Data Preferences reference
Overview
Data Preferences settings enable you to exclude file activity from IP addresses and domains you trust from dashboard visualizations, alerts, and search results in Forensic Search.
Considerations
Trusted domains
Adding trusted domains helps focus your investigations on file activity that may be a higher risk by not showing trusted file activity on the Risk Exposure dashboard, detection lists, and alerts. All file activity, including trusted file activity, is available to view in Forensic Search.
How it works
- Activity is considered trusted when an entry in your list of trusted domains appears in file event metadata for these fields: Active tab titles and URLs, Sync Username, Shared With (for cloud data sources), and Recipients (for email data sources).
- File activity on trusted domains does not appear in Code42 security event dashboards, user profiles, and alerts. However, activity on trusted domains is still searchable in Forensic Search.
- If there is more than one domain associated with an event, all domains must be included in your list of trusted domains for the event to be trusted. If any domain associated with event is not in your list of trusted domains, the event is not trusted.
Configure trusted domains
To view and edit trusted domains:
- Sign in to the Code42 console.
- Navigate to Administration > Environment > Data Preferences.
- Select the Trusted domains tab.
If your organization has established processes for users to report unethical behavior, harassment, discrimination, or other types of misconduct, consider adding the associated URLs to your list of trusted domains. For example, adding
report-misconduct.example.com would prevent file activity on that domain from appearing in Code42 security event dashboards, user profiles, and alerts.| Item | Description | |
|---|---|---|
| a | Domain list |
List of domains you trust. File events from domains in this list are excluded from:
|
| b | Edit |
Click Edit to add or remove domains.
|
Using a wildcard character may lead to unintentionally trusting unknown or malicious domains. For example, a trusted domain value of
example* would trust not only example.com, but also any domain starting with example, such as example.fake.com, examplenotyourrealdomain.com, and example.info.
To trust both a parent domain and all subdomains, we do not recommend an overly inclusive wildcard value, such as *example.com. Instead, add these two values to minimize risk:
example.com*.example.com
Since the first entry does not include a wildcard, it only trusts activity that matches the example.com domain exactly. In the second entry, including a period (.) after the wildcard ensures only subdomains of your legitimate domain are trusted.
Trusted domain examples
The table below provides examples of whether file activity is trusted based on the combination of the trusted domain entry and where the file activity occurred.
- Yes = Activity on this domain is trusted for the supplied trusted domain entry
- No = Activity on this domain is not trusted for the supplied trusted domain entry
| Trusted domain entry | |||||
| <<< More secure Less secure >>> | |||||
| Activity on: | example.com | *.example.com | example | *example.com | example* | *example* |
| www.example.com | Yes | No | No | Yes | Yes | Yes |
| https://subdomain.example.com | No | Yes | No | Yes | No | Yes |
| www.not-example.com | No | No | No | Yes | No | Yes |
| www.example.fake.com | No | No | No | No | Yes | Yes |
| first.last@example.com | Yes | No | No | Yes | Yes | Yes |
IP addresses
Listing your in-network IP addresses enables Code42 to label activity from any IP address not on this list as Remote activity. Many areas throughout the Code42 console use this list of IP addresses to identify remote file activity. Listing your in-network IP addresses enables you to customize search results and dashboards to include in-network activity, remote activity, or both.
To view and edit IP addresses:
- Sign in to the Code42 console.
- Navigate to Administration > Environment > Data Preferences.
- Select the IP addresses tab.
| Item | Description | |
|---|---|---|
| a | Add |
Click to add a new IP address or range. |
| b | IP addresses |
The in-network IP address or range.
For example, add the public IP addresses used by your devices, such as the NAT IP ranges for your corporate offices.
Supported formats:
VPN activity
If you consider file activity from devices connecting over a VPN to be “in-network,” add the IP addresses of your VPN network here. To consider VPN traffic as remote activity, do not include IP addresses for your VPN. |
| c | Description | The description entered for this IP address or range. Descriptions are limited to 50 characters. |
| d | Created |
Indicates when this entry was added to the list of in-network IP addresses.
Date and time are reported in Coordinated Universal Time (UTC). |
| e | IP last modified |
Indicates when the IP addresses value was last updated. Updating only the Description does not affect this timestamp.
File activity from an IP address is identified as in-network beginning the date it is added to this list. File activity from an IP address that occurred before it was added to this list is considered remote activity.
Date and time are reported in Coordinated Universal Time (UTC). |
| f | Edit | Click to edit the IP addresses or Description for this entry. |
| g | Delete | Click to delete this entry from the list of in-network IP addresses. |