Who is this article for?
CrashPlan for Enterprise, yes.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
The Code42 Audit Log provides a record of who did what and when in the Code42 environment. This article provides detailed descriptions of each item in the Audit Log in the Code42 console. Some uses of the Audit Log include:
- Determine how the Code42 environment ended up in its current state.
- Spot check the work of security analysts to prevent abuse of privileged access.
- Identify areas of training for users who caused inadvertent changes.
The Audit Log in the Code42 console allows you to quickly search events and export the results to a comma-separated-values (CSV) file. While this is helpful to quickly perform spot checks, we recommend you use the Code42 API if you need to export events to your internal security team tools. The APIs allow you to export Audit Log events in CSV, CEF, or JSON format. See Search Audit Log events with the Code42 API.
- The Audit Log is in early access.
- You must have the Customer Cloud Admin role to view events in the Audit Log.
- The Audit Log records events for the last 90 days. If you want to maintain Audit Log output for longer than 90 days, export the results to your own systems for storage.
- While there is no limit to the number of events recorded in the Audit Log, you can export a maximum of 100,000 events at once. To work around this limitation, see Troubleshooting.
- Events that are recorded in the Audit Log can originate from actions taken in the Code42 console, Code42 APIs, an integration with Code42, or an external user provisioning system.
- Event results are returned within five minutes of the event occurrence. Although event results of different event types are returned at different intervals, they are always listed in the order they occurred.
- In addition to searching Audit Log events using APIs, you can also use py42 to query the Audit Log.
To view the Audit Log:
- Sign in to the Code42 console.
- Select Reporting > Audit Log.
|a||Export||Export the filtered events to a comma-separated values (CSV) file.|
|b||Filter||Filter the events by the criteria you select.|
|c||Filtered by||The filters that are currently applied to the Audit Log events. Click the X to remove that filter. Remove all filters to view all events.|
|d||Username||The Code42 username associated with the event.|
The event type logged:
|f||Date observed||Date and time the event occurred. The time is reported in Coordinated Universal Time (UTC).|
|g||IP address||Public IP address involved in the event.|
|h||View detail||Click to view event details. Includes event type, date observed, and device details.|
To filter the events listed in the Audit Log, click Filter and select the criteria to use. When you click Apply, events that match all filters appear in the list.
|a||Username||Filters the list by events associated with a specific Code42 username. Use commas to separate multiple usernames.|
Filters the list by the selected date range. Select Custom to enter start and end dates to use to filter events. You can also select All dates to view all events that have been logged.
Filters results by event types:
All Events filters by all available event types.
|d||IP address||Filters the events by a specific public IP address involved in the event. Use commas to separate multiple IP addresses.|
|e||Cancel / Apply||Click Apply to apply the selected filter criteria to the list and display only the events that match those criteria. To return to the list without applying any filters, click Cancel.|
Click Export to export the filtered events in the Audit Log to a comma-separated values (CSV) file. Any filters that are applied are shown above the Audit Log list. Click the X on a filter to remove that filter from the exported results.
For any event listed in the Audit Log, click View details to see more information about the event.
Following are the fields that can appear in event details.
Following are the fields that can appear in the Event section of the Event details panel. The fields that display vary depending on the type of activity that triggered the event.
|Affected user||The Code42 username of the person who was acted upon in the event.|
|Affected user UID||The Code42 unique UID (userUid) of the person who was acted upon in the event.|
|Date observed||Date and time the event occurred. The time is reported in Coordinated Universal Time (UTC).|
Whether the event execution was successful:
The event type logged:
|New value||The value of the data after the event.|
|Old value||The value of the data before the event.|
The parameters of the Forensic Search.
The kind of Forensic Search performed:
Following are the fields that appear in the User section of the Event details panel.
The Code42 username of the acting user who triggered the event.
If the acting user was a SCIM provisioning system, the entry appears as the provisioning provider Username credentials from Code42 (for example, "email@example.com").
|IP address (public)||The public IP address of the device used to trigger the event.|
|User agent||Details of the browser and device used to trigger the event.|
Following are the kinds of events that appear in the Audit Log:
- Add user
- Activate user
- Deactivate user
- Email change
- External attributes change
- External reference change
- Forensic Search query
- Name change
- Username change
This event means that a new user was added in Code42.
An empty value for fields in this event type may result from the initial intake of users from your Code42 environment into the Audit Log. See Troubleshooting.
This event means that a user was deactivated in Code42. A user can be deactivated for many reasons, from leaving the company to being removed from a provisioning system. For more information about user deactivation performed by provisioning systems, see our articles on SCIM provisioning and Code42 User Directory Sync.
This event means that a user's email address was changed. In Code42, the user's email address is also their Code42 username. Therefore, a change to a user's email address also results in a Username change event.
External attributes change
This event means that an external user provisioning system updated a user's attributes. Such systems include Code42 User Directory Sync and SCIM provisioning systems like Azure AD provisioning, Okta provisioning, or PingOne provisioning. If multiple attributes for a user are changed as a result of a single provisioning action, then all the attribute changes appear in the same event.
User attributes obtained from a provisioning system display in Code42 in the User Profile as well as the High Risk Employees list and Departing Employees list. The changed attributes that can appear in this event type are:
If user attributes are not populated correctly, see Updated user attributes not populating in risk detection lists.
External reference change
This event means that a user's external reference information was changed. The External Reference field in Code42 is used by administrators to add descriptive information to users, devices, or organizations in the Code42 environment, such as serial numbers, asset tags, employee IDs, help desk issue IDs, and the like. This information provides additional context for administrators and helps to integrate with external systems.
Forensic Search query
This event means that a Forensic Search query was performed in the Code42 console or a Forensic Search was run with the Code42 API. The details of the Forensic Search query are recorded in the Query Parameters.
This event means that a user's first name or last name was changed.
This event means that a user's Code42 username was changed. In Code42, the user's email address is also their Code42 username. Therefore, a change to a Code42 username also results in an Email change event for the user.
Empty values in fields
Empty values in Audit Log fields may occur for a number of reasons:
In Add user event types, an empty value for the Username, IP address, and Agent fields may result from the initial intake of users from your Code42 environment into the Audit Log. These fields are left blank because there is no acting user causing the event.
When an event such as an External attributes change is triggered by a provisioning system, the Agent field is empty because there is no endpoint user agent involved in the transaction. If a provisioning system triggers an event, the acting user entry appears as the provisioning provider Username credentials from Code42 (for example, "firstname.lastname@example.org").
- Username changes
In Username change events, the Affected user field is empty because the username value is shown in the Old value and New value fields.
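As an added example (not Code42 code), the following Python sketch runs the spot check described at the top of this article over an exported CSV: it sets aside events with an empty Username, as described above, and summarizes Forensic Search query events per acting user. The column names, sample rows, and the `max_queries` threshold are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export. The column names mirror the console columns
# described above and are an assumption; check a real export's header row.
SAMPLE_CSV = """\
Username,Event type,Date observed,IP address,Affected user
analyst1@example.com,Forensic Search query,2021-03-01T09:00:00Z,203.0.113.10,
analyst1@example.com,Forensic Search query,2021-03-01T09:05:00Z,198.51.100.7,
analyst2@example.com,Forensic Search query,2021-03-01T23:40:00Z,198.51.100.7,
,Add user,2021-02-01T00:00:00Z,,new.hire@example.com
scim@example.com,External attributes change,2021-03-02T10:00:00Z,,new.hire@example.com
admin@example.com,Deactivate user,2021-03-03T11:00:00Z,203.0.113.20,former@example.com
"""


def load_events(text):
    """Parse an exported CSV into a list of dicts with whitespace stripped."""
    reader = csv.DictReader(io.StringIO(text))
    return [{k: (v or "").strip() for k, v in row.items()} for row in reader]


def split_by_actor(events):
    """Separate events that have an acting user from those with an empty Username."""
    acted = [e for e in events if e["Username"]]
    no_actor = [e for e in events if not e["Username"]]
    return acted, no_actor


def forensic_search_review(events, max_queries=1):
    """Per acting user: Forensic Search query count and distinct source IPs.
    Returns only users above max_queries or seen from more than one IP."""
    stats = defaultdict(lambda: {"count": 0, "ips": set()})
    for e in events:
        if e["Event type"] == "Forensic Search query":
            s = stats[e["Username"]]
            s["count"] += 1
            if e["IP address"]:
                s["ips"].add(e["IP address"])
    return {u: s for u, s in stats.items()
            if s["count"] > max_queries or len(s["ips"]) > 1}


if __name__ == "__main__":
    acted, no_actor = split_by_actor(load_events(SAMPLE_CSV))
    print("no acting user:", [(e["Event type"], e["Affected user"]) for e in no_actor])
    for user, s in forensic_search_review(acted).items():
        print(user, s["count"], sorted(s["ips"]))
```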
The maximum number of events that can be exported from the Audit Log at once is 100,000. To work around this limitation, adjust your filters to reduce the number of events in any given export to be less than 100,000, then complete multiple exports to obtain the entire set of events.
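One way to recombine the multiple exports described above, shown as an added Python example that is not part of Code42's tooling: it merges several CSV exports, drops rows repeated where filter ranges overlapped, and reports any export that reached the 100,000-event limit and may therefore be incomplete. The column names, the ISO 8601 timestamp format, and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

EXPORT_LIMIT = 100_000  # maximum events per export, as stated above

# Constructed sample exports whose date ranges overlap by one event.
HEADER = "Username,Event type,Date observed,IP address\n"
EXPORT_A = HEADER + (
    "admin@example.com,Add user,2021-02-27T10:00:00Z,203.0.113.20\n"
    "admin@example.com,Name change,2021-02-28T23:59:00Z,203.0.113.20\n"
)
EXPORT_B = HEADER + (
    "admin@example.com,Name change,2021-02-28T23:59:00Z,203.0.113.20\n"  # overlap
    "admin@example.com,Deactivate user,2021-03-01T08:00:00Z,203.0.113.20\n"
    "admin@example.com,Activate user,2021-03-01T07:00:00Z,203.0.113.20\n"
)


def merge_exports(csv_texts, limit=EXPORT_LIMIT):
    """Merge CSV exports into one de-duplicated, time-ordered list.

    Returns (events, truncated), where truncated holds the indexes of exports
    whose row count reached the limit and so may be missing events.
    """
    seen, merged, truncated = set(), [], []
    for i, text in enumerate(csv_texts):
        rows = list(csv.DictReader(io.StringIO(text)))
        if len(rows) >= limit:
            truncated.append(i)  # narrow this export's filters and run it again
        for row in rows:
            # No event ID column is assumed, so the whole row is the key.
            # Two genuinely distinct events with identical fields would collapse.
            key = tuple(sorted(row.items()))
            if key not in seen:
                seen.add(key)
                merged.append(row)
    # Assumes UTC timestamps in one ISO 8601 format, which sort as strings.
    merged.sort(key=lambda r: r["Date observed"])
    return merged, truncated


if __name__ == "__main__":
    events, truncated = merge_exports([EXPORT_A, EXPORT_B])
    print(len(events), "unique events; exports at the limit:", truncated)
```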