Overview
To help protect you from data loss, you can use Incydr to monitor files moving to and from users' Google Drive.
When you add Google Drive as a data connection, you must authorize Incydr as a registered client API using your administrator account in Google Workspace (formerly G Suite). Once connected, we monitor your organization's Google Drive environment to capture when a user:
- Creates or uploads a file
- Downloads a file
- Shares a link to a file
- Shares a file directly with users inside or outside your organization
- Deletes a file
This article explains how to add Google Drive as a data connection.
Considerations
The following considerations apply to Google Drive. See also the considerations applicable to all cloud storage environments.
- Incydr can connect to your Google Drive environment only when supported by your Google product plan.
- To allow Incydr access to Google Drive, you must be a Google Workspace administrator with a Super Admin role. See Permissions required for the Google Drive connector for more information.
- Sharing permissions that files inherit from a parent folder are detected as new events for those files. In Forensic Search, the actor for these events identifies the user who applied those sharing permissions to the parent folder.
- File events do not immediately appear when sharing with Google domains that are not configured with Incydr.
- If the Drive SDK is disabled in Google Drive, Incydr does not monitor file activity on the user's Google Drive account.
- Incydr does inventory the content of suspended users' Google Drives.
- Files owned by suspended users are still accessible by any users those files have been shared with. Incydr monitors files owned by suspended users for any activity generated by these shared users.
Monitoring and alerting tools may report download activity
When ongoing file activity is detected, Incydr temporarily streams files from your cloud storage or email service to the Incydr cloud to calculate the file hash. (Hash values are not calculated during the initial inventory process.)
This appears in your vendor logs as users downloading files. The requesting service's IP address may point to Microsoft Azure hosts. Consider adding these IP addresses to your allowlist to reduce false alerts in your vendor logs, keeping in mind that these addresses can change.
File contents are never stored or written to disk during this process.
A single file event in Forensic Search may represent more than one action in cloud storage
There's not always a strict one-to-one relationship between the actions a user takes on a file in your corporate cloud storage environment and the file event representing those actions in Incydr. After detecting activity, Incydr makes a best effort to interpret the user's actions on a file in cloud storage. Incydr may combine several of those actions into one file event to more efficiently and effectively display those details. For example, a user modifying a file repeatedly a few seconds apart in the cloud storage environment may appear as one "file modified" event in Forensic Search.
Throttling of API requests by the cloud storage vendor can also slow Incydr's metadata collection and affect how file events are displayed in Forensic Search. Both this throttling and Incydr's interpretation of actions can cause multiple actions in cloud storage to be displayed in fewer events in Forensic Search.
Before you begin
Before you authorize the Incydr connection to your Google Drive environment, follow the directions in Configure Google Drive for the Incydr data connection to properly set up your Google Drive environment to allow Incydr to collect data.
Authorize Incydr's connection to Google Drive
Step 1: Connect Incydr to Google Drive
- Sign in to the Incydr console.
- Add a cloud storage data connection:
  - Select Administration > Integrations > Data Connections.
  - Click Add data connection.
    The Add data connection panel opens.
  - From Data connection, select Google Drive under Cloud storage.
    Note the Client ID and OAuth scopes details that appear near the bottom of the panel. You enter this information into the Google Admin console later in this procedure.
  - Enter a display name. This display name must be unique.
- Go to your Google Admin console and log in using your Google Workspace administrator username and password.
  Requires Super Admin role
  This email address must be associated with a Google Workspace administrator that has the Super Admin role.
- Go to Security > Access and data control > API controls.
- At the bottom of the page in the Domain wide delegation panel, click Manage domain wide delegation.
  You may need to scroll to see the Domain wide delegation panel. Do not confuse the Manage domain wide delegation link in this panel with the Manage third-party app access link in the App access control panel. When you click Manage domain wide delegation, the Domain-wide delegation page displays.
- On the Domain-wide delegation page, click Add new next to API clients.
- In the Add a new client ID dialog box:
  - Copy the Client ID from the Incydr console and paste it in the Client ID field.
  - Copy the OAuth scopes from the Incydr console and paste them in the OAuth scopes (comma-delimited) field.
- Authorize the Incydr app in Google: click Authorize.
  The Incydr cloud storage data connection is added to the API clients table.
Step 2: Add users
- Return to the Incydr console.
- In the Add data connection panel, select I've completed these steps under Complete these steps in Google Workspace and then click Continue.
  The Add Users panel appears.
- Select one of the following options:
  - All: Monitors all Google Drive users in your environment, including any drives owned by suspended users.
  - Specific users: Monitors only the Google Drive users you designate.
    - Click Upload .CSV file.
    - Select a .csv file containing a list of only those Google Drive users you want to monitor.
  - Specific groups: Monitors only the users in Google Drive groups you designate.
    - Click Upload .CSV file.
    - Select a .csv file containing a list of Google Drive groups whose users you want to monitor.
Monitoring of shared drives is dependent on in-scope users
Incydr monitors a shared drive only when at least one of its members is also a monitored user. During the initial inventory process, Incydr scans the shared drives in your Google Drive environment to identify their members. Incydr then determines which of those members are also users that are monitored by the Incydr connection. (You identify the members that are in scope for Incydr monitoring when you authorize its connection to your Google Drive environment.) If no members of that shared drive are users that are monitored, Incydr does not monitor that shared drive.
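As an added illustration (not Incydr's own code or algorithm), the following Python applies the scoping rule from this section to constructed sample data: it resolves the monitored user set from the chosen Add Users option, then keeps only the shared drives that have at least one monitored member. The scope names, sample addresses and CSV layout are assumptions.

```python
# Added example, not Incydr's own code: applies the rule described above
# (a shared drive is monitored only if at least one member is a monitored user).
# Scope names mirror the Add Users panel: "all", "users" (CSV of user addresses),
# "groups" (CSV of group addresses). All directory data here is constructed sample data.
import csv
import io
from typing import Dict, Set

def load_csv_column(csv_text: str) -> Set[str]:
    """Read the first column of an uploaded CSV (one address per row), normalised to lower case."""
    rows = csv.reader(io.StringIO(csv_text))
    return {row[0].strip().lower() for row in rows if row and row[0].strip()}

def resolve_monitored_users(scope: str, csv_text: str, all_users: Set[str],
                            group_members: Dict[str, Set[str]]) -> Set[str]:
    """Return the monitored user set for the chosen scope.
    all_users is every Drive account in the domain; under "all" this includes suspended users."""
    if scope == "all":
        return set(all_users)
    if scope == "users":
        return load_csv_column(csv_text) & all_users
    if scope == "groups":
        wanted = load_csv_column(csv_text)
        expanded = {m for g in wanted for m in group_members.get(g, set())}
        return expanded & all_users
    raise ValueError(f"unknown scope: {scope}")

def monitored_shared_drives(monitored: Set[str], drives: Dict[str, Set[str]]) -> Set[str]:
    """Shared drives with at least one monitored member; membership comes from the initial inventory."""
    return {name for name, members in drives.items() if members & monitored}

# Constructed sample directory: carol is a suspended user who still owns the Archive drive.
ALL_USERS = {"alice@example.com", "bob@example.com", "carol@example.com"}
GROUP_MEMBERS = {"finance@example.com": {"alice@example.com", "carol@example.com"}}
SHARED_DRIVES = {
    "Finance": {"alice@example.com", "bob@example.com"},
    "Legal": {"bob@example.com"},
    "Archive": {"carol@example.com"},
}

def drives_for_scope(scope: str, csv_text: str = "") -> Set[str]:
    """Which of the sample shared drives would be monitored under this scope and CSV upload."""
    monitored = resolve_monitored_users(scope, csv_text, ALL_USERS, GROUP_MEMBERS)
    return monitored_shared_drives(monitored, SHARED_DRIVES)

if __name__ == "__main__":
    for scope, csv_text in [("all", ""), ("users", "bob@example.com\n"), ("groups", "finance@example.com\n")]:
        print(scope, sorted(drives_for_scope(scope, csv_text)))
```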
Step 3: Verify the setup
- In the Add data connection dialog, click Continue.
  The Verify panel appears.
- Enter the Google Workspace username that you used earlier to log in to the Google Admin console.
  Requires Super Admin role
  This email address must be associated with a Google Workspace administrator that has the Super Admin role.
- Click Authorize.
Google Drive is added as a data connection, and Incydr begins the initial inventory process.
Step 4: Configure preventative controls
Background
- Incydr preventative controls provide the option to block users from sharing files in Google Drive with external users.
- Because Google Drive sharing controls are managed via Google Groups, Incydr automatically creates a group called Incydr Prevention Controls (Managed by Code42) when you complete the authorization process above.
- When you add or remove a user from an Incydr watchlist with the Cloud sharing preventative control enabled, they are automatically added or removed from the Incydr Prevention Controls (Managed by Code42) Google Group, which updates their sharing settings within Google Drive accordingly.
- Incydr automatically creates the group and manages group membership. But you must follow the steps for either Option 1 or Option 2 below to manually update the group settings to ensure group members are blocked from sharing externally.
Google offers two ways to manage sharing permissions: general access sharing options and trust rules. Trust rules will eventually replace sharing options, but as of December 2023, both options are available.
Configure via Sharing Options
- Sign in to your Google Admin console with your Google Workspace administrator credentials.
- Go to Apps > Google Workspace > Drive and Docs.
- Go to Sharing setting > Groups.
- Search for "Incydr."
- Select Incydr Prevention Controls (Managed by Code42).
- In the Sharing Options section, click the edit icon, then:
- Set Sharing outside of <company name> to Off
- Set Distributing content outside of <company name> to Only users in <company name>
- Click Save.
This configures the group so that members cannot share files with users outside your company.
If the Incydr Prevention Controls (Managed by Code42) group is deleted, it will automatically be recreated as long as your Google Drive data connection is still authorized. However, you will need to complete the steps in this section again to update the sharing settings for the group.
Next steps
Once you have added Google Drive as a data connection, learn more about:
- Common use cases for investigating incidents with Forensic Search
- How to use Forensic Search
- Adding trusted domains to easily identify when files are shared with users not on your list of approved domains.
- Viewing and managing a cloud storage file's sharing permissions
Troubleshooting
Issues in your Google Drive environment can cause errors with the Incydr connection. When such issues occur, the Google Drive connection in the Data Connections table is highlighted in red and an error message is displayed at the top of the screen. When this occurs, click the Google Drive connection in the Data Connections table. The detail panel opens and lists the specific error so that you can resolve it.
Refer to these articles to troubleshoot specific errors that can appear for the Google Drive connection in the Data Connections list:
Other issues
Refer to the following articles:
- Resolve email domain already exists error
- Troubleshoot missing file events for Google Drive
- Resolve slowed performance of Google Drive and Gmail data collection
- Usernames are missing from Google Drive "Shared with users" lists
- Reconfigure scoping for user and group monitoring
External resources
Google documentation
- Set file-sharing permissions for organizations
- Apply policies to different users
- OAuth 2.0 Scopes for Google APIs