Who is this article for?

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Risk Exposure dashboard reference

Overview

The Risk Exposure dashboard gives you an overview of the different file activity in your Code42 environment. This dashboard lets you know when unusual activity is happening, so you can investigate further in Forensic Search. 

For more information about these dashboards, see Review unusual file activity with the Risk Exposure dashboard.

Considerations

  • Add Trusted Domains in Data Preferences to filter out Read by browser or other app file events from domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added. 

  • To work with the Risk Exposure dashboard, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for adding users to detection lists.

  • Code42 product plans
  • Contact your Customer Success Manager (CSM) for assistance with licensing. If you don't know who your CSM is, email csmsupport@code42.com.

Differences in file event counts
File events for Forensic Search and Alerts appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Insider threat summaries

The insider threat information on the Risk Exposure dashboard summarizes potential exposures you may want to investigate from the Departing Employees and High Risk Employees lists, and also lists file activity from your remote employees.

High Risk Employees summary

To view, sign in to the Code42 console and select Detection > Risk Exposure.

High Risk Employees tile on the Risk Exposure dashboard

This tile summarizes the information shown in the High Risk Employees list. Clicking either value opens the High Risk Employees list with those results shown. 

If you don't have any employees added to the High Risk Employees list, the values are zero.

Click View all to see all the employees that have been added to the list. Click Add to list to add an employee to the High Risk Employees list. 

Departing Employees summary

To view, sign in to the Code42 console and select Detection > Risk Exposure.

Departing Employees tile on the Risk Exposure dashboard

This tile summarizes the information shown in the Departing Employees list. Clicking any value opens the Departing Employees list with those results shown. 

If you don't have any employees added to the Departing Employees list, the values are zero.

Click View all to see all the employees that have been added to the list. Click Add to list to add an employee to the Departing Employees list.

Top users by file activity

This tile shows the employees with the most file activity and highest potential exfiltration risk. It shows the total number of file events and the total size of the files involved in the events for that employee.

Does not include cloud permission changes
The Top users by file activity view does not include events from cloud services where the permissions for a file were changed. It only includes events captured from the employee's endpoint, such as files moved to removable media, uploaded via a browser or other app, and moved into a cloud sync folder on the endpoint. 

To view, sign in to the Code42 console and select Detection > Risk Exposure.

Top users by file activity

Item Description
a. Timeframe: Displays file activity for the last 90 days, 30 days, 7 days, or 1 day.
b. Code42 username | Department/title: Displays the employee's Code42 username, department*, and title*. Click the Code42 username to see the employee's User Profile.
   *If you use User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the department and title attributes if you use Okta provisioning or PingOne provisioning. If you don't use provisioning, this information does not appear and cannot be added manually.
c. Forensic Search (Investigate in Forensic Search icon): Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
d. See file event details (View file event details icon): Click to see more details about the employee's file events, such as destinations and file category groups.
e. View top 20: Click to see a list of 20 employees with the most file activity on their endpoints.
f. View by remote activity: Click to see employees generating the most remote activity. When configured, remote activity is detected for endpoint events from out-of-network IP addresses.

Details

On the Top users by file activity tile, click the View file event details icon to see file event details.

User file event details

Item Description
a. View profile: Click to open the employee's User Profile.
b. Employee information: Displays the employee's Code42 username, department*, and title*.
   *If you use User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the department and title attributes if you use Okta provisioning or PingOne provisioning. If you don't use provisioning, this information does not appear and cannot be added manually.
c. List badge: Displays the lists to which the employee has been added, such as the Departing Employees or High Risk Employees lists.
d. List details: Displays known risk factors from the High Risk Employees list.
e. Investigate in Forensic Search: Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
f. Total endpoint events and size: Displays the total endpoint event count and size of the file events that occurred on the employee's endpoint. Events include files moved to removable media, read by browser or other app, or added to a cloud sync folder. Does not include cloud share permission changes.
g. Endpoint events: Displays the sync destination and file category group of file events that occurred on an employee's endpoint. Events include files moved to removable media, read by browser or other app, or added to a cloud sync folder. Does not include cloud share permission changes.

All activity view

To view, sign in to the Code42 console and select Detection > Risk Exposure.

The All activity view summarizes file activity of all of your employees. You can use it to:

  • Provide an organization-wide view of browser upload activity
  • Detect organization-wide usage of Dropbox, iCloud, Box, OneDrive and Google Drive
  • Offer historical user activity profiles to speed insider threat investigations
  • Review all remote file activity

Does not include cloud permission changes
The All activity employee view does not include events from cloud services where the permissions for a file were changed. It only includes events captured from the employee's endpoint, such as files moved to removable media, uploaded via a browser or other app, and moved into a cloud sync folder on the endpoint. 

All activity and remote activity tile

Item Description
a. All activity: Shows all endpoint file activity across your organization. File events can include files moved to removable media or cloud sync folders, or uploaded to a browser. All activity does not include cloud share permission changes.
b. Remote activity: Click to see all remote endpoint file activity. When configured, remote activity is detected for endpoint events from out-of-network IP addresses.
   File events can include files moved to removable media or cloud sync folders, or uploaded to a browser or other app. Remote activity does not include cloud share permission changes.
c. Timeframe: Displays file activity for the last 90 days, 30 days, 7 days, or 1 day.
d. By destination - Cloud service: Displays when a file exists in a folder on the device that is used for syncing with one of these cloud services:
  • Apple iCloud
  • Box
  • Box Drive
  • Dropbox
  • Google Backup and Sync
  • Google Drive
  • Microsoft OneDrive
e. By destination - Browser or app: Displays details about files opened in an app that is commonly used for uploading files, such as a web browser, Slack, FTP client, or curl. If you have configured trusted domains, file events that happen on trusted domains are removed from these counts.
f. By destination - Removable media: Displays when files have been moved to an external device such as a USB drive or hard drive.
g. Forensic Search (Investigate in Forensic Search icon): Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
h. View event details: Click to view the file events broken down by destination or file category group.
i. By file category group: Shows the summary of file activity for the following file categories:

  • Business Documents
    • Documents
    • PDF
    • Presentations
    • Spreadsheets
  • Zip Files
    Common archive file formats including compressed files.
  • Source Code
    Common source code formats.
  • Multimedia 
    • Audio
    • Image
    • Video
  • Other
    • Executable
    • Script
    • Uncategorized (files that did not fit any category)
    • Virtual Disk Image

For more information about file categories, see Forensic Search file categories.

Endpoint file activity

To view, sign in to the Code42 console and select Detection > Risk Exposure.

Endpoint file activity graph

Item Description
a. Timeframe: Displays file activity for the last 90 days, 30 days, 7 days, or 1 day.
b. File activity graph: Displays file activity for the selected file event type.
c. File event preview: Displays a file event preview for a specific day when you hover over the graph. Click a point to see more file event details from that day and to optionally open those files in Forensic Search. Learn more about using Forensic Search.
d. On removable media: Displays when files have been moved to an external device such as a USB drive or hard drive.
e. Synced to cloud service: Displays when a file exists in a folder on the device that is used for syncing with one of these cloud services:
  • Apple iCloud
  • Box
  • Box Drive
  • Dropbox
  • Google Backup and Sync
  • Google Drive
  • Microsoft OneDrive
f. Read by browser or other app: Displays details about files opened in an app that is commonly used for uploading files, such as a web browser, Slack, FTP client, or curl.
g. Zip files: Displays file events for common archive formats, including compressed files.
h. Activity preview: Displays a preview of the graph of file activity.
i. Events: Shows the number of file events for the entire timeframe selected. File events can include events where a file was moved to removable media or cloud sync folders, or uploaded to a browser.
   Note: Endpoint events do not include cloud share permission changes. See cloud share permission changes on the Cloud file activity graph.
j. Size: Displays total file size for all exposure events in the selected timeframe.
k. Users: Click any value in this column to open the Users window to see more details about the file activity and to search by a particular user's activity in Forensic Search.
l. Investigate in Forensic Search: Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.

Users

From the Endpoint file activity graph, click the Users column to see the file activity broken out by user. You can then see more file details for each user.

User details available from the Endpoint File Activity graph

Item Description
a. Code42 username | Department/title: Displays the Code42 usernames of employees involved with the file events. If you use provisioning, their department and title are shown. (For User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. For Okta provisioning, you must first add the department and title attributes in Okta.)
   Click any username to open their User Profile.
b. Events: Shows the number of file events for each user in the timeframe selected.
   File events can include events where a file was moved to removable media or cloud sync folders, or was uploaded to a browser.
   Note: Cloud share permission changes are not included. See cloud share permission changes on the Cloud file activity graph.
c. Size: Displays total file size for all exposure events in the selected timeframe.
d. Sync Destination (Synced to Cloud Service option only): Displays the cloud service the file was synced to. This only appears when viewing events on the Synced to Cloud Service graph.
e. Investigate in Forensic Search: Click to see the search results for this user in Forensic Search.
f. View event details: Click to view the employee's file events broken down by destination and file category group.

Cloud file activity

To view, sign in to the Code42 console and select Detection > Risk Exposure.

Visible only with licensing for one or more cloud service data sources.

Cloud file activity tile on the Risk Exposure dashboard

Item Description
a. Timeframe: Displays file activity for the last 90 days, 30 days, 7 days, or 1 day.
b. File activity graph: Displays file activity for the selected permission increase type and cloud service.
c. File event preview: Displays a file event preview for a specific day. Click a point to see more file event details and to optionally open those files in Forensic Search. Learn more about using Forensic Search.
d. Public on the web (Google Drive): Displays when files on your Google Drive are indexed by Google search and are available on the web. Only appears if you are licensed for the Google Drive data source.
e. Public via direct link (Google Drive): Displays when files on your Google Drive are accessible to anyone with a link. Only appears if you are licensed for the Google Drive data source.
f. Public via direct link (OneDrive): Displays when files on your OneDrive are accessible to anyone with a link. Only appears if you are licensed for the OneDrive data source.
g. Public via direct link (Box): Displays when files on your Box account are accessible to anyone with a link. Only appears if you are licensed for the Box data source.
h. Zip files: Displays file events for common archive formats, including compressed files.
   Note: View event details from the resulting Users window is not available for zip files.
i. Activity preview: Displays a preview of the graph of file events.
j. Permission increases: Displays the number of events where a user changed the permission of a file, folder, or drive from private to public. This applies to both public via a direct link and public on the web.
k. Size: Displays total file size for all exposure events in the selected timeframe. Does not include Google file types such as Google Docs or Google Sheets.
l. Users: Displays the number of users who interacted with the file within five minutes of when it was made public. This could include the user who changed the permissions or a user who interacted with the file shortly after the permission change.
   Click any value in this column to open the Users window to see more details about the file activity and to search by a particular user's activity in Forensic Search.
m. Investigate in Forensic Search: Opens Forensic Search. Forensic Search is pre-populated with the selected timeframe and exposure type. Learn more about using Forensic Search.

Users

From the Cloud file activity graph, click the Users column to see the file activity broken out by user. You can then see more file details for each user.

User details from the Cloud file activity graph

Item Description
a. User: Displays the cloud actor name of users who interacted with a file within five minutes of when it was made public. This could include the user who changed the permissions or a user who interacted with the file shortly after the permission change.
b. Permission increases: Displays the number of events where a user changed the permission of a file, folder, or drive from private to public. This applies to both public via a direct link and public on the web.
   Note: File events where a file was moved to a cloud sync folder are not included. See Synced to Cloud Service on the Endpoint file activity graph.
c. Size: Displays total file size for all exposure events in the selected timeframe. For the Cloud Activity tile, this value does not include Google file types such as Google Docs or Google Sheets.
d. Investigate in Forensic Search: Click to see the search results for this user in Forensic Search.
e. View event details: Click to view the employee's file events broken down by destination and file category group.

File event details 

On the Risk Exposure dashboard, click a point on either graph to see more details about that file activity.

File event details from the Risk Exposure dashboard

Item Description
a. File activity summary: Displays a summary of the file activity, including the timeframe of events, the type of exfiltration activity, and the number of users involved.
b. User: Displays the Code42 usernames or cloud actor names of users involved with the file events.
   Click any Code42 username to open their User Profile. (Only available from the Endpoint file activity graph).
c. Events: Shows the number of file events for each user in the timeframe selected.
d. Total size of files: Displays total file size for all exposure events in the selected timeframe.
   For the Cloud Activity tile, this value does not include Google file types such as Google Docs or Google Sheets.
e. Sync destination (Synced to Cloud Service only): Displays the cloud service the file was synced to. This only appears when viewing events on the Synced to Cloud Service graph.
f. View profile (Endpoint File Activity only): Opens the User Profile page for the user.
g. Investigate in Forensic Search: Click to see the search results for this user in Forensic Search.