This article applies to Cloud.

Other available versions:

Version 6 | Version 5

Available in:

Standard, Premium, Enterprise
Small Business
Code42 Support

Security Center reference

Overview

The Code42 Security Center allows you to search for users' security events detected by endpoint monitoring (also called file exfiltration detection). The report can help you identify and visualize potential data leaks. You can also export the results to a CSV file for analysis or archiving.

For details on the security events that can be detected, and instructions on how to configure endpoint monitoring, see Endpoint Monitoring.

Security Center requirements

In order to use the Security Center:

Permissions for Security Center access
The Customer Cloud Admin role includes Security Center access automatically. To grant Security Center access to a user with a different role, assign the Security Center User role to the user.  

If you recently added Security Tools to your product plan but you can’t access the Security Center, go to My Profile to ensure you have the required permissions. Contact our Customer Champions for Code42 for Enterprise support if you do not have the necessary role or permissions.

User Activity

Search for user activity

To access the Security Center and begin a user search:

  1. Sign in to the administration console.
  2. Select Security Center > User Activity.

Security Center user search

Item Description
a. Username: Enter the username of the user to search.
b. Dates: Specifies the start and end dates of the search query. Select Most Current to select the current date. The start and end dates must be no more than 62 days apart.
c. Search: Submits the search and returns the activity results.

User activity results

View summaries and charts for the following endpoint monitoring event types:

  • Pattern Matching
  • Cloud Folders
  • Removable Media
  • Files Restored
  • Browser Activity (Windows Only)



Item Description
a. User Details: Lists details about the user, including the user's organization, number of devices, and if the user is included in an activity profile.
b. Activity Profile: If the user is included in an activity profile, the profile name displays here. Click the name for menu options to view details of the profile or remove the user from the profile. If the user is not included in an activity profile, a link to Add to a Profile appears.
c. Action menu: Displays the option to Export CSV, which downloads a CSV file containing line item details for the activities summarized in the search results.
d. Dates: Specifies the start and end dates of the search query. Select different dates to update the results. The start and end dates must be no more than 62 days apart.
e. Activity summary: Indicates the number of files and total size of files for each event type. Each event type also includes a chart below with more details.
f. Pattern Matching: Number of patterns and matches defined by the YARA rule file on the user's device.
g. Action menu: Displays the option to export a CSV file with line-item details of the activity summarized in the chart.
h. Cloud Folders: Number and size of files transferred to cloud services, including Box, Box Drive (Mac only), Dropbox, Google Drive*, Google Backup and Sync, iCloud, and OneDrive.
  • Blue indicates added files
  • Green indicates modified files
  *Google replaced Google Drive with Backup and Sync, but results for previous Google Drive activity still appear.
i. Removable Media: Number and size of files transferred to removable media, such as USB drives, external hard drives, memory cards, etc.
  • Blue indicates added files
  • Green indicates modified files
j. Files Restored: Number and size of files restored from the Code42 app.
k. Browser Activity (Windows Only): Number and size of files uploaded or downloaded via web browsers, such as when a user attaches a file to a web-based email.

Windows devices only
Devices using Code42 app version 6.7.1 and later report upload and download activity separately. Older versions of the Code42 app do not differentiate between upload and download activity, so all browser activity is reported as "Open (undefined)."

Google Drive File Stream activity not detected by endpoint monitoring
Google's Drive File Stream retrieves files by mounting a temporary internal drive partition on the user's device and streaming files to the temporary drive. The Code42 app only monitors file movement to external drives, so it does not detect this activity.

Export CSV

When exporting results to a CSV file, you can select which data to include. The exported file contains extensive activity details, including timestamps and numerous user and device details.

Item Description
Device Appeared: Includes detection of storage devices that are connected to the user's device.
Device Disappeared: Includes detection of storage devices that are disconnected from the user's device.
Device File Activity: Includes detection of file creation, modification, or deletion on connected devices.
Device Scan Result: Includes scanning of files on connected devices for the following types of events:
  • Files moved to removable media devices
  • Files created on removable media devices
  • Files modified on removable media devices
Personal Cloud File Activity: Includes detection of file activity in a personal cloud.
Personal Cloud Scan Result: Includes scanning of personal cloud drives.
Restore Job: Includes detection of restore activity.
Restore File: Includes detection of restored files.
Browser Activity (Windows only): Includes detection of files opened for web upload or download. Windows devices only.
Rule Match: Includes detection of files that trigger a pattern match using defined YARA rules.
Cancel: Cancels the export.
Export: Downloads the CSV file of the exported data.

Activity Notifications

With activity notifications, administrators can monitor file activity for specific high-risk users and receive an email notification when suspicious activity occurs. See Configuring Security Center Activity Profiles for additional information.

Activity profile list

To view the list of activity profiles, select Security Center > Activity Notifications.

Activity Notifications profile list

Item Description
a. Create New Profile: Displays options to create a new activity profile.
b. Report Name: List of activity profile names.
c. Date Modified: Indicates last date the profile was modified.
d. Total Number of Users: Indicates number of users in the profile.
e. Activity profile list: List of activity profiles. Select a row to view activity profile details. Select the checkbox next to the profile for the option to delete the profile.

Activity profile details

To view details for an activity profile, go to Security Center > Activity Notifications and click the row of the profile you want to view.

Item Description
a. Activity profile name: Indicates the profile name.
b. Profile details: Includes details about the activity profile:
  • Last modified: Date the profile was last modified.
  • Modified by: Username of the person to last modify the profile.
  • Number of users: Total number of users being monitored by the profile.
  • Created on: Date the profile was initially created.
  • Created by: Username of the person who created the profile.
  • Recipient: Email address of the person who receives notifications when a user in the profile exceeds an activity threshold.
  • Scan frequency: Determines how soon the email recipient is notified.
  • Total file size: The total size of files in megabytes (MB) a user must move to generate a notification.
  • Number of files: The total number of files a user must move to generate a notification.
  • File locations: Lists which file activities (removable media and cloud services file transfers) are being monitored by the profile.
c. Action menu: Provides options to Edit This Profile and Delete This Profile.
d. Add User: Displays the Add User screen.
e. Select users: Click to select users for removal from the profile.
f. Username: Name of the user.
g. Organization: The user's organization.
h. Added by: Username of the person who added this user to the activity profile.
i. Added on: Date the user was added to the activity profile.
j. Status:
  • Active: The user's endpoint is being monitored.
  • Conflict: The user's endpoint is not being monitored, most likely because of conflicting configuration of the organization and activity profile.
k. Last activity profile check: Most recent date and time the user's activity was evaluated for exceeding the limits set in the activity profile.
l. Last security notification: Most recent date and time security events were detected that exceeded the limits set in the activity profile. An email notification was also sent to the "Recipient" listed above at this time. If the user's activity has never exceeded the limits set in the activity profile, the field displays Never.

Create New Activity Profile

To create a new activity profile, go to Security Center > Activity Notifications and click Create New Profile.

Item Description
a. Profile name: The name of the activity profile, which appears in the list of profiles on the Activity Notifications screen. You can change the name at any time.
b. Notification Recipient: The email address of the person to receive notifications when a user exceeds a file activity threshold. Email notifications are limited to a single address.
c. Scan Frequency: The options range from 2 to 24 hours. The frequency determines how soon the email recipient is notified. For example, selecting Within 2 hours of detection generates an email if a user exceeds a file activity threshold within the previous two-hour period.
d. Removable Media: Select Removable Media to monitor file-transfer activity to USB drives, external hard drives, memory cards, etc.
e. Cloud Services: Select the cloud services you want to monitor for file-transfer activity. Activity profiles monitor the installed desktop apps for Box, Box Drive (Mac only), Dropbox, Google Backup and Sync, Apple iCloud, and Microsoft OneDrive. Activity profiles do not monitor files uploaded in web browsers.
f. Total file size: Defines the total size of files in megabytes (MB) a user must move to trigger a notification.
g. Ignore file size: Select to ignore file size and only monitor file count in this profile. You cannot exclude both file size and file count.
h. Total file count: Defines the total number of files a user must move to generate a notification.
i. Ignore file count: Select to ignore file count and only monitor file size in this profile. You cannot exclude both file size and file count.
j. Cancel: Cancels creation of the new activity profile.
k. Save: Creates the activity profile.
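
A simplified model of how the profile settings above combine over one scan window, as an added example that is not Code42's code or part of the original article. It assumes that reaching either threshold that is not ignored generates a notification and that 1 MB is 1024 × 1024 bytes; the class, function, and event tuple layout are hypothetical.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

MB = 1024 * 1024  # assumption: the article does not define MB precisely

@dataclass(frozen=True)
class Profile:                    # hypothetical model of an activity profile
    scan_hours: int               # Scan Frequency: 2 to 24 hours
    locations: frozenset          # monitored removable media / cloud services
    size_mb: float                # Total file size threshold (MB)
    file_count: int               # Total file count threshold
    ignore_size: bool = False     # Ignore file size
    ignore_count: bool = False    # Ignore file count

    def __post_init__(self):
        if not 2 <= self.scan_hours <= 24:
            raise ValueError("scan frequency must be 2 to 24 hours")
        if self.ignore_size and self.ignore_count:
            raise ValueError("cannot ignore both file size and file count")

def should_notify(profile, events, now):
    """events: iterable of (timestamp, location, size_bytes) tuples."""
    start = now - timedelta(hours=profile.scan_hours)
    # Only activity in monitored locations inside the previous window counts.
    hits = [e for e in events
            if start <= e[0] <= now and e[1] in profile.locations]
    total_mb = sum(e[2] for e in hits) / MB
    # Assumption: reaching either threshold that is not ignored notifies.
    by_size = not profile.ignore_size and total_mb >= profile.size_mb
    by_count = not profile.ignore_count and len(hits) >= profile.file_count
    return by_size or by_count

# Constructed sample events (not real export data).
NOW = datetime(2024, 1, 10, 12, 0)
EVENTS = [
    (NOW - timedelta(minutes=30), "Removable Media", 40 * MB),
    (NOW - timedelta(minutes=50), "Removable Media", 70 * MB),
    (NOW - timedelta(minutes=20), "Dropbox", 500 * MB),
    (NOW - timedelta(hours=5), "Removable Media", 900 * MB),
]

if __name__ == "__main__":
    usb = frozenset({"Removable Media"})
    print(should_notify(Profile(2, usb, 100, 50), EVENTS, NOW))
    print(should_notify(Profile(2, usb, 100, 50, ignore_size=True), EVENTS, NOW))
```
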

Add User

To view the Add User screen:

  1. Select Security Center > Activity Notifications.
  2. Select a profile from the list.
  3. Select Add User.

Item Description
a. Enter username: Enter usernames to search your Code42 environment.
b. User suggestions: When you start typing in the search box, suggestions appear. Click a username to add to the profile.
c. Included users: Lists all users to be added to the profile.
d. Remove user: Removes the user from the list of users to be included in the profile.
e. Cancel: Exits the Add User screen without adding any new users.
f. Add Users: Adds all selected users to the profile.

Forensic File Search

Requires the Forensic File Search product plan.

See the Forensic File Search reference guide for complete details.
