Who is this article for?

  • Incydr: yes
  • CrashPlan for Enterprise: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

Audit Log reference

Overview

The Code42 Audit Log provides a record of who did what and when in the Code42 environment. This article provides detailed descriptions of each item in the Audit Log in the Code42 console. Some uses of the Audit Log include:

  • Determine how the Code42 environment ended up in its current state.
  • Spot check the work of security analysts to prevent abuse of privileged access.
  • Identify areas of training for users that caused inadvertent changes.

Use the Audit Log APIs to export results

The Audit Log in the Code42 console allows you to quickly search events and export the results to a comma-separated-values (CSV) file. While this is helpful to quickly perform spot checks, we recommend you use the Code42 API if you need to export events to your internal security team tools. The APIs allow you to export Audit Log events in CSV, CEF, or JSON format. See Search Audit Log events with the Code42 API.

Considerations

  • You must have the Audit Log Viewer or Customer Cloud Admin role to view events in the Audit Log.
  • The Audit Log records events for the last 90 days. If you want to maintain Audit Log output for longer than 90 days, export the results to your own systems for storage.
  • While there is no limit to the number of events recorded in Audit Log, you can export only a maximum of 100,000 events at once. To work around this limitation, see Troubleshooting.
  • Events that are recorded in the Audit Log can originate from actions taken in the Code42 console, Code42 APIs, an integration with Code42, or an external user provisioning system.
  • Event results are returned within five minutes of the event occurrence. Although event results of different event types are returned at different intervals, they are always listed in the order they occurred.
  • In addition to searching Audit Log events using APIs, you can also use py42 to query the Audit Log.

Audit Log

To view the Audit Log:

  1. Sign in to the Code42 console.
  2. Select Administration > Status > Audit Log.

  a. Export
     Export the filtered events to a comma-separated values (CSV) file.
  b. Filter
     Filter the events by the criteria you select.
  c. Filtered by
     The filters that are currently applied to the Audit Log events. Click the X to remove that filter. Remove all filters to view all events.
  d. Username
     The Code42 username associated with the event.
  e. Event type
     The event type logged.
  f. Date observed
     Date and time the event occurred. The time is reported in Coordinated Universal Time (UTC).
  g. IP address
     Public IP address involved in the event.
  h. View detail
     Click to view event details. Includes event type, date observed, and device details.

Filter

To filter the events listed in the Audit Log, click Filter and select the criteria to use. When you click Apply, events that match all filters appear in the list.

  a. Username
     Filters the list by events associated with a specific Code42 username. Use commas to separate multiple usernames.
  b. User type
     The type of user to search for:
       • User
         Select to search for events triggered by a Code42 user.
       • Code42 support user
         Select to search for events triggered by a Code42 support user. Code42 support users are Customer Champions given support access to your Code42 environment to perform investigation and adjust settings as needed. By default, the Code42 support user's name is marvin@code42.com.
     The Code42 support user can create additional users that appear in the Audit Log. To find those users, you can filter on the user type Code42 support user and then filter on the Add user event type.
  c. Date range
     Filters the list by the selected date range. Select Custom to enter start and end dates to use to filter events. You can also select All dates to view all events that have been logged.
  d. Event type
     Filters results by event types. All events filters by all available event types.
     Event types are organized into categories. Select All events in a category to filter by all available event types in that category. If events of a specific type have not occurred in the last 90 days, the event type does not appear in the category.
     See the Event types section below for a description of each event type.

  • Administration
    • All events
    • Code42 support user access disabled
    • Code42 support user access enabled
  • Authorization
    • All events
    • Console login
  • Cases
    • All events
    • Case assignee changed
    • Case closed
    • Case created
    • Case file event added
    • Case file event removed
    • Case subject changed
  • File access
    • All events
    • File download
    • File download: IO error
    • Restore ended
    • Restore started
    • ZIP file downloaded
  • Forensic Searches
    • All events
    • Forensic search query
  • User updates
    • All events
    • Activate user
    • Add user
    • Deactivate user
    • Email change
    • External attributes change
    • External reference change
    • Local auth only change
    • Name change
    • Username change
  e. IP address
     Filters the events by a specific public IP address involved in the event. Use commas to separate multiple IP addresses.
  f. Cancel / Apply
     Click Apply to apply the selected filter criteria to the list and display only the events that match that criteria. To return to the list without applying any filters, click Cancel.

Export

Click Export to export the filtered events in the Audit Log to a comma-separated values (CSV) file. Any filters that are applied are shown above the Audit Log list. Click the X on a filter to remove that filter from the exported results.

In addition to exporting events to CSV in the Code42 console, you can also export events to CEF, CSV, or JSON with the API. For more information, see Search Audit Log events with the Code42 API.

Event details

For any event listed in the Audit Log, click View details to see more information about the event.

Following are the fields that can appear in event details.

Event

Following are the fields that can appear in the Event section of the Event details panel. The fields that display vary depending on the type of activity that triggered the event. 

  • Event type
    The event type logged.
  • Date observed
    Date and time the event occurred. The time is reported in Coordinated Universal Time (UTC).

User

Following are the fields that appear in the User section of the Event details panel.

  • Acting user (Code42)
    The Code42 username of the acting user who triggered the event.
    If the acting user was a SCIM provisioning system (for example, for an External attributes change event), the entry appears as the provisioning provider Username credentials from Code42 (for example, "azure_1234@cloud.code42.com").
  • User type
    The type of user who triggered the event, either a Code42 user or a Code42 support user.
    Code42 support users are users given support access to your Code42 environment to perform investigation and adjust settings as needed. By default, the username of support users is marvin@code42.com.
  • IP address (public)
    The public IP address of the device used to trigger the event.
  • User agent
    Details of the browser and device used to trigger the event.
    If the acting user was an API call (for example, for a Console login event), this field displays details of the API.

Additional event details

Following are the fields that appear in the Additional event details section of the Event details panel.

  • Affected user
    The Code42 username of the person who was acted upon in the event.
    Applies to events: Activate user, Add user, Deactivate user, External attributes change, External reference change, Local auth only change, Name change, Username change
  • Affected user UID
    The Code42 unique UID (userUid) of the person who was acted upon in the event.
    Applies to events: Activate user, Add user, Deactivate user, External attributes change, External reference change, Local auth only change, Name change, Username change
  • Affected user type
    The type of user who triggered the event, either a Code42 user or a Code42 support user.
    Applies to events: Activate user, Add user, Deactivate user, External attributes change, External reference change, Local auth only change, Name change, Username change
  • Amount of data downloaded
    The total amount of data contained in the downloaded ZIP file.
    Applies to events: ZIP file downloaded
  • Amount of data restored
    The total amount of file data restored in the event.
    Applies to events: Restore ended
  • Archive owner
    The owner of the archive that the file was downloaded from.
    Applies to events: File download
  • Assignee
    The Code42 username of the case assignee.
    Applies to events: Case assignee changed
  • Assignee user UID
    The Code42 unique UID (userUid) of the case assignee.
    Applies to events: Case assignee changed
  • Case ID
    The number of the case. The case number is automatically generated when the case is created and cannot be changed.
    Applies to events: Case assignee changed, Case closed, Case created, Case file event added, Case file event removed, Case subject changed

  • Destination holding the archive
    The backup destination containing the files that were restored.
    Applies to events: Restore ended, Restore started
  • Device guid data is pushed to
    The globally unique ID (GUID) of the device that received restored files.
    Applies to events: Restore ended, Restore started
  • Device hostname data is pushed to
    The hostname of the device that received restored files.
    Applies to events: Restore ended, Restore started
  • Device guid that owned the data
    The globally unique ID (GUID) of the device where the restored files originated.
    Applies to events: Restore ended, Restore started
  • Device hostname that owned the data
    The hostname of the device where the restored files originated.
    Applies to events: Restore ended, Restore started
  • Downloading user account (uid)
    The Code42 unique UID (userUid) of the person who initiated the file restore.
    Applies to events: ZIP file downloaded
  • Duration
    The length of time it took for the file restoration process from start to finish.
    Applies to events: Restore ended
  • Event ID
    The ID of a file event added or removed from a case.
    Applies to events: Case file event added, Case file event removed

  • Events returned
    The number of results returned for this Forensic Search query.
    Applies to events: Forensic Search query
  • Event success
    Whether the event execution was successful:
      • true
        The event completed successfully.
      • false
        The event did not complete successfully. (For example, if data was being changed to a new value in the event, the string may have been malformed or contained illegal characters.)
    Applies to events: Deactivate user, External attributes change, External reference change, Forensic Search query, Name change, Username change
  • External IP address of device pushed to
    The ISP-assigned IP address of the device that received restored files.
    Applies to events: Restore ended
  • Filename
    The name of the downloaded ZIP file.
    Applies to events: ZIP file downloaded
  • File name in archive
    The name of the file, including the file extension.
    Applies to events: File download
  • File size in archive
    The size of the file in the archive (in bytes) before download.
    Applies to events: File download
  • Investigated file size
    The size of the downloaded file (in bytes).
    Applies to events: File download
  • Investigated user
    The user undergoing investigation.
    Applies to events: File download
  • Internal IP address of device pushed to
    The local IP address of the device that received restored files.
    Applies to events: Restore ended
  • Internal IP address of requestor
    The local IP address of the device that requested the file restoration.
    Applies to events: Restore started
  • Local timestamp
    The local time the file download or restore event occurred.
    Applies to events: File download, Restore ended, Restore started, ZIP file downloaded
  • MD5 hash
    The MD5 hash of the file contents.
    Applies to events: File download

  • Name
    The name of the case at the time the event occurred. Note that the name of the case can be changed later.
    Applies to events: Case assignee changed, Case closed, Case file event added, Case file event removed, Case subject changed
  • New value
    The value of the data after the event.
    Applies to events: External attributes change, External reference change, Local auth only change, Name change, Username change
  • Number of files restored
    The total number of files restored in the event.
    Applies to events: Restore ended
  • Number of files that failed to restore
    The total number of files that were not successfully restored in the event.
    Applies to events: Restore ended
  • Old value
    The value of the data before the event.
    Applies to events: External attributes change, External reference change, Local auth only change, Name change, Username change
  • Owner uid of device data pushed to
    The Code42 unique ID (userUid) of the person that received restored files.
    Applies to events: Restore ended, Restore started
  • Owner of device data pushed to
    The Code42 username of the person that received restored files.
    Applies to events: Restore started, Restore ended
  • Previous assignee user UID
    The Code42 unique UID (userUid) of the previous case assignee.
    Applies to events: Case assignee changed
  • Previous assignee
    The Code42 username of the previous case assignee.
    Applies to events: Case assignee changed
  • Previous subject
    The Code42 username of the previous case subject.
    Applies to events: Case subject changed
  • Previous subject user UID
    The Code42 unique UID (userUid) of the previous case subject.
    Applies to events: Case subject changed
  • Query parameters
    The parameters of the Forensic Search.
    For more information about individual parameters shown, see the Forensic Search reference guide or the Forensic Search API.
    Applies to events: Forensic Search query

  • Restore ID
    The unique ID of a file restoration. The same restore ID will appear on a Restore started and Restore ended event.
    Applies to events: Restore ended, Restore started, ZIP file downloaded
  • Result
    The result of the file restore event:
      • CANCELED
        The restore was canceled before it could be completed.
      • SUCCESS
        The restore completed successfully.
    Applies to events: Restore ended
  • SHA256 hash
    The SHA256 hash of the file contents.
    Applies to events: File download
  • Search type
    The kind of Forensic Search performed:
      • query
        A search performed in Forensic Search.
      • export
        An export to a comma-separated values list.
      • grouping
        A search that returns results for a particular field (Forensic Search API only).
    Applies to events: Forensic Search query
  • Subject
    The Code42 username of the case subject.
    Applies to events: Case assignee changed, Case closed, Case file event added, Case file event removed, Case subject changed
  • Subject user UID
    The Code42 unique UID (userUid) of the case subject.
    Applies to events: Case assignee changed, Case closed, Case file event added, Case file event removed, Case subject changed

  • Sub-type
    The type of file restoration:
    Applies to events: Restore ended, Restore started
  • Updated local auth status
    The authentication method was changed for the user:
      • true
        The user is authenticated as a local user (Code42-based authentication).
      • false
        The user is authenticated by SSO.
    Applies to events: Local auth only change
  • URL of ZIP restore
    The URL of the ZIP file downloaded in the file restoration process.
    Applies to events: ZIP file downloaded
  • User that owned the data
    The Code42 username of the person who owned the files that were restored.
    Applies to events: Restore ended, Restore started
  • User type that owned the data
    The type of user who owned the files that were restored, either a Code42 user or Code42 support user.
    Applies to events: Restore ended, Restore started
  • User uid that owned the data
    The Code42 unique UID (userUid) of the person who owned the files that were restored.
    Applies to events: Restore ended, Restore started
  • Where was restore initiated
    The location where the restore process was triggered:
      • CONSOLE
        Restore was initiated from the Code42 console.
      • AGENT
        Restore was initiated from the Code42 app.
    Applies to events: Restore ended, Restore started

Event types

Following are the kinds of events that appear in the Audit Log.

Add user 

This event means that a new user was added in Code42. 

An empty value for fields in this event type may result from the initial intake of users from your Code42 environment into the Audit Log. See Troubleshooting.

Activate user

This event means that a user was reactivated in Code42. Reactivation occurs after a user had been previously deactivated.

Case assignee changed

This event means that the person who is assigned to take a case has been changed.

Case closed

This event means that a case was closed.

Case created

This event means that a case was created.

Case file event added

This event means that a file event was added to a case.

Case file event removed

This event means that a file event was removed from a case.

Case subject changed

This event means that the person who the case is about was changed.

Code42 support user access disabled

This event means that support access to your Code42 environment was turned off, so Code42 support users (also known as Customer Champions) no longer have permission to access your Code42 environment to troubleshoot or adjust settings.

Code42 support user access enabled

This event means that Code42 support users (also known as Customer Champions) were granted support access to your Code42 environment to troubleshoot and adjust settings as needed.

Code42 support users can log in after they are given support access. By default, the Code42 support user's name is marvin@code42.com.

To find events performed by a Code42 support user, filter on the user type Code42 support user. The user information appears in the User type section of the event details. If the Code42 support user creates additional users, you can find them in the Audit Log by filtering on the user type Code42 support user and event type Add user.

Console login

This event means that a login to the Code42 console was recorded. The login could be from a direct user sign-in, a user signing in with single sign-on (SSO), or a sign-in initiated with an API call from the Code42 API or an integration. If the sign-in is initiated with an API call, the User agent field displays details of the API.

Deactivate user

This event means that a user was deactivated in Code42. A user can be deactivated for many reasons, from leaving the company to being removed from a provisioning system. For more information about user deactivation performed by provisioning systems, see our articles on SCIM provisioning and Code42 User Directory Sync.

Email change

This event means that a user's email address was changed. In Code42, the user's email address is also their Code42 username. Therefore, a change to a user's email address also results in a Username change event. 

External attributes change

This event means that an external user provisioning system, such as Code42 User Directory Sync or a SCIM provisioning system like Azure AD provisioning, Okta provisioning, or PingOne provisioning, updated a user's attributes.

When a provisioning system triggers an event, the Username Code42 entry appears as the provisioning provider username credentials from Code42 (for example, "azure_1234@cloud.code42.com").

If multiple attributes for a user are changed as a result of a single provisioning action, then all the attribute changes appear in the same event. User attributes obtained from a provisioning system display in Code42 in the User Profile as well as the High Risk Employees list and Departing Employees list. The changed attributes that can appear in this event type are:

  • country
  • division
  • department
  • employee_type
  • locality
  • manager_user_id
  • region
  • title

If user attributes are not populated correctly, see Provision user attributes to Code42.

External reference change

This event means that a user's external reference information was changed. The External Reference field in Code42 is used by administrators to add descriptive information to users, devices, or organizations in the Code42 environment, such as serial numbers, asset tags, employee IDs, help desk issue IDs, and the like. This information provides additional context for administrators and helps to integrate with external systems.

File download

This event means that a file was downloaded from Forensic Search or a case. The downloaded file's name, size, MD5 hash, and other information appear in the additional event details.

File download: IO error

When a file download from Forensic Search or a case was attempted, the file failed to download due to an I/O device error. 

Forensic Search query

This event means that a Forensic Search query was performed in the Code42 console or a Forensic Search was run with the Code42 API. The details of the Forensic Search query are recorded in the Query Parameters.

Local auth only change

This event means that the local authentication method was changed for the user. Users with local authentication appear in the Local Users pane of the Authentication tab in Identity Management.

In the Updated local auth status field of the event details, a value of "true" indicates that the user is restricted to local (Code42-based) authentication only, while a value of "false" indicates that the user is authenticated by SSO. 

An empty value for fields in this event type may result from the initial intake of users from your Code42 environment into the Audit Log. See Troubleshooting.

Name change

This event means that a user's first name or last name was changed. 

Restore ended

This event means that restoration (download) of files to a device has completed.

The additional event details show the type of restore and other information about the restore, such as the owner of the device that received the restored files.

Restore started

This event means that restoration (download) of files to a device has started.

Compare the restore start and end times for the same restore ID to find how long a restore took. Depending on the kind of restore and the amount of file content restored, the length of time for a restore can vary widely.
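
The comparison described above, as an added example that is not Code42's own code: it pairs Restore started and Restore ended events by restore ID, computes the duration, and marks restores of another user's data for a spot check. The dictionary keys and the sample events are constructed for this example; map the keys to those in your own CSV or JSON export.

```python
from datetime import datetime, timezone

# Constructed sample events (not real Audit Log output). Key names are
# assumptions for this example; map them to the keys in your own export.
SAMPLE_EVENTS = [
    {"event_type": "Restore started", "date_observed": "2021-06-01T14:00:05Z",
     "restore_id": "R-1001", "acting_user": "alice@example.com",
     "data_owner": "alice@example.com"},
    {"event_type": "Restore ended", "date_observed": "2021-06-01T14:12:35Z",
     "restore_id": "R-1001", "acting_user": "alice@example.com",
     "data_owner": "alice@example.com", "result": "SUCCESS"},
    {"event_type": "Restore started", "date_observed": "2021-06-02T02:30:00Z",
     "restore_id": "R-1002", "acting_user": "admin@example.com",
     "data_owner": "bob@example.com"},
    {"event_type": "Restore ended", "date_observed": "2021-06-02T03:45:00Z",
     "restore_id": "R-1002", "acting_user": "admin@example.com",
     "data_owner": "bob@example.com", "result": "CANCELED"},
    {"event_type": "Restore started", "date_observed": "2021-06-03T09:00:00Z",
     "restore_id": "R-1003", "acting_user": "admin@example.com",
     "data_owner": "carol@example.com"},
    {"event_type": "Console login", "date_observed": "2021-06-03T09:01:00Z",
     "acting_user": "admin@example.com"},
]


def parse_utc(value):
    """Parse a UTC timestamp such as 2021-06-01T14:00:05Z."""
    parsed = datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")
    return parsed.replace(tzinfo=timezone.utc)


def summarize_restores(events):
    """Pair Restore started / Restore ended events that share a restore ID."""
    restores = {}
    for event in events:
        kind = event.get("event_type")
        if kind not in ("Restore started", "Restore ended"):
            continue
        entry = restores.setdefault(event["restore_id"], {
            "restore_id": event["restore_id"], "started": None, "ended": None,
            "result": None, "acting_user": None, "data_owner": None,
        })
        when = parse_utc(event["date_observed"])
        if kind == "Restore started":
            entry["started"] = when
        else:
            entry["ended"] = when
            entry["result"] = event.get("result")
        entry["acting_user"] = entry["acting_user"] or event.get("acting_user")
        entry["data_owner"] = entry["data_owner"] or event.get("data_owner")

    for entry in restores.values():
        complete = entry["started"] is not None and entry["ended"] is not None
        entry["duration"] = entry["ended"] - entry["started"] if complete else None
        # A start with no matching end may still be running, or its partner
        # may fall outside the exported date range; the same holds in reverse.
        entry["unpaired"] = not complete
        # Restores of another user's data are the ones worth a spot check.
        entry["cross_user"] = entry["acting_user"] != entry["data_owner"]
    return sorted(restores.values(), key=lambda e: e["restore_id"])


if __name__ == "__main__":
    for row in summarize_restores(SAMPLE_EVENTS):
        print(row["restore_id"], row["duration"], row["result"],
              "unpaired" if row["unpaired"] else "paired",
              "cross-user" if row["cross_user"] else "own data")
```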

Username change

This event means that a user's Code42 username was changed. In Code42, the user's email address is also their Code42 username. Therefore, a change to a Code42 username also results in an Email change event for the user. 

The Affected user field in the event details is empty in this type of event because the username value is shown in the Old value and New value fields. See Troubleshooting.

ZIP file downloaded

This event means that a ZIP file was downloaded to a device while restoring files to a ZIP file.

Troubleshooting

Empty values in fields

Empty values in Audit Log fields (shown as ) may occur for a number of reasons:

Export limit

The maximum number of events that can be exported from the Audit Log at once is 100,000. To work around this limitation, adjust your filters to reduce the number of events in any given export to be less than 100,000, then complete multiple exports to obtain the entire set of events. 
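
One way to plan those multiple exports, as an added example that is not Code42's own code: it halves a date range until every window holds fewer than the limit, so each window can be exported separately. The `count_events` callable is hypothetical and supplied by the caller (for instance, a wrapper that returns the result count of a filtered search); the timestamps and the small limit used in `demo()` are constructed.

```python
from bisect import bisect_left
from datetime import datetime, timedelta, timezone

EXPORT_LIMIT = 100_000  # maximum events per export, as stated in this article


def plan_export_windows(start, end, count_events, limit=EXPORT_LIMIT,
                        min_span=timedelta(seconds=1)):
    """Split [start, end) into windows that each hold fewer than `limit` events.

    `count_events(start, end)` is a hypothetical callable supplied by the
    caller; it returns how many events fall in the half-open range.
    """
    count = count_events(start, end)
    if count < limit:
        return [(start, end, count)]
    if end - start <= min_span:
        # The date range cannot be narrowed further; add another filter
        # (event type, username, IP address) to shrink this window.
        raise ValueError(f"{count} events between {start} and {end}")
    middle = start + (end - start) / 2
    return (plan_export_windows(start, middle, count_events, limit, min_span)
            + plan_export_windows(middle, end, count_events, limit, min_span))


def make_counter(timestamps):
    """Build a count_events callable over a list of constructed timestamps."""
    ordered = sorted(timestamps)

    def count_events(start, end):
        # Number of timestamps t with start <= t < end.
        return bisect_left(ordered, end) - bisect_left(ordered, start)

    return count_events


def demo():
    """Plan windows for 1,000 constructed events using a limit of 300."""
    start = datetime(2021, 6, 1, tzinfo=timezone.utc)
    stamps = [start + timedelta(minutes=i) for i in range(1000)]
    end = start + timedelta(minutes=1000)
    return plan_export_windows(start, end, make_counter(stamps), limit=300)


if __name__ == "__main__":
    for window_start, window_end, count in demo():
        print(window_start.isoformat(), window_end.isoformat(), count)
```

Because the windows are half-open and contiguous, concatenating the per-window exports yields every event exactly once.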
