • Cloud storage monitoring: Cloud storage applications (for example, a corporate Google Drive or Microsoft OneDrive that users sign into using a web browser) allow users to share files in that environment with other collaborators using the tools in the browser. Code42 monitors and detects this activity directly through its authorized connection to your organization's cloud environment without involving employee endpoints at all.

Together, this monitoring gives you a fuller picture of data movement. Code42's endpoint monitoring tracks file activity to and from employee endpoints, while its cloud storage connections track files that users share with others in your organization's cloud drives to detect unauthorized external access.

Initial inventory process

Once you connect Code42 to your cloud storage environment, Code42 starts monitoring your environment for file activity right away. During the initial configuration, you can also opt to take an inventory of the drives in that environment. During this process, Code42 discovers all of the users who are in scope for monitoring, then identifies all of their drives and inventories all of the files on those drives. If a file is not yet inventoried and file activity occurs, the file is immediately inventoried and subsequent file activity is sent to Code42. The time to complete the initial inventory of a drive depends on the number of files in the drive, not the size of the files.

As Code42 progresses through the initial inventory, information about the number of unique users for which drives have been identified and processed is listed under Status on the cloud storage's details panel. This status lists the total number of users in your environment whose drives are being monitored for ongoing activity. For Google Drive, a second section repeats these details for shared drives.

To speed up this process, file hashes are omitted. As a result, you see the message Hash Unavailable. File not modified since initial inventory in the MD5 Hash and SHA256 Hash fields displayed for these files in Forensic Search. (Google may provide an MD5 hash value if it is available.) Files are hashed when new file activity occurs.

OneDrive shared libraries are not inventoried, discovered, or monitored
Code42 cannot inventory, discover, or monitor shared libraries in your OneDrive environment. While you can create a shared library within OneDrive, such libraries are actually created as Team Sites in SharePoint. Because Code42 can only monitor drives in OneDrive (and not Team Sites in SharePoint, Teams, or Outlook), any shared libraries in your environment are excluded. 

How long does the initial inventory take?

The length of time it takes for the initial inventory to complete is dependent on the size of your environment.

  • For environments that contain hundreds of drives, the initial inventory may take between 24 and 72 hours depending on the number of files in each user's drives. The inventory process can take longer if Code42's connection to the cloud environment is throttled. Throttling may occur for these reasons:
    • Google Drive connections can be throttled based on the number of requests made by both the Code42 service per user drive and by all services in the account as a whole
    • OneDrive connections can be throttled based on all requests (including those from Code42) for the account as a whole
    • Box connections can be throttled based on requests made by Code42 per user drive
  • For environments that contain thousands of drives, the initial inventory completes over a longer period. Typically, drives in larger environments complete the inventory process over these time frames:
    • 60% of total drives complete between 24 and 72 hours
    • 25% of total drives complete between 3 and 5 days
    • 15% of total drives complete between 6 and 10 days

Because Code42 monitors your environment for activity while completing an inventory of users' drives, it detects newly uploaded or created files typically within minutes. However, it can take up to 75 minutes for file events to appear in Forensic Search, and 75-90 minutes to appear in alerts, dashboards, and the User Profile.

In Google Drive and One Drive environments, Code42 discovers new drives that have been added to your environment within 8 hours. For Box, Code42 discovers new drives typically within a few minutes. After discovery, new drives are inventoried immediately.

Activity Code42 monitors in cloud storage

As with files on endpoints, Code42 detects when users add, edit, copy or move, and remove or delete files stored in drives in your cloud storage environment. And just as the cloud environment itself enhances productivity by allowing your employees to collaborate by sharing files, Code42 secures that collaboration by detecting when files are shared publicly or with external users to identify possible unauthorized access. Code42 displays information about all detected file events and file sharing permissions changes in the file event metadata for further investigation.

For more information, see Cloud storage activity monitored by a Code42 data connection.

Cloud storage file activity in Forensic Search

Code42 displays all file activity detected in your cloud environment in Forensic Search to aid investigations. For more information about how to search for cloud storage file activity, see View cloud storage file activity in Incydr.