Overview
To help protect you from data loss, you can use Code42 to monitor:
- Reports that are exported from your business data in Salesforce
- Files that are shared in corporate cloud storage environments (for example, Box, Google Drive, and OneDrive)
- Attachments that are sent through email services (such as Office 365 Outlook)
You can also connect other third-party systems or workflows to Code42 via Incydr Flows, speeding the process for detecting, investigating, and responding to insider risks.
This article introduces data connections and Incydr Flows, how to plan for and implement them, and how to view their data and troubleshoot issues in Incydr.
Plan for and implement data connections and Incydr Flows
To connect Incydr to a vendor environment, you generally complete these steps:
- Learn about data connections and Incydr Flows.
- Confirm you have the correct licensing for your vendor environment.
- For data connections, identify the users who are in scope for monitoring by the connector.
- Understand the permissions required and the access that those permissions grant the connector in the vendor environment.
- Complete any configuration required in the vendor environment in preparation for the connection.
- Authorize the connection in Incydr.
- For data connections, locate and view file activity in Incydr.
- Troubleshoot issues as they arise.
Learn about data connections and Incydr Flows
To understand what data connectors or Incydr Flows do and how they work, see these articles:
Confirm vendor licensing
Code42 data connections require certain licensing in your vendor environment in order to connect to it. See Vendor license requirements for Code42 data connections for more information.
For Incydr Flows, Code42 Professional Services can provide details on any additional licensing that's required. Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.
Plan user scoping
"Scoping" a data connection involves identifying the users you want the connection to monitor while excluding low-risk users, service accounts, or other "users" that don't generate meaningful file activity. For more information, see Scope a data connection.
Note that the Code42 Salesforce data connection only monitors the users who are both in scope and also have the "Report export" permission in that environment. For more information, see Identify Salesforce users with the "Report export" permission.
Understand permissions
When you connect Code42 to a vendor environment, you grant Code42 a number of permissions in that environment during the authorization process. For more information on these permissions and what they allow Code42 to do, see the following articles:
- Permissions required for the Box connector
- Permissions required for the Google Drive connector
- Permissions required for the Microsoft OneDrive connector
- Permissions required for the Gmail connector
- Permissions required by the Microsoft Office 365 email connector
For Incydr Flows, Code42 Professional Services can provide details on any permissions that are required. Contact your Customer Success Manager (CSM) to engage the Code42 Professional Services team.
Complete vendor configuration
Both Code42 data connections and Incydr Flows require that you complete some additional configuration in the vendor environment before you can connect Code42 to it. For more information, see these articles:
- Configure Salesforce for the Code42 data connection
- Configure Box for the Code42 data connection
- Configure Google Drive for the Code42 data connection
- Configure Microsoft for the Code42 OneDrive data connection
- Configure Incydr Flows
Email data connections for Gmail and Microsoft Office 365 email do not require any additional configuration.
Authorize the connection in Incydr
Once you're ready to connect Code42 to vendor environments, see these articles:
View file activity in Incydr
After you connect to the vendor environment, Code42 detects file activity in that environment and displays those details in various areas in Incydr (such as on dashboards, in Forensic Search, in alert notifications, and in user activity). For more information, see:
- View downloaded Salesforce report activity in Incydr
- View cloud storage file activity in Incydr
- Data Connections reference
- Resolve slowed performance of Google Drive and Gmail data collection
- Troubleshoot missing file events for Google Drive
- Troubleshoot missing file events for Microsoft Office 365 email
- Usernames are missing from Google Drive "Shared with users" lists
Incydr Flows don't show file activity directly in Incydr. Instead, Incydr Flows either:
- Complete tasks within Incydr (such as adding employees to watchlists for additional monitoring) based on information from vendor systems
- Send notifications to security analysts in other systems (such as Slack or Microsoft Teams) based on user activity that has triggered an alert in Incydr
For more information, see Introduction to Incydr Flows.
Troubleshoot issues
When issues arise, consult these articles to troubleshoot a data connection and resolve errors:
- Deauthorize and resume monitoring a data connection
- Resolve "There is an issue with the connection" error
- Resolve maximum user drives exceeded errors
- Resolve email domain already exists error
- Troubleshoot app permission errors for Microsoft OneDrive and Office 365 email
- Resolve "Microsoft Audit Log is inaccessible" errors for OneDrive
- Resolve Salesforce API quota errors
- Resolve Salesforce connected app revocation errors
- Resolve Salesforce service account user or profile errors
- Resolve required Salesforce event stream errors
Incydr Flows email you when issues occur. Follow the instructions in the email message to resolve these errors.
Considerations
- You can register a Google Workspace (formerly G Suite) or Microsoft 365 account in a single Code42 environment only:
  - Once as a cloud storage connection, to monitor file movement in Google Drive or OneDrive locations
  - Once as an email service connection, to monitor file attachments emailed from Gmail or Office 365 Outlook accounts
- You can only register a Google Workspace or Microsoft 365 account for one Code42 environment at a time. For example, you cannot register a OneDrive cloud storage data connection in one Code42 environment and an Office 365 email service connection in another Code42 environment when both belong to the same Microsoft 365 account.
- You can register two (or more) unique Google Workspace or Microsoft 365 accounts as long as these accounts are not associated in any way.
- Code42 only monitors one domain in a Google Workspace account even though multiple domains may exist in that account. Code42 monitors only the domain associated with the administrator email address that was used to register the Google Drive or Gmail service.
- Incydr Flows are not available in the Code42 federal environment.