Overview
As part of your insider risk detection strategy, allow Code42 access to your corporate cloud storage environments. Once connected, Code42 monitors that cloud storage environment to capture when a user:
To connect Code42 to a cloud storage environment for monitoring, see one of these articles:
Considerations
Roles and permissions
- Your product plan must include at least one cloud storage data connection. If your license expires, the cloud storage connection is deauthorized within 24 hours. Contact your Customer Success Manager (CSM) for assistance with licensing. If you're not sure how to reach your CSM, please contact our Technical Support Engineers.
- To connect to a cloud storage environment, you must have the appropriate permissions in that environment as well as in Code42.
- Box: You must be a Box admin (or co-admin with the required permissions) to authorize the connection to Code42.
- Google Drive: You must be a Google Workspace administrator with a Super Admin role to authorize the connection to Code42.
- Microsoft OneDrive: You must be a OneDrive global administrator to authorize the connection to Code42.
- If you need to change the credentials or other account information used to authorize Code42's connection to the cloud storage environment, temporarily deauthorize the cloud storage connection, then reauthorize with the new account information.
Limitations
- Code42 can monitor a maximum number of drives in a cloud storage environment, depending on vendor.
- Box and Microsoft OneDrive: 500,000 drives
- Google Drive: 55,000 drives. Shared drives in Google Drive do not contribute to this limit. Code42 can monitor unlimited shared drives in Google Drive.
- Code42 prioritizes file-based monitoring. Detection of folder sharing permissions changes in Box and OneDrive environments may not be reflected as file activity or may be delayed.
- Drives and files owned by suspended (Google Drive and Box) or blocked (OneDrive) users may still generate events if they are shared with others. When other users interact with those shared drives or files, those users may generate file activity that is captured by Code42. No new activity is generated by the suspended or blocked user.
Code42's access to data
- Once authorized, Code42 has access to metadata on users, files, and drives.
- Code42 does not store information about the administrator account used for authentication. The administrator who authorizes the cloud storage connection is solely granting permission for Code42 to read specific data in your environment.
Supported cloud storage vendor plans
Code42 can only connect to your cloud storage environment when supported by that vendor's plan or license. For more information, see Vendor license requirements for Code42 data connections.
How is cloud storage monitoring different?
You may already be familiar with how Code42 monitors file activity on employee devices. Code42's monitoring of activity in cloud storage differs in that it primarily detects changes in sharing permissions for files stored in your organization's cloud drives. This detection helps to identify possible exfiltration of files or unauthorized user access to those files. These two types of monitoring are not synonymous.
- Endpoint monitoring: Desktop sync apps (such as the Google File Stream app) installed on endpoints allow users to sync new or modified files on their devices with cloud-based storage for on-demand access anywhere. Code42 monitors and detects such activity with its endpoint monitoring tools.
- Cloud storage monitoring: Cloud storage applications (for example, a corporate Google Drive or Microsoft OneDrive that users sign into using a web browser) allow users to share files in that environment with other collaborators using the tools in the browser. Code42 monitors and detects this activity directly through its authorized connection to your organization's cloud environment without involving employee endpoints at all.
Together, this monitoring gives you a fuller picture of data movement. Code42's endpoint monitoring tracks file activity to and from employee endpoints, while its cloud storage connections track files that users share with others in your organization's cloud drives to detect unauthorized external access.
Initial inventory process
Once you connect Code42 to your cloud storage environment, Code42 starts monitoring your environment for file activity right away. During the initial configuration, you can also opt to take an inventory of the drives in that environment. During this process, Code42 discovers all of the users who are in scope for monitoring, then identifies all of their drives and inventories all of the files on those drives. If a file is not yet inventoried and file activity occurs, the file is immediately inventoried and subsequent file activity is sent to Code42. The time to complete the initial inventory of a drive depends on the number of files in the drive, not the size of the files.
As Code42 progresses through the initial inventory, information about the number of unique users for which drives have been identified and processed is listed under Status on the cloud storage's details panel. This status lists the total number of users in your environment whose drives are being monitored for ongoing activity. For Google Drive, a second section repeats these details for shared drives.
To speed up this process, file hashes are omitted. As a result, you see the message "Hash Unavailable. File not modified since initial inventory" in the MD5 Hash and SHA256 Hash fields displayed for these files in Forensic Search. (Google may provide an MD5 hash value if it is available.) Files are hashed when new file activity occurs.
Code42 cannot inventory, discover, or monitor shared libraries in your OneDrive environment. While you can create a shared library within OneDrive, such libraries are actually created as Team Sites in SharePoint. Because Code42 can only monitor drives in OneDrive (and not Team Sites in SharePoint, Teams, or Outlook), any shared libraries in your environment are excluded.
How long does the initial inventory take?
The time it takes for the initial inventory to complete depends on the size of your environment.
Because Code42 monitors your environment for activity while completing an inventory of users' drives, it detects newly uploaded or created files typically within minutes. However, it can take up to 75 minutes for file events to appear in Forensic Search, and 75-90 minutes to appear in alerts, dashboards, and the User Profile.
In Google Drive and OneDrive environments, Code42 discovers new drives that have been added to your environment within 8 hours. For Box, Code42 discovers new drives typically within a few minutes. After discovery, new drives are inventoried immediately.
Activity Code42 monitors in cloud storage
As with files on endpoints, Code42 detects when users add, edit, copy or move, and remove or delete files stored in drives in your cloud storage environment. And just as the cloud environment itself enhances productivity by allowing your employees to collaborate by sharing files, Code42 secures that collaboration by detecting when files are shared publicly or with external users to identify possible unauthorized access. Code42 displays information about all detected file events and file sharing permissions changes in the file event metadata for further investigation.
- Information about file events (such as file additions, modifications, or deletions) is reported under specific event actions in the file event metadata.
- Information about how a file is shared is reported in the Share type field in the file event metadata.
For more information, see Cloud storage activity monitored by a Code42 data connection.
Cloud storage file activity in Forensic Search
Code42 displays all file activity detected in your cloud environment in Forensic Search to aid investigations. For more information about how to search for cloud storage file activity, see View cloud storage file activity in Incydr.