Enable endpoint monitoring for file exfiltration detection

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

CrashPlan for Small Business

Incydr, no.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to on-premises authority servers.

Other available versions:

Cloud

Overview

Endpoint monitoring uses the Code42 app to capture file activity on user devices in real time, helping you track user behavior to identify potential data leaks or security problems.

Code42's file exfiltration detection captures file activity anywhere on a user's device, not just within the user's backup file selection, related to removable media, cloud services, uploads and downloads via web browsers and other applications, and file restores. It also searches contents of files selected for backup for specified text patterns.

Videos

Watch the video below to learn how to enable file exfiltration detection.

Watch the video below for an overview of file exfiltration detection.

For more videos, visit the Code42 University.

Endpoint monitoring types

Enabling endpoint monitoring in your Code42 environment allows you to detect the following categories of potential file exfiltration activity:

Removable media: Monitors file activity on removable media, such as USB drives or SD cards.
Cloud service: Monitors file activity in folders on the device used for syncing with cloud services, including:
- Box
- Box Drive (Mac only, version 6.8.4 and later)
- Dropbox
- Google Backup and Sync (version 6.7.1 and later)
- Google Drive (version 6.5.2 and earlier; see permissions requirements)
- Apple iCloud
- Microsoft OneDrive
  - Version 7.0 and later: Code42 watches a personal OneDrive account and up to two OneDrive for Business accounts on each device.
  - Version 6.x: OneDrive for Business is not supported.
Application activity: Identifies files opened in apps commonly used for uploading and downloading files, such as a web browser, Slack, FTP client, or curl.
- Devices using Code42 app versions older than 7.0.0 only monitor activity in web browsers, and only on Windows devices. Version 7.0.0 expands upload and download detection to include Macs as well as other applications, such as Slack, FileZilla, FTP, and cURL.
- Code42 server version 8.2 and later label this Browser and other Application Activity. Versions 6.5 - 6.8 label this Browser activity. Version 6.0.x labels it File upload.
File restore: Monitors files restored through the Code42 app and the Code42 console, both by users and administrators (versions 7.0.5 and earlier).
Pattern matching: Checks for the existence of known malicious files or patterns of sensitive data based on YARA rules for text (non-binary) files included in the user's backup file selection (versions 7.0.5 and earlier).

Considerations

Code42 recommends only enabling endpoint monitoring in a small, test organization at first. If your Code42 environment contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy.
In version 7.x and earlier, Linux devices are not supported. In version 8.2 and later, removable media detection is supported on Linux devices, but all other endpoint monitoring types listed above are Windows and Mac only.
If Compliance Settings are activated for an organization, you cannot enable endpoint monitoring for that organization or any of its child organizations that inherit settings. Parent and sibling organizations are not affected.

Google Drive permissions requirements
Windows devices may require administrator action to monitor activity in the Google Drive folder:

Code42 app version 6.5.1 and later: If the Code42 app is installed by a member of the administrator's group, no action is required. If the Code42 app is not installed by a member of administrator's group, you must grant read access to SYSTEM for the Google Drive folder on each device.
Code42 app version 6.5.0 and earlier: You must grant read access to SYSTEM for the Google Drive folder on each device because, by default, Google Drive grants read access to the logged-in user only, and the Code42 service runs as a system process.

See the Microsoft support site for how to add read access to a folder.

Before you begin

Ensure your Code42 environment meets the following requirements:
- You must have a product plan that includes file exfiltration detection.
- The Code42 app must be installed for all users. Per-user installations are not supported.
- User devices must be running a currently supported version of the Code42 app.
- Users' archives must use the Standard archive encryption key policy. Endpoint monitoring data cannot be collected for users with Archive key password or Custom key archive encryption.
Create a test organization, and then add a small number of test users to use in the steps below for initial endpoint monitoring testing. Alternatively, use the Change Organization command to move a small number of existing users into the test organization.

Enable endpoint monitoring for file exfiltration detection

Step 1: Lock archive encryption key settings

Endpoint monitoring requires standard encryption. Before implementing endpoint monitoring in any organization in your Code42 environment, you must lock the encryption setting to prevent users or administrators from changing it later.

Option A: Lock encryption settings for all organizations

Sign in to the Code42 console.
Go to Administration > Settings > Device Backup.
Select the Security tab.
In the Archive Encryption Key section:
1. Verify that Standard is selected.
2. Click the Lock icon to prevent users from changing this setting.
  A confirmation prompt is displayed.
3. Select inheritance options as desired for your Code42 environment.
4. Select I understand.
5. Click Ok.
Click Save.

Option B: Lock encryption settings for a specific organization

Sign in to the Code42 console.
Select Administration > Organizations > Active. (In versions 6.0.x, select Organizations.)
Select an organization.
From the action menu, click Device Backup Defaults.
In the General section, deselect Use device defaults from parent.
Select the Security tab.
In the Archive Encryption Key section:
1. Deselect Use default archive encryption key setting.
2. Verify that Standard is selected.
3. Click the Lock icon to prevent users from changing this setting.
4. Review the confirmation message and click OK.
Click Save.

Step 2: Enable endpoint monitoring for organizations

Start with a test organization
Code42 recommends enabling endpoint monitoring in a test organization first to ensure settings are properly configured to capture the user activity you want to monitor. Once you see the desired results with a small number of users, then start enableing endpoint monitoring one organization at a time.

Option A: Enable endpoint monitoring for a specific organization

To enable endpoint monitoring on devices in a specific organization:

Sign in to the Code42 console.
Select Administration > Organizations > Active. (In versions 6.0.x, select Organizations.)
Select an organization.
From the action menu, select Edit.
Select the Endpoint Monitoring tab.
Deselect Inherit settings from parent, if necessary.

Select one or more detection types to enable them.
Click Save to immediately apply your changes to all devices in this organization and all of its inheriting child organizations.

Option B: Enable endpoint monitoring for all organizations

In most cases, it is better to enable endpoint monitoring one organization at a time (option A above). We only recommend enabling endpoint monitoring for all organizations at once if you have already tested endpoint monitoring with a small number of users first, and you have less than 5,000 users in your Code42 environment. If your Code42 environment contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy.

To enable endpoint monitoring on all devices in your Code42 environment:

Sign in to the Code42 console.
Go to Administration > Settings > Endpoint Monitoring.
Select one or more detection types to enable them.
Click Save to immediately apply your changes to all devices in your Code42 environment.

Optional configuration steps

Advanced settings
Steps 3 - 6 below are optional configuration settings, and are not required to start capturing file activity. If you want to configure any of these items to override the Code42 defaults, click the + icon next to each step for detailed instructions.

Step 3: Configure pattern matching

Versions 7.0.5 and earlier

In order to use the pattern matching method of endpoint monitoring, you must manually deploy a file to each device you want to monitor for patterns. This file identifies dangerous, malicious, or sensitive files included in the user's backup file selection with a rule-based framework called YARA.

Perform these steps on each device:

Create a folder named yr on the device in the Code42 app's cache directory.
Default cache directories on each operating system:
- Windows: C:\ProgramData\CrashPlan\cache
  To view this hidden folder, open a file browser and paste the path in the address bar. If you installed per user, see the file and folder hierarchy for file locations.
- Mac: /Library/Caches/CrashPlan
  If you installed per user, see the file and folder hierarchy.
- Linux: /usr/local/crashplan/cache
Create a YARA rule file using the instructions from the YARA project.
See below for an example YARA rule file.
Save the YARA rule with the name rules.yar to the yr folder.
Restart the Code42 service on the device.

Pattern matching considerations

You must manually deploy the YARA rule file to each device you want to monitor for patterns.
Unlike the other types of endpoint monitoring, pattern matching only monitors files included in the user's backup file selection.
The frequency of pattern matching scans is set by the Backup new version frequency setting. By default, this is every 15 minutes.
Pattern matching only monitors files that are created or modified after a YARA rule is added. Files existing before a YARA rule is added are not scanned for that rule until the file changes.
Pattern matching can scan for MD5 hash and filename matches on any file, but does not extract file contents of binary or compressed files. Practically speaking, this means pattern matching only searches the contents of plain text files, unless you create a rule targeting a specific binary string.
After adding a new YARA rule, you must restart the Code42 service on each device.

Sample YARA rule file

The example rule file below includes two rules. Each rule contains instructions for identifying a pattern of data on users' devices, including:

An MD5 hash for a specific file
Text strings formatted as Social Security numbers

import "hash"

rule md5Match
{
meta:
meta_tag = "MD5 example"

condition:
hash.md5(0, filesize) == "5b110441c6eead0d1943211d6a3e704c"
}

rule ssnMatch
{
meta:
meta_tag = "SSN example"

strings:
$re1 = /(\d{3})-(\d{2})-(\d{4})/

condition:
$re1
}

Step 4: Enable automatic file scanning of detected removable media

By default, endpoint monitoring does not automatically perform a file scan when a removable drive is detected. This prevents the collection of data on removable media that you may not want to monitor. However, you can enable this automatic file scanning if desired.

Call the Code42 API with the following curl command:
Copied!
```
curl -i -X PUT -H 'Content-Type: application/json' -d '{"packets": [{"key": "org-securityTools-device-detection-scan-enable","value": "true","locked": true}]}' -u '<username>:<password>' https://<server_address>:<port>/api/OrgSettings/<orgId>
```
Setting "locked" to true locks this setting so that it cannot be overridden at the user level.

Replace the following entries with the values of your authority server:
- Replace <username> and <password> with the administrator username and password.
- Replace <server_address>:<port> with the host and port of your authority server.
- Replace <orgId> with the organization ID. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
To verify that scanning is enabled, use the following curl command to get all the settings for the organization:
Copied!
```
curl -i -X GET -u '<username>' https://<server_address>:<port>/api/OrgSettings/<OrgID>
```
When prompted, enter your password.
Search the output for the "org-securityTools-device-detection-scan-enable" key to verify that its value is set to "true".

Step 5: Exclude paths from monitoring

You can exclude paths of personal cloud services and removable media if you do not want to monitor them. This can reduce both the amount of unwanted monitoring data and the processing load on user devices.

Updates overwrite existing values
The Code42 API not does not automatically add to existing values, so before adding new exclusions, you must first obtain the list of any existing exclusions and then re-submit that list with your new additions.

View existing exclusions

Use the GET method to view existing exclusions. The OrgSettings resource also contains keys for numerous other Code42 settings. Therefore, to view only the monitoring exclusions, you must include the org_securityTools_detection_monitoring_exclusions key as a query parameter.

The example below assumes basic familiarity with curl commands. Use this as a template to create a command specific to your Code42 environment:

curl -X GET \
  '<server_address>:<port>/api/OrgSettings/<OrgID>?keys=org_securityTools_detection_monitoring_exclusions' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -u 'username'

Replace <server_address>:port> with the address of your Code42 environment. For example, https://authority-server.example.com:4285. Do not include the brackets in your request.
Replace <OrgID> with the numeric ID of the organization you want to update (do not include the brackets in your request). To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
Replace username with your Code42 username.
Execute the curl command in your command-line tool of choice. When prompted, enter your password.
The Code42 API returns the existing exclusions. If no exclusions exist yet, the data object in the response is empty.

Update or add exclusions

Call the Code42 API with the following curl command:
Copied!
```
curl -i -X PUT -H 'Content-Type: application/json' -d '{"packets":[{"key":"org_securityTools_detection_monitoring_exclusions","value":"{\"windows\":[\"<regEx1>\",\"<regEx2>\"],\"macintosh\":[\"<regEx>\",\"<regEx2>\"]}","locked":true}]}' -u '<username>' https://<server address>:<port>/api/OrgSettings/<orgId>
```
Setting the "locked" value to "true" locks this setting so that it cannot be overridden at the user level. If you do not want to use this setting for certain users, you may move the users to a separate child organization with its own setting.

Replace the following entries with the values of your authority server:
- Replace <regEx1> and <regEx2> with regular expressions for the paths to exclude. You may add as many expressions as you need to exclude multiple paths. Make sure to include any existing values identified above that you want to continue to exclude.
  - Note: File paths must use forward slashes ( / ) for path separators, even for Windows paths. For example: [\"C:/Users/Clyde/Temp(?:.*)*\"]. Using a backslash ( \ ) to escape characters in your regex value is not supported.
- Replace <username> and <password> with the administrator username and password.
- Replace <server_address>:<port> with the host and port of your authority server.
- Replace <orgId> with the organization ID. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.

To verify that exclusions are set, use the following curl command:

curl -i -X GET -u '<username>' https://<server_address>:<port>/api/OrgSettings/<OrgID>?keys=org_securityTools_detection_monitoring_exclusions

When prompted, enter your password.

Verify the output values are set to the desired paths to exclude from monitoring.

Step 6: Enable automatic file scanning of cloud folders

Cloud folder user activity is always monitored
Cloud folder activity, as reported in Security Center and in Activity Notification emails to administrators, is not affected by this scan setting. When Cloud service monitoring is enabled, cloud folder activity (for example, moving new files into the cloud folder) is always monitored and reported.

In addition to watching file activity, endpoint monitoring can also optionally scan all contents of monitored cloud folders. These scan results provide a snapshot of all files in the folder at the time of the scan, and are only visible via the CSV export and the Code42 for Splunk (Legacy) app. Scan results are not reported in Security Center.

Beginning with Code42 server version 6.8.4, cloud folder scanning is off by default. Because some cloud services provide on-demand file streaming, user devices may contain a shortcut file for every file the user has access to throughout the organization. Disabling the scan reduces both the amount of unwanted monitoring data and the processing load on user devices. However, you can manually re-enable the cloud folder scans with the steps below.

Sign in to the Code42 console.
Double-click the Code42 logo in the upper-left to open the command-line interface (CLI).
Enter this command: setting.set ORG org-securityTools-cloud-detection-scan-enable true <orgId>
Replace <orgId> with the organization ID you want to monitor. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.

Review file activity

Details of monitored exfiltration activity are available in both the Code42 console and in the Code42 for Splunk (Legacy) app.

Code42 console

Permissions for User Activity and Activity Notifications access
The SYSADMIN role includes User Activity and Activity Notifications access automatically. To grant access to a user with a different role, assign the Security Center User role to the user. The default local administrator with the SYSADMIN role can only view user activity for data stored in on-premises storage servers, but cannot view user activity for data stored in the Code42 cloud. To view Code42 cloud data, sign in as a different user with the necessary permissions.

Sign in to the Code42 console.
Navigate to User Activity.
- Version 8.2 and later: Select Investigation > User Activity.
- Version 7.x and earlier: Select Security Center > User Activity.
Enter a username.
Enter a date range.
Click Search.
Review the Activity Results.
For more details, select the action menu in the upper-right of any chart and select Export CSV. The exported file contains extensive details about the file activity.

Code42 for Splunk (Legacy) app

Install the Code42 for Splunk (Legacy) app to gain access to dashboards and other detailed information about file exfiltration activity in your Code42 environment.

For more information on Splunk, including their free trial that can be used with the Code42 for Splunk (Legacy) app, see Splunk's documentation.

Overview

Videos

Endpoint monitoring types

Considerations

Before you begin

Enable endpoint monitoring for file exfiltration detection

Step 1: Lock archive encryption key settings

Option A: Lock encryption settings for all organizations

Option B: Lock encryption settings for a specific organization

Step 2: Enable endpoint monitoring for organizations

Option A: Enable endpoint monitoring for a specific organization

Option B: Enable endpoint monitoring for all organizations

Optional configuration steps

Step 3: Configure pattern matching

Pattern matching considerations

Sample YARA rule file

Step 4: Enable automatic file scanning of detected removable media

Step 5: Exclude paths from monitoring

View existing exclusions

Update or add exclusions

Step 6: Enable automatic file scanning of cloud folders

Review file activity

Code42 console

Code42 for Splunk (Legacy) app

Related topics