Who is this article for?

Code42 for Enterprise
CrashPlan for Small Business

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Departing Employees reference

Overview

From Departing Employees, you can review the file activity of employees leaving your company, helping you to:

  • Quickly identify suspicious file movement
  • Review endpoint and cloud services activity
  • See file activity for the previous 90 days

This article describes the information and options in the Departing Employees list.

For instructions on how to add users to Departing Employees and investigate suspicious file activity, see Add departing employees.

Considerations

  • Add Trusted Domains in Data Preferences to filter out Read by browser or other app file events from domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added. 

  • To work with departing employees, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for adding users to detection lists.
  • This functionality requires a Code42 Platinum product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Platinum product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

Differences in file event counts
File events for Forensic Search and Alerts appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Departing Employees

To access the Departing Employees list:

  1. Sign in to the Code42 console.
  2. From the Departing Employees tile on the Risk Exposure dashboard, click any value, or go to Detection > Departing Employees. 

Departing Employees list

The Departing Employees screen lists the users who have been added as departing employees. 

List of departing employees

Item Description
a Alert Settings

Click to open the Alert Settings window, from which you can:

  • Enable or disable all alerts for all departing employees.
  • View details about the rules such as severity, who gets email notifications when the rule threshold is exceeded, as well as exposure type and thresholds for that rule. 
  • Click Manage Rule to go to the Alerts > Manage Rules tab and change the settings for the default Departing Employees alerts. From there, you can also update your custom alerts.
b Add Departing Employee Click to add a new user to the list of departing employees and start reviewing their file activity.  
c Total Departing Employees  Click to see a list of all departing employees. This option is selected by default.
d Leaving Today Click to see the employees that have a departure date of today.
e Put Data at Risk in Last 24 Hours Click to see the employees that had suspicious file activity in the past 24 hours.
f Put Data at Risk in the Last 30 Days Click to see the employees that had suspicious file activity in the past 30 days.
g Employee

Displays the employee's name and Code42 username. Click their Code42 username to see their User Profile.

h Department/Title

Displays the employee's department and their title if you use provisioning. (If you use User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the department and title attributes if you use Okta provisioning or PingOne provisioning.) If you don't use provisioning, this information does not appear and cannot be added manually.

i Total File Events Displays the number of file events in which a file was moved to removable media or cloud sync folders, read by a browser or other app, or had its cloud share permissions changed.

j Total Size of Files Lists the total size of the files included in the file event activity.
k Departure Date Lists the date entered for the employee's departure. If no date was entered, no value is listed.
l User Profile Notes Displays any additional information entered when the profile was created. If no notes were added, this field is blank. These notes are visible to your team members.
m View profile Opens the User Profile for the employee.
n Remove employee Removes the employee's profile from the Departing Employees list and from the view of your team members.
o View event details Click to view the employee's file events broken down by destination and file category group.
p Rows per page Select to display 10, 25, 50, or 100 employees per page.
q Pagination Click forward or backward to see pages of results.

User Profile

To view an employee's user profile, click the View profile icon in the list of employees.

Employee information

Employee information on the profile of a departing employee

Item Description
a Departing Employee indicator

Indicates that this employee has been added to the Departing Employees list.

Click to remove the employee from the Departing Employees list. This will remove the employee from the Departing Employees list for your team members as well.

b Employee information

Displays a summary of the employee's information, including:

  • Name
  • Department* 
  • Title*
  • Location*
  • Manager*
  • Employee's Code42 username
  • Employee's cloud aliases (not shown in image)
  • Departure Date (Departing Employees list only)
  • Risk Factors (High Risk Employees list only)
  • User Profile Notes (Departing Employees list and High Risk Employees list only)

*Displays this information if your Code42 environment uses provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the attributes if you use Okta provisioning or PingOne provisioning.) If you don't use provisioning, this information does not appear and cannot be added manually.

c Profile details Information that was added to the employee's profile from the Departing Employees list or High Risk Employees list.
d Edit Click to edit employee information, including cloud aliases, the departure date, and notes.

File events by destination

Item Description
a Last (on User Profile only) Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
b Cloud services Shows the cloud services provider that the file was synced to. Click a summary bar of data to see the file activity broken down by file category group.
c Browser or app 

Click to see the number of file events that indicate files were uploaded to a browser or an app such as Slack, FTP client, or curl. File category groups appear on the left. The selected filter is highlighted in blue.

Hover over a summary bar of data to see a preview of these files broken down by file category.

d Removable media

Click to see the number of file events that indicate files were moved to removable media, such as a USB drive. File category groups appear on the left. The selected filter is highlighted in blue.

Hover over a summary bar of data to see a preview of these files broken down by file category.

e Investigate in Forensic Search

Click to see the search results for these files in Forensic Search.

f View event details Click to view the employee's file events broken down by file category group.

File events by file category group

Item Description
a Last Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
b File category group

Shows the summary of file activity for the following file categories:

  • Business Documents
    • Documents
    • PDF
    • Presentations
    • Spreadsheets
  • Zip Files
    Common archive file formats including compressed files.
  • Source Code
    Common source code formats.
  • Multimedia 
    • Audio
    • Image
    • Video
  • Other
    • Executable
    • Script
    • Uncategorized (files that did not fit any category)
    • Virtual Disk Image

For more information about file categories, see Forensic Search file categories.

c Investigate in Forensic Search

Click to see the search results for these files in Forensic Search.

d View event details Click to view the employee's file events broken down by destination.

Endpoint File Activity

This section displays file activity on the user's device, which helps identify suspicious file activity and potential file exfiltration.

Item Description
a Last

Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click the Refresh graph indicator to refresh the graph and show the latest data.

b Activity type Indicates the type of activity displayed in the graph.
c Summary preview

Click a point on the graph to see a summary of that data point organized by file category group. 

d Risk Indicators

Highlights file activity that has added risk.

Off Hours - Indicates the file activity occurred outside the employee’s typical active hours. With only File Metadata Collection enabled, Code42 can capture file activity from an employee’s endpoint and use that pattern of activity to determine when an employee is typically inactive (their off hours). Using this behavioral pattern, we can then highlight when file activity doesn’t normally occur. It takes a few weeks of data to start identifying patterns, so you may not see these indicators initially. Due to the fluid nature of employee activity, the identified patterns can change over time when the employee’s behavior changes.

Off Hours requires File Metadata Collection
You must have File Metadata Collection enabled in order to see the Off Hours indicator. 
Off Hours appears only on the Endpoint File Activity graph
While the File Mismatch indicator is shown on both the Endpoint File Activity and Cloud File Activity graphs for corresponding activity, the Off Hours indicator appears only on the Endpoint File Activity graph. Cloud services are not currently monitored for activity that occurs during off hours.

File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents, for example, a file with the .jpg extension that contains source code content.

e Forensic Search icon

Click to see the search results for these files in Forensic Search.

f Graph

Provides a visual representation of file activity for the selected timeframe.

  • Hover on a point in the graph to see a preview of the activity.
  • Click a point on the graph to see the summary preview of that data point. 
g Show activity for

Select one of the following options to view the graph of that activity:

  • On removable media: Shows a graph of file activity on removable media, such as a USB drive.
  • Synced to cloud service: Shows a graph of activity where files were added to folders on a user's device that are typically used to sync to a cloud service. 
  • Read by browser or other app: Shows a graph of activity where files were opened by a browser or an app commonly used for uploading files, such as Slack, FTP client, or curl.
  • Deleted files: Shows a graph of activity where files are added to the following locations: $Recycle.Bin, .local/share/Trash, and .Trash. 
  • Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).
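The Off Hours indicator described above can be illustrated with a simple hour-of-day baseline. This is an added example, not Code42's implementation: the thresholds `MIN_DAYS` and `ACTIVE_SHARE`, the function names, and the sample history are all assumptions, and timestamps are taken to be in the employee's local time.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MIN_DAYS = 14        # assumed: days of history required before a pattern is trusted
ACTIVE_SHARE = 0.2   # assumed: an hour is typical if active on >= 20% of observed days

def active_hours(history):
    """Return the set of typical active hours (0-23), or None if history is too short."""
    days_by_hour = defaultdict(set)
    all_days = set()
    for ts in history:
        all_days.add(ts.date())
        days_by_hour[ts.hour].add(ts.date())
    if len(all_days) < MIN_DAYS:
        return None  # not enough data yet, so no indicator can be raised
    return {h for h, days in days_by_hour.items()
            if len(days) / len(all_days) >= ACTIVE_SHARE}

def off_hours_events(history, new_events):
    """Return the new events that fall outside the learned active hours."""
    hours = active_hours(history)
    if hours is None:
        return []
    return [ts for ts in new_events if ts.hour not in hours]

def build_sample_history(days=21):
    """Constructed history: file activity 09:00-17:00 on weekdays only."""
    start = datetime(2024, 1, 1)  # a Monday
    history = []
    for offset in range(days):
        day = start + timedelta(days=offset)
        if day.weekday() < 5:
            history += [day.replace(hour=h) for h in range(9, 18)]
    # A single late-night event: too rare to become part of the pattern.
    history.append(start.replace(hour=23))
    return history

# Constructed new file events to evaluate against the baseline.
NEW_EVENTS = [
    datetime(2024, 1, 22, 10, 0),
    datetime(2024, 1, 22, 23, 30),
    datetime(2024, 1, 23, 2, 15),
]

if __name__ == "__main__":
    for ts in off_hours_events(build_sample_history(), NEW_EVENTS):
        print("Off Hours:", ts.isoformat())
```

Because the baseline is recomputed from whatever history is supplied, rerunning it on a newer window shifts the active hours as the employee's behavior changes.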

Cloud File Activity

This section displays file activity for files in cloud services. It shows when a file is made publicly accessible or shared via a direct link. 

Item Description
a Last 

Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click the Refresh graph indicator to refresh the graph and show the latest data.

b Activity type Indicates the type of activity displayed in the graph.
c Summary preview

Click a point on the graph to see a summary of that data point organized by file category group. 

d Risk Indicators

Highlights file activity that has added risk.

File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents, for example, a file with the .jpg extension that contains source code content.

e Forensic Search icon

Click to see the search results for these files in Forensic Search.

f Graph

Provides a visual representation of file activity for the selected timeframe.

  • Hover on a point in the graph to see a preview of the activity.
  • Click a point on the graph to see the summary preview of that data point. 

g Show activity for

Select one of the following options to view the graph of that activity:

  • Public on the web (Google Drive): Shows files in Google Drive that were made public.
  • Public via direct link (Google Drive): Shows files that were shared from Google Drive with a direct link.
  • Public via direct link (OneDrive): Shows files that were shared from OneDrive with a direct link.
  • Public via direct link (Box): Shows files that were shared from Box with a direct link.
  • Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).
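The File Mismatch indicator described in the Endpoint File Activity and Cloud File Activity tables compares a file's extension with its contents. The check below is an added example, not Code42's implementation: it assumes a small signature table and reports a mismatch only when the content is positively identified, including the page's case of a .jpg that holds source code.

```python
import codecs
import os

# Well-known leading-byte signatures ("magic numbers") for a few formats.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]
# Content type each extension should contain (.docx/.xlsx are zip containers).
EXPECTED = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".pdf": "pdf",
    ".zip": "zip", ".docx": "zip", ".xlsx": "zip",
    ".py": "text", ".c": "text", ".txt": "text",
}

def sniff(head: bytes) -> str:
    """Classify content from its first bytes: a known signature, text, or unknown."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    if not head or b"\x00" in head:
        return "unknown"
    try:
        # The incremental decoder tolerates a multi-byte character cut off at the end.
        codecs.getincrementaldecoder("utf-8")().decode(head)
    except UnicodeDecodeError:
        return "unknown"
    return "text"

def file_mismatch(filename: str, head: bytes):
    """Return (expected, actual) when extension and content disagree, else None."""
    expected = EXPECTED.get(os.path.splitext(filename)[1].lower())
    actual = sniff(head)
    # Unlisted extensions and unidentified content are not flagged.
    if expected is None or actual == "unknown" or actual == expected:
        return None
    return expected, actual

# Constructed sample events: (file name, first bytes of the file).
SAMPLE_EVENTS = [
    ("vacation.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00"),
    ("holiday.jpg", b"#include <stdio.h>\nint main(void) { return 0; }\n"),
    ("report.pdf", b"PK\x03\x04\x14\x00\x00\x00"),
    ("budget.xlsx", b"PK\x03\x04\x14\x00\x06\x00"),
]

def flag_mismatches(events):
    """Map each mismatched file name to its (expected, actual) content types."""
    return {name: m for name, head in events if (m := file_mismatch(name, head))}
```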

 
