Introduction to adding data connections

Overview

To help protect you from data loss, you can use Incydr to monitor:

• Reports that are exported from your business data in Salesforce
• Files that are shared in corporate cloud storage environments (for example, Box, Google Drive, and OneDrive)
• Attachments that are sent through email services (such as Office 365 Outlook)

You can also connect other third-party systems or workflows to Incydr via Incydr Flows, speeding the process for detecting, investigating, and responding to insider risks.

This article introduces data connections and Incydr Flows, how to plan for and implement them, and how to view their data and troubleshoot issues in Incydr.

Plan for and implement data connections and Incydr Flows

To connect Incydr to a vendor environment, you generally complete these steps:

1. Learn about data connections and Incydr Flows.
2. Confirm you have the correct licensing for your vendor environment.
3. For data connections, identify the users who are in scope for monitoring by the connector.
4. Understand the permissions required and the access that those permissions grant the connector in the vendor environment.
5. Complete any configuration required in the vendor environment in preparation for the connection.
6. Authorize the connection in Incydr.
7. For data connections, locate and view file activity in Incydr.
8. Troubleshoot issues as they arise.

Learn about data connections and Incydr Flows

To understand what data connectors or Incydr Flows do and how they work, see these articles:

• Salesforce data connection overview
• Cloud storage data connections overview
• Email services overview
• Cloud storage activity monitored by an Incydr data connection
• Identify IP addresses used by Incydr data connectors
• Introduction to Incydr Flows

Confirm vendor licensing

Incydr data connections require certain licensing in your vendor environment in order to connect to it. See Vendor license requirements for Incydr data connections for more information.

For Incydr Flows, Incydr Professional Services can provide details on any additional licensing that's required. Contact your Customer Success Manager (CSM) to engage the Incydr Professional Services team.

Plan user scoping

"Scoping" a data connection involves identifying the users you want the connection to monitor while excluding low risk users, service accounts, or other "users" that don't generate meaningful file activity. For more information, see Scope a data connection.

Note that the Incydr Salesforce data connection only monitors the users who are both in scope and also have the "Report export" permission in that environment. For more information, see Identify Salesforce users with the "Report export" permission.

Understand permissions

When you connect Incydr to a vendor environment, you grant Incydr permissions in that environment during the authorization process. For more information on these permissions and what they allow Incydr to do, see the following articles:

• Permissions required for the Box connector
• Permissions required for the Google Drive connector
• Permissions required for the Microsoft OneDrive connector
• Permissions required for the Gmail connector
• Permissions required by the Microsoft Office 365 email connector

For Incydr Flows, Incydr Professional Services can provide details on any permissions that are required. Contact your Customer Success Manager (CSM) to engage the Incydr Professional Services team.

Complete vendor configuration

Both Incydr data connections and Incydr Flows require that you complete some additional configuration in the vendor environment before you can connect Incydr to it. For more information, see these articles:

• Configure Salesforce for the Incydr data connection
• Configure Box for the Incydr data connection
• Configure Google Drive for the Incydr data connection
• Configure Microsoft for the Incydr OneDrive data connection
• Configure Incydr Flows

Email data connections for Gmail and Microsoft Office 365 email do not require any additional configuration.

Authorize the connection in Incydr

Once you're ready to connect Incydr to vendor environments, see these articles:

• Connect Incydr to Salesforce
• Connect Incydr to Box
• Connect Incydr to Google Drive
• Connect Incydr to OneDrive
• Connect Incydr to Gmail
• Connect Incydr to Microsoft Office 365 email
• Configure Incydr Flows

View file activity in Incydr

After you connect to the vendor environment, Incydr detects file activity in that environment and displays those details in various areas in Incydr (such as on dashboards, in Forensic Search, in alert notifications, and in user activity). For more information, see:

• View downloaded Salesforce report activity in Incydr
• View cloud storage file activity in Incydr
• Data Connections reference
• Resolve slowed performance of Google Drive and Gmail data collection
• Troubleshoot missing file events for Google Drive
• Troubleshoot missing file events for Microsoft Office 365 email
• Usernames are missing from Google Drive "Shared with users" lists

Incydr Flows don't show file activity directly in Incydr. Instead, Incydr Flows either:

• Complete tasks within Incydr (such as adding employees to watchlists for additional monitoring) based on information from vendor systems
• Send notifications to security analysts in other systems (such as Slack or Microsoft teams) based on user activity that has triggered an alert in Incydr.

For more information, see Introduction to Incydr Flows.

Troubleshoot issues

When issues arise, consult these articles for help troubleshooting a data connection to resolve errors:

• Deauthorize and resume monitoring a data connection
• Resolve "There is an issue with the connection" error
• Resolve maximum user drives exceeded errors
• Resolve email domain already exists error
• Troubleshoot app permission errors for Microsoft OneDrive and Office 365 email
• Resolve "Microsoft Audit Log is inaccessible" errors for OneDrive
• Resolve Salesforce API quota errors
• Resolve Salesforce connected app revocation errors
• Resolve Salesforce service account user or profile errors
• Resolve required Salesforce event stream errors

Incydr Flows email you when issues occur. Follow the instructions in the email message to resolve these errors.

Considerations

• You can register a Google Workspace (formerly G Suite) or Microsoft 365 account in a single Incydr environment only:
  • Once as a cloud storage connection, to monitor file movement in Google Drive or OneDrive locations
  • Once as an email service connection, to monitor file attachments emailed from Gmail or Office 365 Outlook accounts
  You cannot register the same account as more than one cloud storage or email service data connection. For example, you cannot register a Google Drive cloud storage data connection scoped to your Accounting users and a second Google Drive cloud storage data connection scoped to Development users when they belong to the same Google Workspace account.
• You can only register a Google Workspace or Microsoft 365 account for one Incydr environment at a time. For example, you cannot register a OneDrive cloud storage data connection in one environment and an Office 365 email service connection in another environment when both belong to the same Microsoft 365 account.
• You can register two (or more) unique Google Workspace or Microsoft 365 accounts as long as these accounts are not associated in any way.
• Incydr only monitors one domain in a Google Workspace account even though multiple domains may exist in that account. Incydr monitors only the domain associated with the administrator email address that was used to register the Google Drive or Gmail service.
• Incydr Flows are not available in the Incydr federal environment.