Risk Exposure reference

Overview

The Risk Exposure dashboard gives you an overview of the different file activity in your Code42 environment. This dashboard lets you know when unusual activity is happening, so you can investigate further in Forensic Search. 

For more information about these dashboards, see Review unusual file activity with the Risk Exposure dashboard.

Considerations

• Add Trusted Domains in Data Preferences to filter out Read by browser or other app file events from domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added. 

• To work with the Risk Exposure dashboard, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for adding users to detection lists.

• Code42 product plans
  • The Risk Exposure dashboard requires a Code42 Diamond or Platinum product plan. 

  • The insider threat summaries and remote employees view require a Code42 Platinum product plan.

  • If you have the Code42 Diamond product plan, you must be licensed for at least one cloud service to see cloud-related file activity. 

• Contact your Customer Success Manager (CSM) for assistance with licensing. If you don't know who your CSM is, email csmsupport@code42.com. 

Insider threat summaries

The insider threat information on the Risk Exposure dashboard summarizes potential exposures you may want to investigate from the Departing Employees and High Risk Employees lists, as well as lists file activity from your remote employees. 

Top users by file activity

This tile shows the employees with the most file activity and highest potential exfiltration risk. It shows the total number of file events and the total size of the files involved in the events for that employee.

Does not include cloud permission changes
The Top users by file activity view does not include events from cloud services where the permissions for a file were changed. It only includes events captured from the employee's endpoint, such as files moved to removable media, uploaded via a browser or other app, and moved into a cloud sync folder on the endpoint. 

To view, sign in to the Code42 console and select Detection > Risk Exposure. 

Item		Description
a	Timeframe	Displays file activity for the last 90 days, 30 days, 7 days, or 1 day.
b	Code42 username | Department/title	Displays the employee's Code42 username, department*, and title*.    Click the Code42 username to see the employee's User Profile.  *If you use User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the department and title attributes if you use Okta provisioning or PingOne provisioning. If you don't use provisioning, this information does not appear and cannot be added manually.
c	Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
d	See file event details	Click to see more details about the employee's file events, such as destinations and file category groups.
e	View top 20	Click to see a list of 20 employees with the most file activity on their endpoints.
f	View by remote activity	Click to see employees generating the most remote activity. When configured, remote activity is detected for endpoint events from out-of-network IP addresses.

Details

On the Top users by file activity tile, click  to see file event details.

Item		Description
a	View profile	Click to open the employee's User Profile.
b	Employee information	Displays the employee's Code42 username, department*, and title*.    *If you use User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the department and title attributes if you use Okta provisioning or PingOne provisioning. If you don't use provisioning, this information does not appear and cannot be added manually.
c	List badge	Displays the lists to which the employee has been added, such as the Departing Employees or High Risk Employees lists.
d	List details	Displays known risk factors from the High Risk Employees lists.
e	Investigate in Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
f	Total endpoint events and size	Displays the total endpoint event count and size of the file events that occurred on the employee's endpoint. Events include files moved to removable media, read by browser or other app, or added to a cloud sync folder. Does not include cloud share permission changes.
g	Endpoint events	Displays the sync destination and file category group of file events that occurred on an employee's endpoint. Events include files moved to removable media, read by browser or other app, or added to a cloud sync folder. Does not include cloud share permission changes.

All activity view

To view, sign in to the Code42 console and select Detection > Risk Exposure.

The All activity view summarizes file activity of all of your employees. You can use it to:

• Provide an organization-wide view of browser upload activity
• Detect organization-wide usage of Dropbox, iCloud, Box, OneDrive and Google Drive
• Offer historical user activity profiles to speed insider threat investigations
• Review all remote file activity

Item		Description
a	All activity	Shows all endpoint file activity across your organization. File events can include files moved to removable media or cloud sync folders, or uploaded to a browser. All activity does not include cloud share permission changes.
b	Remote activity	Click to see all remote endpoint file activity. When configured, remote activity is detected for endpoint events from out-of-network IP addresses.    File events can include files moved to removable media or cloud sync folders, or uploaded to a browser or other app. Remote activity does not include cloud share permission changes.
c	Timeframe	Displays file activity for the last  90 days, 30 days, 7 days, or 1 day.
d	By destination - Cloud service	Displays when a file exists in a folder on the device that is used for syncing with one of these cloud services: Apple iCloud Box Box Drive Dropbox Google Backup and Sync Google Drive Microsoft OneDrive
e	By destination - Browser or app	Displays details about files opened in an app that is commonly used for uploading files, such as a web browser, Slack, FTP client, or curl. If you have configured trusted domains, file events that happen on trusted domains are removed from these counts.
f	By destination - Removable media	Displays when files have been moved to an external device such as a USB drive or hard drive.
g	Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
h	View event details	Click to view the file events broken down by destination or file category group.
i	By file category group	Shows the summary of file activity for the following file categories: Business Documents Documents PDF Presentations Spreadsheets Zip Files Common archive file formats including compressed files. Source Code Common source code formats. Multimedia  Audio Image Video Other Executable Script Uncategorized (files that did not fit any category) Virtual Disk Image For more information about file categories, see Forensic Search file categories.

Endpoint file activity

To view, sign in to the Code42 console and select Detection > Risk Exposure. 

Item		Description
a	Timeframe	Displays file activity for the last 90 days, 30 days, 7 days, or 1 day.
b	File activity graph	Displays file activity for the selected file event type.
c	File event preview	Displays a file event preview for a specific day when you hover over the graph. Click a point to see more file event details from that day and to optionally open those files in Forensic Search. Learn more about using Forensic Search.
d	On removable media	Displays when files have been moved to an external device such as a USB drive or hard drive.
e	Synced to cloud service	Displays when a file exists in a folder on the device that is used for syncing with one of these cloud services: Apple iCloud Box Box Drive Dropbox Google Backup and Sync Google Drive Microsoft OneDrive
f	Read by browser or other app	Displays details about files opened in an app that is commonly used for uploading files, such as a web browser, Slack, FTP client, or curl.
g	Zip files	Displays file events for common archive formats, including compressed files.
h	Activity preview	Displays a preview of the graph of file activity.
i	Events	Shows the number of file events for the entire timeframe selected. File events can include events where a file was moved to removable media or cloud sync folders, or uploaded to a browser.   Note: Endpoint events do not include cloud share permission changes. See cloud share permission changes on the Cloud file activity graph.
j	Size	Displays total file size for all exposure events in the selected timeframe.
k	Users	Click any value in this column to open the Users window to see more details about the file activity and to search by a particular user's activity in Forensic Search.
l	Investigate in Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.

Users

From the Endpoint file activity graph, click the Users column to see the file activity broken out by user. You can then see more file details for each user.

Item		Description
a	Code42 username | Department/title	Displays the Code42 usernames of employees involved with the file events. If you use provisioning, their department and title are shown. (For User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. For Okta provisioning, you must first add the department and title attributes in Okta.) Click any username to open their User Profile.
b	Events	Shows the number of file events for each user in the timeframe selected.    File events can include events where a file was moved to removable media or cloud sync folders, or was uploaded to a browser.   Note: Cloud share permission changes are not included. See cloud share permission changes on the Cloud file activity graph.
c	Size	Displays total file size for all exposure events in the selected timeframe.
d	Sync Destination   (Synced to Cloud Service option only)	Displays the cloud service the file was synced to. This only appears when viewing events on the Synced to Cloud Service graph.
e	Investigate in Forensic Search	Click to see the search results for this user in Forensic Search.
f	View event details	Click to view the employee's file events broken down by destination and file category group.

Cloud file activity

To view, sign in to the Code42 console and select Detection > Risk Exposure. 
Visible only with licensing for one or more cloud service data sources

Item		Description
a	Timeframe	Displays file activity for the last 90 days, 30 days, 7 days, or 1 day.
b	File activity graph	Displays file activity for the selected permission increase type and cloud service.
c	File event preview	Displays a file event preview for a specific day. Click a point to see more file event details and to optionally open those files in Forensic Search. Learn more about using Forensic Search.
d	Public on the web (Google Drive)	Displays when files on your Google Drive are indexed by Google search and are available on the web. Only appears if you are licensed for the Google Drive data source.
e	Public via direct link (Google Drive)	Displays when files on your Google Drive are accessible to anyone with a link. Only appears if you are licensed for the Google Drive data source.
f	Public via direct link (OneDrive)	Displays when files on your OneDrive are accessible to anyone with a link. Only appears if you are licensed for the OneDrive data source.
g	Public via direct link (Box)	Displays when files on your Box account are accessible to anyone with a link. Only appears if you are licensed for the Box data source.
h	Zip files	Displays file events for common archive formats, including compressed files.   Note: View event details from the resulting Users window is not available for zip files.
i	Activity preview	Displays a preview of the graph of file events.
j	Permission increases	Displays the number of events where a user changed the permission of a file, folder, or drive from private to public. This applies to both public via a direct link or public on the web.
k	Size	Displays total file size for all exposure events in the selected timeframe. Does not include Google file types such as Google Docs or Google Sheets.
l	Users	Displays the number of users who interacted with the file within five minutes of when it was made public. This could include the user who changed the permissions or a user who interacted with the file shortly after the permission change.  Click any value in this column to open the Users window to see more details about the file activity and to search by a particular user's activity in Forensic Search.
m	Investigate in Forensic Search	Opens Forensic Search. Forensic Search is pre-populated with the selected timeframe and exposure type. Learn more about using Forensic Search.

Users

From the Cloud file activity graph, click the Users column to see the file activity broken out by user. You can then see more file details for each user.

Item		Description
a	User	Displays the cloud actor name of users who interacted with a file within five minutes of when it was made public. This could include the user who changed the permissions or a user who interacted with the file shortly after the permission change.
b	Permission increases	Displays the number of events where a user changed the permission of a file, folder, or drive from private to public. This applies to both public via a direct link or public on the web.    Note: File events where a file was moved to a cloud sync folder are not included. See Synced to Cloud Service on the Endpoint file activity graph.
c	Size	Displays total file size for all exposure events in the selected timeframe. For the Cloud Activity tile, this value does not include Google file types such as Google Docs or Google Sheets.
d	Investigate in Forensic Search	Click to see the search results for this user in Forensic Search.
e	View event details	Click to view the employee's file events broken down by destination and file category group.

File event details 

On the Risk Exposure dashboard, click a point on either graph to see more details about that file activity.

Item		Description
a	File activity summary	Displays a summary of the file activity, including the timeframe of events, the type of exfiltration activity, and the number of users involved.
b	User	Displays the Code42 usernames or cloud actor names of users involved with the file events. Click any Code42 username to open their User Profile. (Only available from the Endpoint file activity graph).
c	Events	Shows the number of file events for each user in the timeframe selected.
d	Total size of files	Displays total file size for all exposure events in the selected timeframe.   For the Cloud Activity tile, this value does not include Google file types such as Google Docs or Google Sheets.
e	Sync destination Synced to Cloud Service only)	Displays the cloud service the file was synced to. This only appears when viewing events on the Synced to Cloud Service graph.
f	View profile  (Endpoint File Activity only)	Opens the User Profile page for the user.
g	Investigate in Forensic Search	Click to see the search results for this user in Forensic Search.

Related topics