Who is this article for?

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Risk Exposure reference

Overview

The Risk Exposure dashboard gives you an overview of the different file activity in your Code42 environment. This dashboard lets you know when unusual activity is happening, so you can investigate further in Forensic Search. 

For more information about these dashboards, see Review unusual file activity with the Risk Exposure dashboard.

Considerations

Differences in file event counts
File events for Forensic Search and Alerts appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Insider threat summaries

The insider threat information provided on the Risk Exposure dashboard shows you a summary of potential exposures that you may want to investigate from the Departing Employees and High Risk Employees lists, as well as information about your remote employees. 

High Risk Employees summary

To view, sign in to the administration console and select Detection > Risk Exposure.

High Risk Employees tile on the Risk Exposure dashboard

This tile shows a summary of the information shown in the High Risk Employees list. Clicking either value brings you to the High Risk Employees list with those results shown. 

If you don't have any employees added to the High Risk Employees list, the values are zero.

Click View all to see all the employees that have been added to the list. Click Add to list to add an employee to the High Risk Employees list.

Departing Employees summary

To view, sign in to the administration console and select Detection > Risk Exposure.

Departing Employees tile on the Risk Exposure dashboard

This tile shows a summary of the information shown in the Departing Employees list. Clicking any value brings you to the Departing Employees list with those results shown. 

If you don't have any employees added to the Departing Employees list, the values are zero.

Click View all to see all the employees that have been added to the list. Click Add to list to add an employee to the Departing Employees list.

Top file activity by remote employees

This tile shows the remote employees with the most file activity and potential exfiltration risk. It shows the total number of file events and the total size of the files involved in the events for that employee.

To view, sign in to the administration console and select Detection > Risk Exposure.

Top 5 remote employees

Item Description
a Timeframe: Displays file activity for the last 7 days or 1 day.
b Code42 username: Click to see the employee's User Profile.
c View profile: Click to see the employee's User Profile.
d Investigate in Forensic Search: Opens Forensic Search. Forensic Search is pre-populated with the selected timeframe and exposure type. Learn more about using Forensic Search.
e View top 20: Click to see an expanded list of the 20 employees with the most file activity. If you have fewer than 20 employees, all employees are shown.

Remote employee file activity

To view, sign in to the administration console and select Detection > Risk Exposure.

The remote employee view summarizes file activity of all of your remote employees. You can use it to:

  • Provide an organization-wide view of browser upload activity
  • Detect organization-wide usage of Dropbox, iCloud, Box, OneDrive and Google Drive
  • Offer historical user activity profiles to speed insider threat investigations
All employees are treated as remote employees
At this time, all employees are considered remote employees and are added automatically to the remote employees view. 

To learn more about how to manage your network traffic for employees that are working from home, see Manage Code42 network traffic for remote employees.

This tile shows you what types of files are being moved to what destinations for all remote employees.

File activity of remote employees

Item Description
a Timeframe: Displays file activity for the last 7 days or 1 day.
b File events: Shows the number of file events for the entire timeframe selected. File events can include events where a file was moved to removable media or cloud sync folders, or uploaded to a browser.
c Investigate in Forensic Search: Opens Forensic Search. Forensic Search is pre-populated with the selected timeframe and exposure type. Learn more about using Forensic Search.
d By file category group: Shows the summary of file activity in the past 30 days for the following file categories:

  • Business Documents
    • PDF
    • Spreadsheets
    • Documents
    • Presentations
  • Zip Files
    Common archive file formats including compressed files.
  • Source Code
    Common source code formats.
  • Multimedia
    • Image
    • Video
    • Audio
  • Other
    • Script
    • Virtual Disk Image
    • Executable
    • Uncategorized (files that did not fit any category)

For more information about file categories, see Forensic Search file categories.

e By destination - synced to cloud service: Displays when a file exists in a folder on the device that is used for syncing with one of these cloud services:
  • Apple iCloud
  • Box
  • Box Drive
  • Dropbox
  • Google Backup and Sync
  • Google Drive
  • Microsoft OneDrive
f By destination - Browser or other app: Displays details about files opened in an app that is commonly used for uploading files, such as a web browser, Slack, FTP client, or curl.
g By destination - Removable media: Displays when files have been moved to an external device such as a USB drive or hard drive.

Endpoint file activity

To view, sign in to the administration console and select Detection > Risk Exposure.

Endpoint File Activity tile on the Risk Exposure dashboard

Item Description
a Timeframe: Displays file activity for the last 90 days, 30 days, 7 days, or 1 day.
b File activity graph: Displays file activity for the selected file event type.
c File event preview: Displays a file event preview for a specific day when you hover over the graph. Click a point to see more file event details from that day and to optionally open those files in Forensic Search. Learn more about using Forensic Search.
d On Removable Media: Displays when files have been moved to an external device such as a USB drive or hard drive.
e Synced to Cloud Service: Displays when a file exists in a folder on the device that is used for syncing with one of these cloud services:
  • Apple iCloud
  • Box
  • Box Drive
  • Dropbox
  • Google Backup and Sync
  • Google Drive
  • Microsoft OneDrive
f Read by Browser or Other App: Displays details about files opened in an app that is commonly used for uploading files, such as a web browser, Slack, FTP client, or curl.
g Zip Files: Displays file events for common archive formats, including compressed files.
h Activity preview: Displays a preview of the graph of file activity.
i File Events: Shows the number of file events for the entire timeframe selected. File events can include events where a file was moved to removable media or cloud sync folders, uploaded to a browser, or had cloud share permissions changed.
j Total File Size: Displays total file size for all exposure events in the selected timeframe.
k Users: Click any value in this column to open the Users window to see more details about the file activity and to search by a particular user's activity in Forensic Search.
l Investigate in Forensic Search: Opens Forensic Search. Forensic Search is pre-populated with the selected timeframe and exposure type. Learn more about using Forensic Search.

Cloud file activity

To view, sign in to the administration console and select Detection > Risk Exposure.
Visible only with licensing for one or more cloud service data sources.

Cloud File Activity tile on the Risk Exposure dashboard

Item Description
a Timeframe: Displays file activity for the last 90 days, 30 days, 7 days, or 1 day.
b File activity graph: Displays file activity for the selected permission increase type and cloud service.
c File event preview: Displays a file event preview for a specific day. Click a point to see more file event details and to optionally open those files in Forensic Search. Learn more about using Forensic Search.
d Public on the Web (Google Drive): Displays when files on your Google Drive are indexed by Google search and are available on the web. Only appears if you are licensed for the Google Drive data source.
e Public via Direct Link (Google Drive): Displays when files on your Google Drive are accessible to anyone with a link. Only appears if you are licensed for the Google Drive data source.
f Public via Direct Link (OneDrive): Displays when files on your OneDrive are accessible to anyone with a link. Only appears if you are licensed for the OneDrive data source.
g Public via Direct Link (Box): Displays when files on your Box account are accessible to anyone with a link. Only appears if you are licensed for the Box data source.
h Activity preview: Displays a preview of the graph of file events.
i Permission Increases: Displays the number of events where a user changed the permission of a file, folder, or drive from private to public. This applies to both public via a direct link or public on the web.
j Total File Size: Displays total file size for all exposure events in the selected timeframe. Does not include Google file types such as Google Docs or Google Sheets.
k Users: Displays the number of users who interacted with the file within five minutes of when it was made public. This could include the user who changed the permissions or a user who interacted with the file shortly after the permission change. Click any value in this column to open the Users window to see more details about the file activity and to search by a particular user's activity in Forensic Search.
l Investigate in Forensic Search: Opens Forensic Search. Forensic Search is pre-populated with the selected timeframe and exposure type. Learn more about using Forensic Search.
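
The Permission Increases and Users definitions above can be applied to your own event data to see why the Users value may include people who never changed a permission. This is an added example, not Code42 code: the event fields and sample data are constructed, and it assumes the five-minute window runs forward from the permission change.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=5)           # interval given in the Users description
PUBLIC = {"public_link", "public_web"}  # direct link / public on the web

# Constructed sample events. Field names and values are hypothetical,
# not a Code42 export schema.
EVENTS = [
    {"time": "2021-03-01T10:00:00", "user": "alice", "file": "plan.xlsx",
     "action": "share", "old": "private", "new": "public_link"},
    {"time": "2021-03-01T10:02:30", "user": "bob", "file": "plan.xlsx",
     "action": "read"},
    {"time": "2021-03-01T10:09:00", "user": "carol", "file": "plan.xlsx",
     "action": "read"},
    {"time": "2021-03-01T11:00:00", "user": "dave", "file": "notes.pdf",
     "action": "share", "old": "public_link", "new": "public_web"},
    {"time": "2021-03-01T12:00:00", "user": "alice", "file": "roadmap.pptx",
     "action": "share", "old": "private", "new": "public_web"},
]


def is_permission_increase(event):
    """True only for a change from private to one of the public states."""
    return (event.get("action") == "share"
            and event.get("old") == "private"
            and event.get("new") in PUBLIC)


def summarize(events):
    """Return the Permission Increases count and the users tied to them."""
    parsed = [dict(e, time=datetime.fromisoformat(e["time"])) for e in events]
    increases = [e for e in parsed if is_permission_increase(e)]
    users = set()
    for inc in increases:
        deadline = inc["time"] + WINDOW
        for e in parsed:
            # Assumption: the window runs forward from the permission change.
            if e["file"] == inc["file"] and inc["time"] <= e["time"] <= deadline:
                users.add(e["user"])
    return {"permission_increases": len(increases), "users": sorted(users)}


if __name__ == "__main__":
    print(summarize(EVENTS))
```

In the sample, bob is counted because he read the file inside the window, carol is not because her read came nine minutes later, and dave's change is skipped because the file was already public.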

 

File event details 

On the Risk Exposure dashboard, click a point on either graph to see more details about that file activity.

File event details from the Risk Exposure dashboard

Item Description
a File Activity summary: Displays a summary of the file activity, including the timeframe of events, the total number of file events, the total size of the files, and the number of users involved in the activity.
b Investigate in Forensic Search: Opens Forensic Search. Forensic Search is pre-populated with the selected events.
c User: Displays the Code42 usernames of users involved with the file events. Click any username to open their User Profile. (Only available from the Endpoint File Activity tile.)
d File Events: Shows the number of file events for each user in the timeframe selected. File events can include events where a file was moved to removable media or cloud sync folders, uploaded to a browser, or had cloud share permissions changed.
e Total Size of Files: Displays total file size for all exposure events in the selected timeframe. For the Cloud Activity tile, this value does not include Google file types such as Google Docs or Google Sheets.
f Sync Destination (Synced to Cloud Service only): Displays the cloud service the file was synced to. This only appears when viewing events on the Synced to Cloud Service graph.
g View profile (Endpoint File Activity only): Opens the User Profile page for the user.
h Search in Forensic Search: Click to see the search results for this user in Forensic Search.

Users

On the Risk Exposure dashboard in the Users column of either graph, click any value to see the file activity broken out by user. You can then see more file details for each user in Forensic Search.

User details on the Risk Exposure dashboard

Item Description
a Users: Displays the Code42 usernames of users involved with the file events. Click any username to open their User Profile. (Only available from the Endpoint File Activity tile.)
b File Events: Shows the number of file events for each user in the timeframe selected. File events can include events where a file was moved to removable media or cloud sync folders, uploaded to a browser, or had cloud share permissions changed.
c Total Size of Files: Displays total file size for all exposure events in the selected timeframe. For the Cloud Activity tile, this value does not include Google file types such as Google Docs or Google Sheets.
d Sync Destination (Synced to Cloud Service only): Displays the cloud service the file was synced to. This only appears when viewing events on the Synced to Cloud Service graph.
e View profile (Endpoint File Activity only): Opens the User Profile page for the user.
f Search in Forensic Search: Click to see the search results for this user in Forensic Search.