Risk Exposure dashboard reference
Who is this article for?
Incydr, yes.
CrashPlan for Enterprise, no.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Overview
The Risk Exposure dashboard provides an overview of the different types of file activity in your Code42 environment. This dashboard helps you identify when unusual activity is happening, so you can investigate further in Forensic Search.
For more information about how to use these dashboards, see Review unusual file activity with the Risk Exposure dashboard.
Considerations
-
To work with the Risk Exposure dashboard, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for adding users to detection lists.
- Feature visibility:
-
The insider threat summaries require a product plan that includes Risk Detection lenses.
- Contact your Customer Success Manager (CSM) for assistance with licensing. If you don't know who your CSM is, email csmsupport@code42.com.
Insider threat summaries
The insider threat information on the Risk Exposure dashboard summarizes potential exposures you may want to investigate from the Departing Employees and High Risk Employees lists, as well as lists file activity from your most active employees.
High Risk Employees summary
To view, sign in to the Code42 console and select Detection > Risk Exposure.
This tile summarizes the information shown in the High Risk Employees list. Clicking either value opens the High Risk Employees list with those results shown.
If you don't have any employees added to the High Risk Employees list, the values are zero.
Click View all to see all the employees that have been added to the list. Click Add to list to add an employee to the High Risk Employees list.
Departing Employees summary
To view, sign in to the Code42 console and select Detection > Risk Exposure.
This tile summarizes the information shown in the Departing Employees list. Clicking any value opens the Departing Employees list with those results shown.
If you don't have any employees added to the Departing Employees list, the values are zero.
Click View all to see all the employees that have been added to the list. Click Add to list to add an employee to the Departing Employees list.
Top users by file activity
This tile shows the employees with the most file activity. It shows the total number of file events and the total size of the files involved in the events for that employee.
The Top users by file activity view does not include events from cloud services where the permissions for a file were changed. It only includes events captured from the employee's endpoint, such as files moved to removable media, uploaded via a browser or other app, and moved into a cloud sync folder on the endpoint.
To view, sign in to the Code42 console and select Detection > Risk Exposure.
| Item | Description | |
|---|---|---|
| a | Timeframe | Displays file activity for the last 90 days, 30 days, 7 days, or 1 day. |
| b | Code42 username | Department/title |
Displays the employee's Code42 username, department*, and title*.
Click the Code42 username to see the employee's User Profile. |
| c | Forensic Search |
Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search. |
| d | See file event details  |
Click to see more details about the employee's file events, such as destinations and file category groups. |
| e | View top 20 | Click to see a list of 20 employees with the most file activity on their endpoints. |
| f | View by remote activity | Click to see employees generating the most remote activity. When configured, remote activity is detected for endpoint events from out-of-network IP addresses. |
Details
On the Top users by file activity tile, click to see file event details.
| Item | Description | |
|---|---|---|
| a | View profile  |
Click to open the employee's User Profile. |
| b |
Employee information |
Displays the employee's Code42 username, department*, and title*.
*If you use User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the department and title attributes if you use Okta provisioning or PingOne provisioning. If you don't use provisioning, this information does not appear and cannot be added manually. |
| c | List badge | Displays the lists to which the employee has been added, such as the Departing Employees or High Risk Employees lists. |
| d | List details | Displays known risk factors from the High Risk Employees lists. |
| e | Investigate in Forensic Search |
Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search. |
| f | Total endpoint events and size | Displays the total count and size of the file events that occurred on the employee's endpoint. Events include files moved to removable media, read by browser or other app, or added to a cloud sync folder. Does not include cloud share permission changes. |
| g | Endpoint events | Displays the sync destination and file category group of file events that occurred on an employee's endpoint. Events include files moved to removable media, read by browser or other app, or added to a cloud sync folder. Does not include cloud share permission changes. |
All activity view
To see all file activity across your organization, sign in to the Code42 console and select Detection > Risk Exposure.
- The Endpoint activity tab summarizes file activity that occurs on the devices of your employees.
- Use the Cloud sharing tab to see all files in your cloud services that had permission changes, making them available via a direct link or public on the web.
- Use the Remote activity tab to review all remote file activity occurring on an endpoint. Remote activity is determined to be any file activity that occurs outside of your trusted IP addresses.
| Item | Description | |
|---|---|---|
| a | Endpoint activity | Shows all endpoint file activity across your organization. File events include files moved to removable media or cloud sync folders, or viewed in a browser or other app. |
| b | Cloud sharing | Shows file activity where permissions were increased on a file in your cloud services, making the file available via a direct link or publicly available on the web. This tab requires Code42 access to your cloud services. |
| c | Remote activity |
Shows all remote file activity that occurred on an endpoint. File events can include files moved to removable media or cloud sync folders, or viewed in a browser or other app.
When configured, remote activity is detected for endpoint events from out-of-network IP addresses. |
| d | Timeframe | Displays file activity for the last 90 days, 30 days, 7 days, or 1 day. |
| e | By destination - Cloud service | Displays when a file exists in a folder on the device that is used for syncing with one of these cloud services:
|
| f | By destination - Browser or app | Displays details about files opened in an app that is commonly used for uploading files, such as a web browser, Slack, FTP client, or curl. If you have configured trusted domains, file events that happen on trusted domains are removed from these counts. |
| g | By destination - Removable media | Displays when files have been moved to an external device such as a USB drive or hard drive. Click View event details to see file activity broken out by removable media device vendor and bus type. "Other" is shown when the vendor and bus type cannot be determined.
Removable media vendor preview
If vendor details do not appear in this view, you can still view them in Forensic Search. The removable media vendor is not available in this view for file events that occurred prior to August 12, 2020. For example, you may see vendor details when looking at the last 7 days of file events, but if you switch to 90 days and that view includes file events that occurred before August 12, 2020, those details will not be available in this view. Instead, click Investigate in Forensic Search to see those details. |
| h | By file category group | |
| i | Forensic Search |
Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search. |
| j | View event details  |
Click to view the file events broken down by destination or file category group. |
Endpoint activity over time
To view, sign in to the Code42 console and select Detection > Risk Exposure.
| Item | Description | |
|---|---|---|
| a | Timeframe | Displays file activity for the last 90 days, 30 days, 7 days, or 1 day. |
| b | File activity graph |
Displays file activity for the selected file event type. |
| c | File event preview | Displays a file event preview for a specific day when you hover over the graph. Click a point to see more file event details from that day and to optionally open those files in Forensic Search. Learn more about using Forensic Search. |
| d | On removable media | Displays when files have been moved to an external device such as a USB drive or hard drive. Click a point on the graph to see the vendor name of the removable media device.
Removable media vendor preview
If vendor details do not appear in this view, you can still view them in Forensic Search. The removable media vendor is not available in this view for file events that occurred prior to August 12, 2020. For example, you may see vendor details when looking at the last 7 days of file events, but if you switch to 90 days and that view includes file events that occurred before August 12, 2020, those details will not be available in this view. Instead, click Investigate in Forensic Search to see those details. |
| e | Synced to cloud service | Displays when a file exists in a folder on the device that is used for syncing with one of these cloud services:
|
| f | Read by browser or other app | Displays details about files opened in an app that is commonly used for uploading files, such as a web browser, Slack, FTP client, or curl. |
| g | Zip files | Displays file events for common archive formats, including compressed files. |
| h | Activity preview | Displays a preview of the graph of file activity. |
| i | Events |
Shows the number of file events for the entire timeframe selected. File events can include events where a file was moved to removable media or cloud sync folders, or uploaded to a browser.
Note: Endpoint events do not include cloud share permission changes. See cloud share permission changes on the Cloud sharing over time graph. |
| j | Size | Displays total file size for all exposure events in the selected timeframe. |
| k | Investigate in Forensic Search |
Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search. |
| l | View event details |
Click to see more details about the file activity and to search by a particular user's activity in Forensic Search. |
Users
From the Endpoint activity over time graph, click the Users column to see the file activity broken out by user. You can then see more file details for each user.
| Item | Description | |
|---|---|---|
| a | Code42 username | Department/title |
Displays the Code42 usernames of employees involved with the file events. If you use provisioning, their department and title are shown. (For User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. For Okta provisioning, you must first add the department and title attributes in Okta.) |
| b | Events |
Shows the number of file events for each user in the timeframe selected.
File events can include events where a file was moved to removable media or cloud sync folders, or was uploaded to a browser.
Note: Cloud share permission changes are not included. See cloud share permission changes on the Cloud sharing over time graph. |
| c | Size | Displays total file size for all exposure events in the selected timeframe. |
| d |
Sync Destination (Synced to Cloud Service option only) |
Displays the cloud service the file was synced to. This only appears when viewing events on the Synced to Cloud Service graph. |
| – |
Vendor
(Removable media only) |
Displays the vendor name of the removable media device. If the vendor name cannot be identified, it is listed as "Other".
Removable media vendor preview
If vendor details do not appear in this view, you can still view them in Forensic Search. The removable media vendor is not available in this view for file events that occurred prior to August 12, 2020. For example, you may see vendor details when looking at the last 7 days of file events, but if you switch to 90 days and that view includes file events that occurred before August 12, 2020, those details will not be available in this view. Instead, click Investigate in Forensic Search to see those details. |
| e | Investigate in Forensic Search |
Click to see the search results for this user in Forensic Search. |
| f | View event details |
Click to view the employee's file events broken down by destination and file category group. |
Cloud sharing over time
To view, sign in to the Code42 console and select Detection > Risk Exposure.
Visible only with licensing for one or more cloud service data sources.
| Item | Description | |
|---|---|---|
| a | Timeframe | Displays file activity for the last 90 days, 30 days, 7 days, or 1 day. |
| b | File activity graph | Displays file activity for the selected cloud service. |
| c | File event preview | Displays a file event preview for a specific day. Click a point to see more file event details and to optionally open those files in Forensic Search. Learn more about using Forensic Search. |
| d | Public on the web (Google Drive) | Displays when files on your Google Drive are indexed by Google search and are available on the web. Only appears if you are licensed for the Google Drive data source. |
| e | Public via direct link (Google Drive) | Displays when files on your Google Drive are accessible to anyone with a link. Only appears if you are licensed for the Google Drive data source. |
| f | Public via direct link (OneDrive) | Displays when files on your OneDrive are accessible to anyone with a link. Only appears if you are licensed for the OneDrive data source. |
| g | Public via direct link (Box) | Displays when files on your Box account are accessible to anyone with a link. Only appears if you are licensed for the Box data source. |
| h | Zip files |
Displays file events for common archive formats, including compressed files.
Note: View event details from the resulting Users window is not available for zip files. |
| i | Activity preview | Displays a preview of the graph of file events. |
| j | Permission increases | Displays the number of file events where a user changed the permission of a file in your cloud service from private to public. |
| k | Size | Displays total file size for all exposure events in the selected timeframe. Does not include Google file types such as Google Docs or Google Sheets. |
| l | Investigate in Forensic Search |
Opens Forensic Search. Forensic Search is pre-populated with the selected timeframe and exposure type. Learn more about using Forensic Search. |
| m | View event details |
Click to see more details about the file activity and to search by a particular user's activity in Forensic Search.
Displays the number of users who interacted with the file within 5 minutes of when it was made public. This could include the user who changed the permissions or a user who interacted with the file shortly after the permission change. |
Users
From the Cloud sharing over time graph, click the Users column to see the file activity broken out by user. You can then see more file details for each user.
| Item | Description | |
|---|---|---|
| a | User |
Displays the cloud actor name of users who interacted with a file within five minutes of when it was made public. This could include the user who changed the permissions or a user who interacted with the file shortly after the permission change. |
| b | Permission increases |
Displays the number of file events where a user changed the permission of a file in your cloud service from private to public.
Note: File events where a file was moved to a cloud sync folder are not included. See Synced to Cloud Service on the Endpoint activity over time graph. |
| c | Size | Displays total file size for all exposure events in the selected timeframe. For the Cloud sharing over time tile, this value does not include Google file types such as Google Docs or Google Sheets. |
| d | Investigate in Forensic Search |
Click to see the search results for this user in Forensic Search. |
| e | View event details |
Click to view the employee's file events broken down by destination and file category group. |
File event details
On the Risk Exposure dashboard, click a point on either graph to see more details about that file activity.
| Item | Description | |
|---|---|---|
| a | File activity summary | Displays a summary of the file activity, including the timeframe of events, the type of exfiltration activity, and the number of users involved. |
| b | User | Displays the Code42 usernames or cloud actor names of users involved with the file events. Click any Code42 username to open their User Profile. (Only available from the Endpoint activity over time graph). |
| c | Events | Shows the number of file events for each user in the timeframe selected. |
| d | Total size of files |
Displays total file size for all exposure events in the selected timeframe.
For the Cloud sharing over time tile, this value does not include Google file types such as Google Docs or Google Sheets. |
| e |
Exfiltration details
(On removable media and Synced to cloud service only) |
Displays additional details about the file events for that particular type of exfiltration:
Removable media vendor preview
If vendor details do not appear in this view, you can still view them in Forensic Search. The removable media vendor is not available in this view for file events that occurred prior to August 12, 2020. For example, you may see vendor details when looking at the last 7 days of file events, but if you switch to 90 days and that view includes file events that occurred before August 12, 2020, those details will not be available in this view. Instead, click Investigate in Forensic Search to see those details. |
| f | View profile (Endpoint activity over time only) |
Opens the User Profile page for the user. |
| g | Investigate in Forensic Search  |
Click to see the search results for this user in Forensic Search. |
Related topics
- Manage Code42 network traffic for remote employees
- Review unusual file activity with the Risk Exposure dashboard
- Enable endpoint monitoring for file exfiltration detection
- Enable File Metadata Collection (formerly Forensic File Search)
- Departing Employees reference
- High Risk Employees reference
- Endpoint dashboard reference