User Activity and Activity Notifications reference
Who is this article for?
Incydr, no.
CrashPlan for Enterprise, no.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
Overview
This article describes how User Activity and Activity Notifications in the Code42 console can detect and analyze potential file exfiltration activity throughout your organization.
For details on the security events that can be detected and instructions on how to configure endpoint monitoring, see Endpoint Monitoring.
Access requirements
Endpoint monitoring must be enabled in your Code42 environment.
User activity
Search for user activity
To access the Security Center and begin a user search:
- Sign in to the Code42 console.
- Select Investigation > User Activity (version 8.2 and later) or Security Center > User Activity (versions 7.x and earlier).
Item | Name | Description |
---|---|---|
a | Username | Enter the username of the user to search. |
b | Dates | Specifies the start and end dates of the search query. Select Most Current to select the current date. The start and end dates must be no more than 62 days apart. |
c | Search | Submits the search and returns the activity results. |
User activity results
View summaries and charts for the following endpoint monitoring event types:
- Pattern Matching
- Cloud Folders
- Removable Media
- Files Restored
- Application Activity
Item | Name | Description |
---|---|---|
a | User Details | Lists details about the user, including the user's organization, number of devices, and if the user is included in an activity profile. |
b | Activity Profile | If the user is included in an activity profile, the profile name displays here. Click the name for menu options to view details of the profile or remove the user from the profile. If the user is not included in an activity profile, a link to Add to a Profile appears. |
c | Action menu | Displays the option to Export CSV, which downloads a CSV file containing line item details for the activities summarized in the search results. |
d | Dates | Specifies the start and end dates of the search query. Select different dates to update the results. The start and end dates must be no more than 62 days apart. |
e | Activity summary | Indicates the number of files and total size of files for each event type. Each event type also includes a chart below with more details. Code42 server version 6.5 features updated column labels. Version 6.0.x labels appear as: Pattern Matching, Cloud Service, Removable Media, File Upload (Windows Only), File Restore. |
f | Pattern Matching | Number of patterns and matches defined by the YARA rule file on the user's device. |
g | Action menu | Displays the option to export a CSV file with line-item details of the activity summarized in the chart. |
h | Cloud Folders (Code42 server version 6.5 and later); Cloud Service (Code42 server version 6.0.x) | Number and size of files transferred to cloud services, including Box, Box Drive (Mac only, version 6.8.4 and later), Dropbox, Google Drive*, Google Backup and Sync, iCloud, and OneDrive. *Google replaced Google Drive with Backup and Sync, but results for previous Google Drive activity still appear. |
i | Removable Media | Number and size of files transferred to removable media, such as USB drives, external hard drives, memory cards, etc. |
j | Files Restored¹ | Number and size of files restored from the Code42 app. Applies only to Code42 environments where file restore detection was enabled in versions 7.x and earlier. (The setting to enable/disable the File Restore detection type was removed from the Code42 console in version 8.2.) |
k | Application Activity; Browser Activity; File Upload (Code42 server version 6.0.x)¹; Windows devices only | Number and size of files uploaded or downloaded via web browsers and other applications (for example, when a user attaches a file to a web-based email or sends a file via FTP). This may also include other instances of a browser accessing a file, such as opening a local file to view it in a web browser without actually uploading it. Devices using Code42 app versions older than 7.0.0 only monitored activity in web browsers, and only on Windows devices. Version 7.0.0 expands upload and download detection to include Macs as well as other applications, such as Slack, FileZilla, FTP, and cURL. Devices using Code42 app version 6.7.1 and later report upload and download activity separately. Older versions of the Code42 app do not differentiate between upload and download activity, so all browser activity is reported as "Open (undefined)." |

¹ For Code42 server versions 6.0.x, the location of charts labeled j and k is reversed.
Export CSV
When exporting results to a CSV file, you can select which data to include. The exported file contains extensive activity details, including timestamps and numerous user and device details.
Item | Description |
---|---|
Device Appeared | Includes detection of storage devices that are connected to the user's device. |
Device Disappeared | Includes detection of storage devices that are disconnected from the user's device. |
Device File Activity | Includes detection of file creation, modification, or deletion on connected devices. |
Device Scan Result | Includes scanning of files on connected devices for the following types of events: |
Personal Cloud File Activity | Includes detection of file activity in a personal cloud. |
Personal Cloud Scan Result | Includes scanning of personal cloud drives. |
Restore Job | Includes detection of restore activity. |
Restore File | Includes detection of restored files. |
Application Activity (version 7.0 and later); Browser Activity; File Upload | Includes detection of files uploaded or downloaded via web browsers and other applications. This may also include other instances of a browser accessing a file, such as opening a local file to view it in a web browser without actually uploading it. Devices using Code42 app versions older than 7.0.0 only monitored activity in web browsers, and only on Windows devices. |
Rule Match | Includes detection of files that trigger a pattern match using defined YARA rules. |
Cancel | Cancels the export. |
Export | Downloads the CSV file of the exported data. |
CSV export field descriptions
Activity notifications
With activity notifications, administrators can monitor file activity for specific high-risk users and receive an email notification when suspicious activity occurs. See Configuring Security Center Activity Profiles for additional information.
Activity profile list
To view the list of activity profiles, select Investigation > Activity Notifications (version 8.2 and later) or Security Center > Activity Notifications (versions 7.x and earlier).
Item | Name | Description |
---|---|---|
a | Create New Profile | Displays options to create a new activity profile. |
b | Report Name | List of activity profile names. |
c | Date Modified | Indicates last date the profile was modified. |
d | Total Number of Users | Indicates number of users in the profile. |
e | Activity profile list | List of activity profiles. Select a row to view activity profile details. Select the checkbox next to the profile for the option to delete the profile. |
Activity profile details
To view details for an activity profile:
- Select Investigation > Activity Notifications (version 8.2 and later) or Security Center > Activity Notifications (versions 7.x and earlier).
- Click the row of the profile you want to view.
Item | Name | Description |
---|---|---|
a | Activity profile name | Indicates the profile name. |
b | Profile details (version 6.5 and later); Profile Details and Profile Thresholds (version 6.0.x) | Details about the activity profile: |
c | Action menu | Provides options to Edit This Profile and Delete This Profile. |
d | Add User | Displays the Add User screen. |
e | Select users | Click to select users for removal from the profile. |
f | Username | Name of the user. |
g | Organization | The user's organization. |
h | Added by | Username of the person who added this user to the activity profile. |
i | Added on | Date the user was added to the activity profile. |
j | Status (version 6.5 and later) | |
k | Last file activity (version 8.2 and later); Last activity profile check (versions 6.7.1 to 7.x); Last notification date (version 6.5.2 and earlier) | Most recent date and time any activity being monitored in this profile was detected, even if it did not exceed the threshold required to send a notification. If the user has never performed the activity being monitored in this profile (for example, never moved a single file to removable media), the field displays Never. |
l | Last security notification (version 6.7.1 and later) | Most recent date and time security events were detected that exceeded the limits set in the activity profile. An email notification was also sent to the "Recipient" listed above at this time. If the user's activity has never exceeded the limits set in the activity profile, the field displays Never. |
Create new activity profile
To create a new activity profile:
- Select Investigation > Activity Notifications (version 8.2 and later) or Security Center > Activity Notifications (versions 7.x and earlier).
- Click Create New Profile.
Item | Name | Description |
---|---|---|
a | Profile name | The name of the activity profile, which appears in the list of profiles on the Activity Notifications screen. You can change the name at any time. |
b | Notification Recipient¹ | The email address of the person to receive notifications when a user exceeds a file activity threshold. Email notifications are limited to a single address. |
c | Scan Frequency¹ | The options range from 2 to 24 hours. The frequency determines how soon the email recipient is notified. For example, selecting Within 2 hours of detection generates an email if a user exceeds a file activity threshold within the previous two-hour period. |
d | Removable Media | Select Removable Media to monitor file-transfer activity to USB drives, external hard drives, memory cards, etc. |
e | Cloud Services | Select the cloud services you want to monitor for file-transfer activity. Activity profiles monitor the installed desktop apps for Box, Box Drive (Mac only, version 6.8.4 and later), Dropbox, Google Drive (version 6.5.x and earlier), Google Backup and Sync (version 6.7.1 and later), Apple iCloud, and Microsoft OneDrive. Activity profiles do not monitor file uploads and downloads. Code42 app version 6.5.2 and earlier: If a new cloud service is installed on a device, you must restart the Code42 service on each user device (or restart the entire device) to enable monitoring of that service. |
f | Total file size | Defines the total size of files in megabytes (MB) a user must move to trigger a notification. |
g | Ignore file size¹ | Select to ignore file size and only monitor file count in this profile. You cannot exclude both file size and file count. |
h | Total file count | Defines the total number of files a user must move to generate a notification. |
i | Ignore file count¹ | Select to ignore file count and only monitor file size in this profile. You cannot exclude both file size and file count. |
j | Cancel | Cancels creation of the new activity profile. |
k | Save | Creates the activity profile. |

¹ Code42 server version 6.5 made small updates to these text labels. The functionality did not change.
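
A small model of how the scan window, size and count thresholds, and ignore options described above interact, added here as an illustration; it is not Code42 code. Assumptions: the event dictionaries and destination labels are constructed, 1 MB is 1,048,576 bytes, a threshold is met at or above its value, and either enabled threshold alone triggers a notification (the page does not state how the two combine).

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

MB = 1024 * 1024  # assumption: 1 MB = 1,048,576 bytes


@dataclass(frozen=True)
class ActivityProfile:
    """Hypothetical model of the profile fields described above."""
    scan_hours: int                 # Scan Frequency: 2 to 24 hours
    destinations: frozenset         # monitored removable media / cloud apps
    total_size_mb: Optional[float]  # None models "Ignore file size"
    total_count: Optional[int]      # None models "Ignore file count"

    def __post_init__(self):
        if not 2 <= self.scan_hours <= 24:
            raise ValueError("scan frequency must be 2 to 24 hours")
        if self.total_size_mb is None and self.total_count is None:
            raise ValueError("cannot ignore both file size and file count")


def evaluate(profile, events, now):
    """Return (notify, file_count, total_bytes) for the current scan window."""
    start = now - timedelta(hours=profile.scan_hours)
    hits = [e for e in events
            if start < e["time"] <= now and e["dest"] in profile.destinations]
    count, size = len(hits), sum(e["bytes"] for e in hits)
    size_hit = (profile.total_size_mb is not None
                and size >= profile.total_size_mb * MB)
    count_hit = profile.total_count is not None and count >= profile.total_count
    # Assumption: either enabled threshold is enough to notify.
    return size_hit or count_hit, count, size


# Constructed sample events (not real Code42 export rows).
NOW = datetime(2021, 3, 1, 12, 0)
EVENTS = [
    {"time": datetime(2021, 3, 1, 11, 30), "dest": "removable_media", "bytes": 40 * MB},
    {"time": datetime(2021, 3, 1, 10, 30), "dest": "removable_media", "bytes": 70 * MB},
    {"time": datetime(2021, 3, 1, 9, 0), "dest": "removable_media", "bytes": 500 * MB},
    {"time": datetime(2021, 3, 1, 11, 50), "dest": "dropbox", "bytes": 5 * MB},
    # Browser uploads are not evaluated by activity profiles, so this never counts.
    {"time": datetime(2021, 3, 1, 11, 45), "dest": "browser_upload", "bytes": 900 * MB},
]

usb_2h = ActivityProfile(2, frozenset({"removable_media"}), 100, None)
all_24h = ActivityProfile(24, frozenset({"removable_media", "dropbox"}), None, 4)
```

With these events, `usb_2h` notifies on size alone because the 09:00 transfer falls outside its two-hour window, while `all_24h` notifies on count. The 900 MB browser upload is invisible to both profiles and has to be reviewed through User Activity instead.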
Add user
To view the Add User screen:
- Select Investigation > Activity Notifications (version 8.2 and later) or Security Center > Activity Notifications (versions 7.x and earlier).
- Select a profile from the list.
- Select Add User.
Item | Name | Description |
---|---|---|
a | Enter username | Enter usernames to search your Code42 environment. |
b | User suggestions | When you start typing in the search box, suggestions appear. Click a username to add to the profile. |
c | Included users | Lists all users to be added to the profile. |
d | Remove user | Removes the user from the list of users to be included in the profile. |
e | Cancel | Exits the Add User screen without adding any new users. |
f | Add Users | Adds all selected users to the profile. |