Data Connections reference

Overview

Use the Data Connections page in the Incydr console to add and manage third-party services that are connected to Incydr.

Considerations

To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr.

Data Connections

To add and manage data connections, go to Administration > Integrations > Data Connections.

Data Connections list

Item Description
a Settings

Provides a yes/no option to capture file contents when a monitored user sends an attachment via your email data connections.

  • Yes: Incydr captures the attached file contents, plus extensive metadata about the file. Administrators with the required permissions can download the attached file for review.
  • No: Incydr does not capture the file contents. As a result, less metadata is available in the file activity details.

Email attachments are not collected in FedRAMP environments, and there is no option to enable this setting for FedRAMP.

b Add data connection

Adds and configures a new data connection.

c Service

The vendor of the data connection:

  • Business tools
    • Salesforce
  • Cloud storage
    • Box
    • Google Drive
    • Microsoft OneDrive for Business
  • Email
    • Google Gmail
    • Microsoft Office 365
d Service type

Displays the data connection type: Business tools, Cloud storage, or Email.

e Display name

Displays the name you use to distinguish between connections. For example, if your organization has two different Google Workspace accounts for US and UK employees, you could name each account's Google Drive connection so that you can tell them apart. This name must be unique.

f Status

Displays the status of the connection between Incydr and the data connection. For details, see Data connection statuses.

g View details

Click to view more information about that connection.

Data connection details

For any connection listed in the Data Connections table, click View details to view more information.

Data connection details with annotations

Item Description
a Display name

The name given to the data connection when it was set up.

b Service

The business tool (Salesforce), cloud storage provider (Box, Google Drive, or Microsoft OneDrive for Business), or email service provider (Google Gmail or Microsoft Office 365).

c Service type

The data connection type: Business tools, Cloud storage, or Email.

d Scoped to

The scope used to identify what to monitor for the connection:

  • For Salesforce, the connection can be scoped to all users, only specific users, or only the users in specific groups. Of the users that are in scope, Incydr then identifies which have the "Report export" permission in Salesforce and monitors only those users.
  • For cloud storage, Incydr can monitor the drives for all users, drives of specific users, or drives of users in specific groups. For Google Drive, shared drives are monitored only when at least one member is a user that is monitored by Incydr.
  • For email services, Incydr can monitor all email accounts for all users, only the email accounts for specific users, or only the email accounts of users in specific groups.

Click Export users as CSV to download a list of in-scope users. 

e Status

The status of the connection between Incydr and the external environment. This status refreshes automatically. 

For details, see Data connection statuses.

f Status history

Displays a summary of the data connection's status and configuration history, including the date and username for each action.

The status history shows the 5 most recent updates. For additional status updates, click View all to review the complete history in the Audit log.

g Deauthorize / Resume monitoring

Click to deauthorize the connection, or to resume monitoring a connection that has been deauthorized. Because Incydr removes its connection immediately after you deauthorize the Salesforce, Gmail, and Microsoft Office 365 services, the Resume monitoring button is unavailable for these data connections. Instead, set up the service again as a new connection to monitor Salesforce report exports or Gmail or Microsoft Office 365 emails.

This action is not available for cloud storage or email service connections with a status of Searching for drives/email accounts, Maintenance, Deauthorizing, or Deleting.

Data connection statuses

The Data Connections table's Status column displays the status of Incydr's connection to the external service. For cloud storage connections, more specific drive information appears on the Data Connection details under Status.

Status Description

Initializing

Incydr has connected to the external environment and is discovering all of the drives and all of the email accounts for the users that are in scope for monitoring in your environment.

For email services, this initialization process does not inventory user inboxes. Instead, Incydr discovers all email accounts for the users that are monitored in your environment and registers those accounts for monitoring.

While the email accounts that have completed registration with Incydr begin reporting ongoing attachment activity immediately, the email service connection does not transition to the Monitoring status until all user email accounts in your environment are discovered and have completed registration.

Deauthorization is unavailable for services with this status

You cannot deauthorize a cloud storage or email service's connection when it is in this status. Wait for the status to move to either "Monitoring" or "Monitoring, inventory in progress" before deauthorizing it.

Monitoring

Salesforce

Incydr has discovered all in-scope users and has identified which of those users have the "Report export" permission in Salesforce. Only those users can export reports generated from Salesforce data, so Incydr monitors only those users.

Incydr discovers any new users that have been added to your Salesforce environment (and determines whether they have the required permissions and should be monitored) within 8 hours.

Cloud storage connections

As soon as you authorize the Incydr connection to your cloud storage environment, Incydr immediately begins monitoring your cloud storage environment for ongoing file activity. At the same time, Incydr completes an inventory of all of the files for all discovered drives that are within scope to gather baseline data. File events become available in Incydr soon after they occur. If file activity occurs for a file that has not yet been inventoried, that file is immediately inventoried and subsequent file activity is sent to Incydr.

This initial inventory process does not calculate hash values for files. Instead, hashes are calculated when subsequent activity for that file is detected.

After the initial inventory completes, the Monitoring status indicates that Incydr is monitoring for ongoing file activity while also checking for new files. Any new files discovered during monitoring are hashed. By default Incydr checks the cloud storage environment every 5 minutes for new files and the latest file activity.

The Data Connection details for a cloud storage connection lists the total number of unique users for which Incydr has discovered drives in your environment and is monitoring for ongoing activity. A second section lists similar values for shared or team drives in Google Drive.

Incydr's discovery of new drives added to your environment depends on the cloud storage provider:

  • New Box drives are discovered within a few minutes of their creation
  • New drives added to Google Drive and OneDrive environments are discovered within 8 hours

All drives are inventoried immediately after discovery.

Email service connections

Incydr is connected to the email service and is monitoring outbound email activity for file attachments. The total number of user email accounts that are in scope for monitoring is listed. New email accounts are discovered at midnight and are registered for monitoring.

Maintenance

Incydr is currently performing maintenance on the data connection. The connection is still being monitored for file or email activity, but these events won't be displayed in Incydr until maintenance completes. After maintenance completes, Incydr displays all file events collected during that maintenance period.

Error

There was an error connecting to the external environment. This typically occurs when a majority of users, user drives, or email accounts are inaccessible to Incydr due to permissions or licensing issues within the environment. This can also occur immediately after a service is authorized if that service is already registered to Incydr.

To address common errors with most cloud storage services, deauthorize and resume monitoring that data connection. Contact our Technical Support Engineers with persistent errors.

Deauthorizing

Incydr is removing its authorization to monitor the external environment. For services with a large number of users, drives, or email accounts that are monitored by Incydr, this process may take an hour or longer. When this process completes, the status moves to Deauthorized.

Deauthorized

Incydr's connection to the external environment has been removed and no new event activity is being collected.

For cloud service connections, the connection remains deauthorized and is listed in the table for 90 days following the date of deauthorization. All discovered drives and existing file events remain in Incydr for those 90 days and can be viewed in Forensic Search. Once the 90-day period expires, Incydr deletes this connection along with all information collected. To resume monitoring the connection after deletion, you need to re-authorize it.

For Salesforce and the Gmail and Microsoft Office 365 email services, Incydr immediately removes the connection from the table (along with its configuration and authorization details) after deauthorization. File events collected from the service before it was deauthorized remain searchable in Forensic Search for up to 90 days. To resume monitoring a Salesforce environment or a Gmail or Microsoft Office 365 email service, add it again as a new connection.

Deleting

Incydr is removing its connection to the external environment and deleting any information about that connection, such as initialized drive information and collected file events. For services with a large number of users, drives, or email accounts that are monitored by Incydr, this process may take an hour or longer. When this process completes, the connection is removed from the Data Connections table.

Add data connection

To add a cloud storage or email service connection, click Add data connection.

Add data connection

Item Description
a Data connection

Selects the service to add:

b Display name

The name you use to distinguish between services, for example, to tell apart different Google Drive accounts for US employees and UK employees. This name must be unique.

Is this data connection for a GCC High environment?

(not pictured)

Appears only in federal (FedRAMP) environments.

For Microsoft OneDrive and Office 365 data connections, select Yes or No based on your environment type.

If you don't know your environment type, contact your Microsoft administrator before continuing. You must select the correct environment type to authorize the connection.

Inventory monitored drives

(not pictured)

Performs a point-in-time analysis of the sharing state for the files in all in-scope drives.

  • This data is collected only once and is available only for the duration of your data retention period.
  • Results appear in the Day 1 cloud sharing risk assessment report in Incydr Labs. You can also query results in Forensic Search by filtering for events where the Event action includes the value Inventoried.
  • Use caution when enabling this setting. Inventorying all drives consumes significant resources and may take a week or more to complete. In some cases, it may also cause the cloud service to throttle API requests, which can adversely affect the performance of other, non-Incydr activity in the cloud service.
