Overview
The Box, Google Drive, and Microsoft OneDrive data connections collect event metadata about the user activity that occurs in each of these cloud storage environments. Incydr does not collect and retain copies of the files involved in that activity for review following exfiltration. When users take risky actions like sharing a file publicly, the event metadata alone may not create a complete picture of the risk to your organization. To better assess that risk if you are not already included in the file's sharing permissions, you can request temporary access from Box, Google Drive, or OneDrive to view an exfiltrated file's contents.
When you view a cloud storage file, Incydr makes a request to the vendor environment on your behalf using the permissions you authorized for the data connection during setup. The vendor then temporarily adds you to the sharing permissions on that file with view-only access, and opens the file for viewing.
Considerations
- You can view files only in Box, Google Drive, or Microsoft OneDrive cloud storage environments that are monitored by an Incydr data connection.
- You must be signed in as a user with the Security Center - Restore or Security Center - Restore - Cloud role to view files.
- For OneDrive and Google Drive, viewing a file requires additional OneDrive permissions or Google Drive scopes. To add these new permissions or scopes to these data connections if they don't already exist, deauthorize and resume monitoring the data connection.
- To view the files in a cloud storage environment, the status of the data connection must be Monitoring.
- Temporary view access expires after 15 minutes. During those 15 minutes, the file owner and any shared users that have edit permissions may be able to see that you have view access to that file.
User notifications
- Box notifies the original file owner when you are granted temporary permission to view a file. This notification informs the file owner that you have accepted a collaboration invite. These notifications cannot be disabled in the Box admin console.
- Google Drive and OneDrive may notify the original file owner when you are granted temporary permission to view a file. Notifications depend on the user's Google or Microsoft preferences. If the file owner enables these notifications, they are notified that the file has been shared with you. These notifications cannot be disabled by an administrator.
View a cloud storage file's contents
- Sign in to the Incydr console.
- Locate the cloud storage sharing event for the file.
  You can access information about file events from many places, such as Forensic Search, Cases, Alerts, the All Users list, and the Risk Exposure dashboard.
- Open the event details for that file.
- In the Filename row, click View file.
- If you're requesting access to a Box file, a confirmation message appears notifying you that the original file owner will be notified. Click Yes, request to continue.
  This notification informs the file owner that you have accepted a collaboration invite. These notifications cannot be disabled in Box.
- Incydr opens a new browser tab and requests that the vendor updates the sharing permissions to grant you view-only access to that file.
- When the vendor successfully adds you to the file's sharing permissions, the file opens in that tab.
- If you cannot be added to the sharing permissions for that file, an error message appears explaining why.
Expiration
After 15 minutes, your temporary view access expires automatically.
- If you request temporary view access to a file that is already shared with you, those existing permissions are not affected.
- If you request temporary view access to the same file within the same 15-minute window, your existing temporary view-only access rights are verified but the timer does not reset.
Audit log
When you view a cloud storage file, Incydr records the following details in the Audit Log:
- Temporary access was requested and that request succeeded or failed.
- Temporary access expired.
Troubleshoot errors
If your view request fails, see below for ways to resolve the issue.