User Activity and Activity Notifications reference

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

Code42 for Enterprise

CrashPlan for Small Business

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to on-premises authority servers.

Other available versions:

Cloud

Overview

The Code42 Security Center allows you to search for users' security events detected by endpoint monitoring (also called file exfiltration detection). The report can help you identify and visualize potential data leaks. You can also export the results to a CSV file for analysis or archiving.

For details on the security events that can be detected, and instructions on how to configure endpoint monitoring, see Endpoint Monitoring.

Security Center requirements

In order to use the Security Center:

Endpoint monitoring must be enabled in your Code42 environment.
Enabling endpoint monitoring requires a Security Tools license.

Permissions for Security Center access
The SYSADMIN role includes Security Center access automatically. To grant Security Center access to a user with a different role, assign the Security Center User role to the user. The default local administrator with the SYSADMIN role can only view user activity in the Security Center for data stored in on-premises storage servers, but cannot view user activity for data stored in the Code42 cloud. To view Code42 cloud data, sign in as a different user with the necessary permissions.

User activity

Search for user activity

To access the Security Center and begin a user search:

Sign in to the Code42 console.
Select Security Center > User Activity.

Security Center user search

Item		Description
a	Username	Enter the username of the user to search.
b	Dates	Specifies the start and end dates of the search query. Select Most Current to select the current date. The start and end dates must be no more than 62 days apart.
c	Search	Submits the search and returns the activity results.

User activity results

View summaries and charts for the following endpoint monitoring event types:

Pattern Matching
Cloud Folders
Removable Media
Files Restored
Application Activity

Security Center activity results

Item		Description
a	User Details	Lists details about the user, including the user's organization, number of devices, and if the user is included in an activity profile.
b	Activity Profile	If the user is included in an activity profile, the profile name displays here. Click the name for menu options to view details of the profile or remove the user from the profile. If the user is not included in an activity profile, a link to Add to a Profile appears.
c	Action menu	Displays the option to Export CSV, which downloads a CSV file containing line item details for the activities summarized in the search results.
d	Dates	Specifies the start and end dates of the search query. Select different dates to update the results. The start and end dates must be no more than 62 days apart.
e	Activity summary	Indicates the number of files and total size of files for each event type. Each event type also includes a chart below with more details. Code42 server version 6.5 features updated column labels. Version 6.0.x labels appear as: Pattern Matching, Cloud Service, Removable Media, File Upload (Windows Only), File Restore
f	Pattern Matching	Number of patterns and matches defined by the YARA rule file on the user's device.
g	Action menu	Displays the option to export a CSV file with line-item details of the activity summarized in the chart.
h	Cloud Folders (Code42 server version 6.5 and later) Cloud Service (Code42 server version 6.0.x)	Number and size of files transferred to cloud services, including Box, Box Drive (Mac only, version 6.8.4 and later), Dropbox, Google Drive, Google Backup and Sync, iCloud, and OneDrive. Blue indicates added files Green indicates modified files Google replaced Google Drive with Backup and Sync, but results for previous Google Drive activity still appear.
i	Removable Media	Number and size of files transferred to removable media, such as USB drives, external hard drives, memory cards, etc. Blue indicates added files Green indicates modified files
j	Files Restored¹	Number and size of files restored from the Code42 app.
k	Application Activity (Code42 server version 7.0 and later) Browser Activity (Code42 server version 6.5 - 6.8) File Upload (Code42 server version 6.0.x)¹ Windows devices only	Number and size of files uploaded or downloaded via web browsers and other applications (for example, when a user attaches a file to a web-based email or sends a file via FTP). This may also include other instances of a browser accessing a file, such as opening a local file to view it in a web browser without actually uploading it. Devices using Code42 app versions older than 7.0.0 only monitored activity in web browsers, and only on Windows devices. Version 7.0.0 expands upload and download detection to include Macs as well as other applications, such as Slack, FileZilla, FTP, and cURL. Devices using Code42 app version 6.7.1 and later report upload and download activity separately. Older versions of the Code42 app do not differentiate between upload and download activity, so all browser activity is reported as "Open (undefined)."

¹ For Code42 server versions 6.0.x, the location of charts labeled j and k is reversed.

Export CSV

When exporting results to a CSV file, you can select which data to include. The exported file contains extensive activity details, including timestamps and numerous user and device details.

Export CSV

Item	Description
Device Appeared	Includes detection of storage devices that are connected to the user's device.
Device Disappeared	Includes detection of storage devices that are disconnected from the user's device.
Device File Activity	Includes detection of file creation, modification, or deletion on connected devices.
Device Scan Result	Includes scanning of files on connected devices for the following types of events: Files moved to removable media devices Files created on removable media devices Files modified on removable media devices
Personal Cloud File Activity	Includes detection of file activity in a personal cloud.
Personal Cloud Scan Result	Includes scanning of personal cloud drives.
Restore Job	Includes detection of restore activity.
Restore File	Includes detection of restored files.
Application Activity (version 7.0 and later) Browser Activity (version 6.5 - 6.8) File Upload (versions 6.0.x)	Includes detection of files uploaded or downloaded via web browsers and other applications. This may also include other instances of a browser accessing a file, such as opening a local file to view it in a web browser without actually uploading it. *Devices using Code42 app versions older than 7.0.0 only monitored activity in web browsers, and only on Windows devices.*
Rule Match	Includes detection of files that trigger a pattern match using defined YARA rules.
Cancel	Cancels the export.
Export	Downloads the CSV file of the exported data.

CSV export field descriptions

All event timestamps are based on the time and date provided by the user's device, which are then converted to Unix epoch time or Coordinated Universal Time (UTC).
No single event contains values for every column. The CSV export includes columns for all possible event types, so individual events report null for items that don't apply.

Preserve data types and number formats
In some spreadsheet applications, including Microsoft Excel, opening the CSV file may default to displaying long numbers in scientific notation format (for example, 6.60805E+17). See Import CSV reports to Microsoft Excel for steps to correct this formatting.

Field	Description
eventType	Indicates the type of detection event. DEVICE_APPEARED: Removable media connected to the user's device. DEVICE_DISAPPEARED: Removable media disconnected from the user's device. DEVICE_SCAN_RESULT: If removable media scanning is enabled, an event is created for each file on the removable media each time it is connected. (Removable media scanning is off by default.) These events provide a snapshot of the files on the drive at the time it was connected. PERSONAL_CLOUD_SCAN_RESULT: If cloud folder scanning is enabled, an event is created for each file in the cloud folder stored locally on the user's device. (Cloud folder scanning is off by default.) These events provide a snapshot of the files in the cloud folder at the time of the scan. DEVICE_FILE_ACTIVITY: Describes the type of file activity on removable media. Possible values are Create, Modify, and Delete. PERSONAL_CLOUD_FILE_ACTIVITY: Describes the type of file activity in folders stored locally on the user's device used for syncing with cloud services. Possible values are Create, Modify, and Delete. RESTORE_JOB: Indicates the beginning or end of a restore event. For example, if a user restores three files, there will be five rows in the CSV: the starting RESTORE_JOB event, three RESTORE_FILE events, and the ending RESTORE_JOB event. RESTORE_FILE: Indicates the file was restored from the backup archive. FILE_OPENED: Indicates a file was opened in an app commonly used for uploading and downloading files, such as a web browser, Slack, FTP client, or curl. RULE_MATCH: Indicates a file matches one of the patterns in your pre-defined YARA rules.
timestamp	Unix epoch timestamp when the event was processed. In most cases, this is the time the event was sent to the Code42 cloud, but if a network connection is unavailable or something else prevents the device from sending the event, this time represents the first attempt to send the event. This time may differ slightly from the detectionTimestamp (see below), which indicates when the user's device initially observed the event.
formattedTimestamp	Coordinated Universal Time (UTC) timestamp of when the event was processed. In most cases, this is the time the event was sent to the Code42 cloud, but if a network connection is unavailable or something else prevents the device from sending the event, this time represents the first attempt to send the event. This time may differ slightly from the formattedDetectionTimestamp (see below), which indicates when the user's device initially observed the event.
deviceGuid	Code42's Globally Unique Identifier (GUID) of the device which recorded the event.
userUid	Code42's unique identifier of the user who owns the device which recorded the event.
deviceAddress	Internal IP address and port of the device which recorded the event at the time the event was recorded.
deviceRemoteAddress	External IP address and port of the device which recorded the event at the time the event was recorded.
version	The Code42 internal version number of the data structure used for this CSV file. In most cases, this is of limited use, but newer versions may include additional columns.
totalNum	The total number of files recorded in this event.
totalBytes	The total size of all files recorded in this event in bytes.
addedNum	The number of added files recorded in this event.
addedBytes	The total size of all added files in bytes.
modifiedNum	The number of modified files recorded in this event.
modifiedBytes	The total size of all modified files in bytes.
deletedNum	The number of deleted files recorded in this event.
deletedBytes	The total size of all deleted files in bytes.
downloadedNum	The number of downloaded files recorded in this event.
downloadedBytes	The total size of all downloaded files in bytes.
uploadedNum	The number of uploaded files recorded in this event.
uploadedBytes	The total size of all uploaded files in bytes.
openedNum	The combined number of files uploaded and downloaded in this event. Only included for FILE_OPENED events captured on devices using Code42 app version 6.7.0 and earlier. Devices using Code42 app version 6.7.1 and later report upload and download activity separately in the `uploadedNum` and `downloadedNum` fields.
openedBytes	The file size in bytes for files uploaded and downloaded in this event. Only included for FILE_OPENED events captured on devices using Code42 app version 6.7.0 and earlier. Devices using Code42 app version 6.7.1 and later report upload and download activity separately in the `uploadedBytes` and `downloadedBytes` fields.
busType	The type of connection that attaches this device to the computer. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT.
vendorName	The name of the vendor of this device. This value is not provided for all devices, so may be `null` in some cases. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT events.
deviceName	The name of the device. This value is not provided by all devices, so may be `null` in some cases. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT events.
serialNumber	The serial number of the connected hardware, as reported by the device's operating system. This value is not provided by all devices, so it may be `null` in some cases. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT.
capacity	The total capacity of the device in bytes. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT events.
productName	The name of the cloud service associated with the event (for example, Box, Google Drive, etc.). Included for PERSONAL_CLOUD_FILE_ACTIVITY and PERSONAL_CLOUD_SCAN_RESULT events.
dataLocation	The local file path on the user's device of the cloud sync folder (for example, C:\Users\Clyde\Documents\Dropbox). Included for PERSONAL_CLOUD_FILE_ACTIVITY and PERSONAL_CLOUD_SCAN_RESULT events.
processName	The name of the process that triggered this event. Included for FILE_OPENED events.
processOwner	The username of the process owner. Included for FILE_OPENED events.
ruleName	The name of the rule that triggered the event. Included for RULE_MATCH events.
restoreId	Code42's unique identifier of the restore job. Included for RESTORE_JOB and RESTORE_FILE events. Use this ID to identify groups of files restored at the same time.
restoreType	Type of the restore. Included for RESTORE_JOB events. Possible values: PUSH: Restore was initiated from the administration console and files were restored via the Code42 app on the target device. CLIENT: Restore was initiated from the Code42 app on the device and files were restored to that device. WEB: Restore was initiated from the administration console and files were restored via .zip file download.
status	Status of the restore. Included for RESTORE_JOB events. Possible values: CANCELED: Used to identify a RESTORE_JOB that stopped before completion. COMPLETED: Used to identify the RESTORE_JOB record at the end of the restore session. STARTED: Used to identify the RESTORE_JOB record at the beginning of the restore session.
requestingUserId	Code42's unique identifier of the user who initiated the file restore. Included for RESTORE_JOB events.
sourceGuid	Code42's Globally Unique Identifier (GUID) of the device that originally backed up the files being restored. Included for RESTORE_JOB events.
targetGuid	Code42's Globally Unique Identifier (GUID) of the device to which files are being restored. Included for RESTORE_JOB events.
nodeGuid	Code42's Globally Unique Identifier (GUID) of the storage destination containing the files being restored. Included for RESTORE_JOB events.
completedDate	Unix epoch timestamp of when the restore job completed successfully. Included for RESTORE_JOB events.
formattedCompletedDate	Coordinated Universal Time (UTC) timestamp of when the restore job completed successfully. Included for RESTORE_JOB events.
startDate	Unix epoch timestamp of when the restore job started. Included for RESTORE_JOB events.
formattedStartDate	Coordinated Universal Time (UTC) timestamp of when the restore job started. Included for RESTORE_JOB events.
totalBytes	The total number of bytes restored. Included for RESTORE_JOB events.
totalFiles	The total number of files restored. Included for RESTORE_JOB events.
problemCount	The number of problems found when restoring. Included for RESTORE_JOB events.
failedChecksumCount	The number of failed checksums found when restoring. Included for RESTORE_JOB events.
fileName	The name of the file.
fullPath	The full path of the file, including the filename. The path separators are determined by the operating system on the device that generated the event. For example, "/" on Mac and "\" on Windows.
fileEventType	The type of event that occurred to this file. Possible values: CREATE: Indicates the file was created. Applies to DEVICE_FILE_ACTIVITY and PERSONAL_CLOUD_FILE_ACTIVITY events. DELETE: Indicates the file was deleted. Applies to DEVICE_FILE_ACTIVITY and PERSONAL_CLOUD_FILE_ACTIVITY events. MODIFY: Indicates the file was modified. Applies to DEVICE_FILE_ACTIVITY and PERSONAL_CLOUD_FILE_ACTIVITY events. SCAN: Indicates the file was identified during a removable media scan or cloud folder scan. Applies to DEVICE_SCAN_RESULT and PERSONAL_CLOUD_SCAN_RESULT events. OPEN: Indicates a file was opened by a web browser. Applies to FILE_OPENED events captured on devices using Code42 app version 6.7.0 and earlier. Devices using Code42 app version 6.7.1 and later report upload and download activity separately as either fileEventType DOWNLOAD and UPLOAD. DOWNLOAD: Indicates the file was downloaded by an app commonly used for transferring files, such as a web browser, Slack, FTP client, or curl. Applies to FILE_OPENED events. UPLOAD: Indicates the file was uploaded by an app commonly used for transferring files, such as a web browser, Slack, FTP client, or curl. Applies to FILE_OPENED events. RESTORE: Indicates the file was restored. Applies to RESTORE_FILE events. RULE_MATCH: Indicates the file matches a pre-defined YARA rule. Applies to RULE_MATCH events.
fileType	Indicates the type of file observed in this event. The most common values are: FILE: Indicates the event applies to a file DIR: Indicates the event applies to a directory SYSMLINK: Indicates the event applies to symlink (also called a symoblic link or soft link) Under very rare circumstances, it may also be possible to see the following values: UNKNOWN, WIN_NDS (named data stream), MAC_RSRC (Mac resource fork), FIFO (a named pipe), BLOCK_DEVICE, CHAR_DEVICE,SOCKET, BUNDLE
length	Size in bytes of the file.
lastModified	Unix epoch timestamp of when the file was last modified. This timestamp is updated when either file metadata or file contents change. In Linux filesystems, this is also know as the `cTime`.
formattedLastModified	Coordinated Universal Time (UTC) timestamp of when the file was last modified. This timestamp is updated when either file metadata or file contents change. In Linux filesystems, this is also know as the `cTime`.
md5	The MD5 hash of the file.
sha256	The SHA256 hash of the file.
mimeType	The file's MIME type, based on both file extension and file content.
detectionTimestamp	Unix epoch timestamp of when the file activity was detected. This timestamp most closely aligns with the time the file event actually occurred on the device.
formattedDetectionTimestamp	Coordinated Universal Time (UTC) timestamp of when the file activity occurred. This timestamp most closely aligns with the time the file event actually occurred on the device.
contentChangeTimestamp	Unix epoch timestamp when content of the file was last changed. In Linux filesystems, this is also know as the `mTime`. This may be different from the `lastModified` timestamp, which is also updated when only file metadata changes.
formattedContentChangeTimestamp	Coordinated Universal Time (UTC) timestamp of when content of the file was last changed. In Linux filesystems, this is also know as the `mTime`. This may be different from the `lastModified` timestamp, which is also updated when only file metadata changes.
createTimestamp	Unix epoch timestamp of when the file was created.
formattedCreateTimestamp	Coordinated Universal Time (UTC) timestamp of when the file was created.
fileOwnerUsername	The name of the user who owns the file, as reported by the device's operating system.
restoreSuccessful	Indicates if a file was restored successfully. Only applies to RESTORE_FILE events. TRUE = File restore was successful FALSE = File restore was unsuccessful

Activity notifications

With activity notifications, administrators can monitor file activity for specific high-risk users and receive an email notification when suspicious activity occurs. See Configuring Security Center Activity Profiles for additional information.

Activity profile list

To view the list of activity profiles, select Security Center > Activity Notifications.

Activity Notifications profile list

Item		Description
a	Create New Profile	Displays options to create a new activity profile.
b	Report Name	List of activity profile names.
c	Date Modified	Indicates last date the profile was modified.
d	Total Number of Users	Indicates number of users in the profile.
e	Activity profile list	List of activity profiles. Select a row to view activity profile details. Select the checkbox next to the profile for the option to delete the profile.

Activity profile details

To view details for an activity profile, go to Security Center > Activity Notifications and click the row of the profile you want to view.

Activity profile details

Item		Description
a	Activity profile name	Indicates the profile name.
b	Profile details (version 6.5 and later) Profile Details and Profile Thresholds (version 6.0.x)	Details about the activity profile: Last modified: Date the profile was last modified. Modified by: Username of the person to last modify the profile. Number of users: Total number of users being monitored by the profile. Created on: Date the profile was initially created. Created by: Username of the person who created the profile. Recipient: Email address of the person who receives notifications when a user in the profile exceeds an activity threshold. Scan frequency: Determines how soon the email recipient is notified. (Version 6.5 and later) Total file size: The total size of files in megabytes (MB) a user must move to generate a notification. Number of files: The total number of files a user must move to generate a notification. File locations: Lists which file activities (removable media and cloud services file transfers) are being monitored by the profile.
c	Action menu	Provides options to Edit This Profile and Delete This Profile.
d	Add User	Displays the Add User screen.
e	Select users	Click to select users for removal from the profile.
f	Username	Name of the user.
g	Organization	The user's organization.
h	Added by	Username of the person who added this user to the activity profile.
i	Added on	Date the user was added to the activity profile.
j	Status (version 6.5 and later)	Active: The user's endpoint is being monitored. Conflict: The user's endpoint is not being monitored, most likely because of conflicting configuration of the organization and activity profile.
k	Last activity profile check (version 6.7.1 and later) Last notification date (version 6.5.2 and earlier)	Most recent date and time any activity being monitored in this profile was detected, even if it did not exceed the threshold required to send a notification. If the user has never performed the activity being monitored in this profile (for example, never moved a single file to removable media), the field displays Never.
l	Last security notification (version 6.7.1 and later)	Most recent date and time security events were detected that exceeded the limits set in the activity profile. An email notification was also sent to the "Recipient" listed above at this time. If the user's activity has never exceeded the limits set in the activity profile, the field displays Never.

Create new activity profile

To create a new activity profile, go to Security Center > Activity Notifications and click Create New Profile.

Create new activity profile

Item		Description
a	Profile name	The name of the activity profile, which appears in the list of profiles on the Activity Notifications screen. You can change the name at any time.
b	Notification Recipient¹	The email address of the person to receive notifications when a user exceeds a file activity threshold. Email notifications are limited to a single address.
c	Scan Frequency¹	The options range from 2 to 24 hours. The frequency determines how soon the email recipient is notified. For example, selecting Within 2 hours of detection generates an email if a user exceeds a file activity threshold within the previous two-hour period.
d	Removable Media	Select Removable Media to monitor file-transfer activity to USB drives, external hard drives, memory cards, etc.
e	Cloud Services	Select the cloud services you want to monitor for file-transfer activity. Activity profiles monitor the installed desktop apps for Box, Box Drive (Mac only, version 6.8.4 and later), Dropbox, Google Drive (version 6.5.x and earlier), Google Backup and Sync (version 6.7.1 and later), Apple iCloud, and Microsoft OneDrive. Activity profiles do not monitor file uploads and downloads. Code42 app version 6.5.2 and earlier: If a new cloud service is installed on a device, you must restart the Code42 service on each user device (or restart the entire device) to enable monitoring of that service.
f	Total file size	Defines the total size of files in megabytes (MB) a user must move to trigger a notification.
g	Ignore file size¹	Select to ignore file size and only monitor file count in this profile. You cannot exclude both file size and file count.
h	Total file count	Defines the total number of files a user must move to generate a notification.
i	Ignore file count¹	Select to ignore file count and only monitor file size in this profile. You cannot exclude both file size and file count.
j	Cancel	Cancels creation of the new activity profile.
k	Save	Creates the activity profile.

¹ Code42 server version 6.5 made small updates to these text labels. The functionality did not change.

Add user

To view the Add User screen:

Select Security Center > Activity Notifications.
Select a profile from the list.
Select Add User.

Add user

Item		Description
a	Enter username	Enter usernames to search your Code42 environment.
b	User suggestions	When you start typing in the search box, suggestions appear. Click a username to add to the profile.
c	Included users	Lists all users to be added to the profile.
d	Remove user	Removes the user from the list of users to be included in the profile.
e	Cancel	Exits the Add User screen without adding any new users.
f	Add Users	Adds all selected users to the profile.

Video

Watch the video below for an overview of file exfiltration detection. For more videos, visit the Code42 University.

Overview

Security Center requirements

User activity

Search for user activity

User activity results

Export CSV

CSV export field descriptions

Activity notifications

Activity profile list

Activity profile details

Create new activity profile

Add user

Video

Related topics