Who is this article for?
Find your product plan in the Code42 console on the Account menu.

Incydr Professional, Enterprise, and Gov F2
Incydr Basic, Advanced, and Gov F1
Other product plans

Incydr Professional and Enterprise, yes.

Incydr Basic and Advanced, no.

CrashPlan Cloud, no.

Other product plans, no.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Organizations - Endpoint Data Collection reference

Overview

Use the Endpoint Data Collection tab on the organization details screen to identify the exfiltration vectors you want to monitor for risky activity. Code42 automatically collects all metadata associated with the files involved in such activity. You can also collect the contents of those files, when available, to provide important context during investigations.

For more information on endpoint monitoring with Incydr Basic and Advanced, CrashPlan Cloud, and other plans, see Endpoint Monitoring settings reference.

Endpoint Data Collection settings

To view an organization's endpoint data collection settings:

  1. Select Administration > Environment > Organizations.
  2. From the Organizations table, click the organization you want to view.
  3. Click the Endpoint Data Collection tab.
    Organization details with annotations
Item Description
a Collect file metadata

Identifies the vectors Code42 monitors on endpoints for possible file exfiltration. You can enable or disable:

  • Removable media
    Scanning all removable media (such as USB drives or SD cards) for file metadata.
  • Cloud sync applications
    Detection of files that are synced to cloud storage using these apps installed on the endpoint:

    • Box
    • Box Drive (Mac only)
    • Dropbox
    • Google Backup and Sync (discontinued by Google on Oct. 1, 2021)
    • iCloud
    • OneDrive
      Code42 watches a personal OneDrive account and up to two OneDrive for Business accounts on each device.
  • Browser and other application activity
    Detection of files accessed by web browsers and other applications (for example, uploading attachments to web-based email or downloading files via FTP).

    This may also include other instances of apps accessing a file, such as opening a local file to view it in a web browser without actually uploading it.

  • Printers
    Currently not supported for Incydr Professional and Enterprise. 

By default, Code42 automatically collects the metadata from files involved in exfiltration activity for the vectors you select.

  • All file activity
    Monitor all endpoint file activity. 
    (Available as an add-on for some product plans)
b Collect exfiltrated file contents

Identifies whether Code42 collects the contents of the file itself when that file is involved in possible exfiltration activity.

  • Enabled: Contents of files involved in exfiltration activity are collected and viewable in Forensic Search. File contents are retained for the Event data retention period specified in your product plan.
  • Disabled: File contents are not collected.

Use this setting to control whether file contents are collected for specific organizations. For example, your Marketing users may often exchange large media files as part of their advertising development, or your QA users may exchange large numbers of files as part of their testing. Since this expected activity probably doesn't help with investigations of file exfiltration, you could group such users into their own organization and disable exfiltrated file content collection on that organization. 

c Edit settings

Click to update the Collect file metadata or Collect exfiltrated file contents settings.

 

When the panel opens:

  1. If applicable, use the slider to identify whether the organization inherits these settings from its parent organization.
    This slider configures the organization to take on the security settings of the organization defaults (for top-level or system-wide organizations) or its parent organization. When enabled, settings must be edited at the top-level organization default or parent organization level. This slider is not available for the top-level organization.
  2. Update the settings.
  3. Click Save.