User Activity and Activity Notifications reference

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:

On-premises

Overview

This article describes how to use the User Activity and Activity Notifications sections of the Code42 console to detect and analyze potential file exfiltration activity throughout your organization.

Access requirements

Endpoint monitoring must be enabled in your Code42 environment.

Permissions for Investigation access
The Customer Cloud Admin role includes access to the Investigation section of the Code42 console automatically. To grant access to a user with a different role, assign the Security Center User role.

If file exfiltration detection is included in your product plan but you can’t access the Investigation section of the Code42 console, go to My Profile to ensure you have the required permissions. Contact our Customer Champions for support if you do not have the necessary role or permissions.

User Activity

User Activity functionality varies based on your product plan
The User Activity screen may appear as the User Profile page if your product plan supports it. For more information about the enhanced functionality of the User Profile, see the User Profile reference.

Search for user activity

To begin a user search:

Sign in to the Code42 console.
Select Investigation > User Activity.

Advanced search options
If you are licensed for File Metadata Collection with the endpoint data source, user activity for Cloud Folders, Removable Media, and Application Activity is also available via the Investigation > Forensic Search section of the Code42 console.

Exposure filters in Forensic Search introduce more advanced search options, and also display some file activity details in the Code42 console that were previously only available via CSV export. For more details, see the Forensic Search reference guide.

User Activity search

Item		Description
a	Username	Enter the username of the user to search.
b	Dates	Specifies the start and end dates of the search query. Select Most Current to select the current date. The start and end dates must be no more than 62 days apart.
c	Search	Submits the search and returns the activity results.

User activity results

View summaries and charts for the following endpoint monitoring event types:

Cloud Folders
Removable Media
Files Restored
Application Activity

User_activity_results

Item		Description
a	User Details	Lists details about the user, including the user's organization, number of devices, and if the user is included in an activity profile.
b	Activity Profile	If the user is included in an activity profile, the profile name displays here. Click the name for menu options to view details of the profile or remove the user from the profile. If the user is not included in an activity profile, a link to Add to a Profile appears.
c	Action menu	Displays the option to Export CSV, which downloads a CSV file containing line item details for the activities summarized in the search results.
d	Dates	Specifies the start and end dates of the search query. Select different dates to update the results. The start and end dates must be no more than 62 days apart.
e	Activity summary	Indicates the number of files and total size of files for each event type. Each event type also includes a chart below with more details.
f	Cloud Folders	Number and size of files transferred to cloud services, including Box, Box Drive (Mac only), Dropbox, Google Drive, Google Backup and Sync, iCloud, and OneDrive. Blue indicates added files Green indicates modified files Google replaced Google Drive with Backup and Sync, but results for previous Google Drive activity still appear.
g	Action menu	Displays the option to export a CSV file with line-item details of the activity summarized in the chart.
h	Removable Media	Number and size of files transferred to removable media, such as USB drives, external hard drives, memory cards, etc. Blue indicates added files Green indicates modified files
i	Files Restored	Number and size of files restored from the Code42 app. Applies only to Code42 environments where file restore detection was enabled prior to January 29, 2020.
j	Application Activity	Number and size of files opened in an app that is commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl. This may also include other instances of applications accessing a file, such as opening a local file to view it in a web browser without actually uploading it. Considerations for previous Code42 app versions Devices using Code42 app versions older than 6.9.0 only monitored activity in web browsers, and only on Windows devices. Version 6.9.0 expands upload and download detection to include Macs as well as other applications, such as Slack, FileZilla, FTP, and cURL. Devices using Code42 app version 6.7.1 and later report upload and download activity separately. Older versions of the Code42 app do not differentiate between upload and download activity, so all browser activity is reported as "Open (undefined)."

Export CSV

When exporting results to a CSV file, you can select which types of detection events to include. The exported file contains extensive activity details, including timestamps and numerous user and device details.

Export_User_Activity_CSV

Item	Description
Device Appeared	Includes detection of storage devices that are connected to the user's device.
Device Disappeared	Includes detection of storage devices that are disconnected from the user's device.
Device File Activity	Includes detection of file creation, modification, or deletion on connected devices.
Device Scan Result	Includes scanning of files on connected devices for the following types of events: Files moved to removable media devices Files created on removable media devices Files modified on removable media devices
Personal Cloud File Activity	Includes detection of file activity in a personal cloud.
Personal Cloud Scan Result	Includes scanning of personal cloud drives.
Restore Job	Includes detection of restore activity.
Restore File	Includes detection of restored files.
Application Activity	Includes detection of files accessed by web browsers and other applications (for example, uploading attachments to web-based email or downloading files via FTP). This may also include other instances of applications accessing a file, such as opening a local file to view it in a web browser without actually uploading it. Devices using Code42 app versions older than 6.9.0 only monitored activity in web browsers, and only on Windows devices.
Cancel	Cancels the export.
Export	Downloads the CSV file of the exported data.

CSV export field descriptions

All event timestamps are based on the time and date provided by the user's device, which are then converted to Coordinated Universal Time (UTC).
No single event contains values for every column. The CSV export includes columns for all possible event types, so individual events report null for items that don't apply.

Preserve data types and number formats
In some spreadsheet applications, including Microsoft Excel, opening the CSV file may default to displaying long numbers in scientific notation format (for example, 6.60805E+17). See Import CSV reports to Microsoft Excel for steps to correct this formatting.

Field	Description
eventType	Indicates the type of detection event. DEVICE_APPEARED: Removable media connected to the user's device. DEVICE_DISAPPEARED: Removable media disconnected from the user's device. DEVICE_SCAN_RESULT: If removable media scanning is enabled, an event is created for each file on the removable media each time it is connected. (Removable media scanning is off by default.) These events provide a snapshot of the files on the drive at the time it was connected. PERSONAL_CLOUD_SCAN_RESULT: If cloud folder scanning is enabled, an event is created for each file in the cloud folder stored locally on the user's device. (Cloud folder scanning is off by default.) These events provide a snapshot of the files in the cloud folder at the time of the scan. DEVICE_FILE_ACTIVITY: Describes the type of file activity on removable media. Possible values are Create, Modify, and Delete. PERSONAL_CLOUD_FILE_ACTIVITY: Describes the type of file activity in folders stored locally on the user's device used for syncing with cloud services. Possible values are Create, Modify, and Delete. RESTORE_JOB: Indicates the beginning or end of a restore event. For example, if a user restores three files, there will be five rows in the CSV: the starting RESTORE_JOB event, three RESTORE_FILE events, and the ending RESTORE_JOB event. RESTORE_FILE: Indicates the file was restored from the backup archive. FILE_OPENED: Indicates a file was opened in an app commonly used for uploading and downloading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
formattedTimestamp	Coordinated Universal Time (UTC) timestamp of when the event was processed. In most cases, this is the time the event was sent to the Code42 cloud, but if a network connection is unavailable or something else prevents the device from sending the event, this time represents the first attempt to send the event. This time may differ slightly from the formattedDetectionTimestamp (see below), which indicates when the user's device initially observed the event.
deviceGuid	Code42's Globally Unique Identifier (GUID) of the device which recorded the event.
userUid	Code42's unique identifier of the user who owns the device which recorded the event.
OSUser	The signed-in user at the time the event was detected, as reported by the device's operating system.
deviceAddress	Internal IP address and port of the device which recorded the event at the time the event was recorded.
deviceRemoteAddress	External IP address and port of the device which recorded the event at the time the event was recorded.
version	The Code42 internal version number of the data structure used for this CSV file. In most cases, this is of limited use, but newer versions may include additional columns.
busType	The type of connection that attaches this device to the computer. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT.
vendorName	The name of the vendor of this device. This value is not provided for all devices, so may be `null` in some cases. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT events.
deviceName	The name of the device. This value is not provided by all devices, so may be `null` in some cases. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT events.
serialNumber	The serial number of the connected hardware, as reported by the device's operating system. This value is not provided by all devices, so it may be `null` in some cases. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT.
capacity	The total capacity of the device in bytes. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT events.
mediaName	The media name of the device, as reported by the vendor/device. This is usually very similar to the `productName`, but can vary based on the type of device. For example, if the device is a hard drive in a USB enclosure, this may be the combination of the drive model and the enclosure model. This value is not provided by all devices, so it may be null in some cases. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT. Only available for events captured by Code42 app version 7.2.0 and later.
volumeName	The name assigned to the volume when it was formatted, as reported by the device's operating system. This is also frequently called the "partition" name. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT. Only available for events captured by Code42 app version 7.2.0 and later.
partitionGuid	A unique identifier assigned to the volume/partition when it was formatted. Windows devices refer to this as the `VolumeGuid`. On Mac devices, this is the `Disk / Partition UUID`, which appears when running the Terminal command `diskUtil info`. Included for DEVICE_APPEARED, DEVICE_DISAPPEARED, DEVICE_FILE_ACTIVITY, and DEVICE_SCAN_RESULT. Only available for events captured by Code42 app version 7.2.0 and later.
productName	The name of the cloud service associated with the event (for example, Box, Google Drive, etc.). Included for PERSONAL_CLOUD_FILE_ACTIVITY and PERSONAL_CLOUD_SCAN_RESULT events.
dataLocation	The local file path on the user's device of the cloud sync folder (for example, C:\Users\Clyde\Documents\Dropbox). Included for PERSONAL_CLOUD_FILE_ACTIVITY and PERSONAL_CLOUD_SCAN_RESULT events.
processName	The name of the process that triggered this event. Included for FILE_OPENED events. On Mac devices, AirDrop activity is indicated by the process name /usr/libexec/sharingd.
processOwner	The username of the process owner. Included for FILE_OPENED events.
restoreId	Code42's unique identifier of the restore job. Included for RESTORE_JOB and RESTORE_FILE events. Use this ID to identify groups of files restored at the same time.
restoreType	Type of the restore. Included for RESTORE_JOB events. Possible values: PUSH: Restore was initiated from the Code42 console and files were restored via the Code42 app on the target device. CLIENT: Restore was initiated from the Code42 app on the device and files were restored to that device. WEB: Restore was initiated from the Code42 console and files were restored via .zip file download.
status	Status of the restore. Included for RESTORE_JOB events. Possible values: CANCELED: Used to identify a RESTORE_JOB that stopped before completion. COMPLETED: Used to identify the RESTORE_JOB record at the end of the restore session. STARTED: Used to identify the RESTORE_JOB record at the beginning of the restore session.
requestingUserId	Code42's unique identifier of the user who initiated the file restore. Included for RESTORE_JOB events.
sourceGuid	Code42's Globally Unique Identifier (GUID) of the device that originally backed up the files being restored. Included for RESTORE_JOB events.
targetGuid	Code42's Globally Unique Identifier (GUID) of the device to which files are being restored. Included for RESTORE_JOB events.
nodeGuid	Code42's Globally Unique Identifier (GUID) of the storage destination containing the files being restored. Included for RESTORE_JOB events.
formattedCompletedDate	Coordinated Universal Time (UTC) timestamp of when the restore job completed successfully. Included for RESTORE_JOB events.
formattedStartDate	Coordinated Universal Time (UTC) timestamp of when the restore job started. Included for RESTORE_JOB events.
totalBytes	The total number of bytes restored. Included for RESTORE_JOB events.
totalFiles	The total number of files restored. Included for RESTORE_JOB events.
problemCount	The number of problems found when restoring. Included for RESTORE_JOB events.
failedChecksumCount	The number of failed checksums found when restoring. Included for RESTORE_JOB events.
fileName	The name of the file.
fullPath	The full path of the file, including the filename. The path separators are determined by the operating system on the device that generated the event. For example, "/" on Mac and "\" on Windows.
fileEventType	The type of event that occurred to this file. Possible values: CREATE: Indicates the file was created. Applies to DEVICE_FILE_ACTIVITY and PERSONAL_CLOUD_FILE_ACTIVITY events. DELETE: Indicates the file was deleted. Applies to DEVICE_FILE_ACTIVITY and PERSONAL_CLOUD_FILE_ACTIVITY events. MODIFY: Indicates the file was modified. Applies to DEVICE_FILE_ACTIVITY and PERSONAL_CLOUD_FILE_ACTIVITY events. SCAN: Indicates the file was identified during a removable media scan or cloud folder scan. Applies to DEVICE_SCAN_RESULT and PERSONAL_CLOUD_SCAN_RESULT events. OPEN: Indicates a file was opened by a web browser. Applies to FILE_OPENED events captured on devices using Code42 app version 6.7.0 and earlier. Devices using Code42 app version 6.7.1 and later report upload and download activity separately as either fileEventType DOWNLOAD and UPLOAD. DOWNLOAD: Indicates the file was downloaded by an app commonly used for transferring files, such as a web browser, Slack, AirDrop, FTP client, or curl. Applies to FILE_OPENED events. UPLOAD: Indicates the file was uploaded by an app commonly used for transferring files, such as a web browser, Slack, AirDrop, FTP client, or curl. Applies to FILE_OPENED events. RESTORE: Indicates the file was restored. Applies to RESTORE_FILE events.
fileType	Indicates the type of file observed in this event. The most common values are: FILE: Indicates the event applies to a file DIR: Indicates the event applies to a directory SYSMLINK: Indicates the event applies to symlink (also called a symoblic link or soft link) Under very rare circumstances, it may also be possible to see the following values: UNKNOWN, WIN_NDS (named data stream), MAC_RSRC (Mac resource fork), FIFO (a named pipe), BLOCK_DEVICE, CHAR_DEVICE,SOCKET, BUNDLE
length	Size in bytes of the file.
formattedLastModified	Coordinated Universal Time (UTC) timestamp of when the file was last modified. This timestamp is updated when either file metadata or file contents change. In Linux filesystems, this is also know as the `cTime`.
md5	The MD5 hash of the file.
sha256	The SHA256 hash of the file.
mimeType	The file's MIME type, based on both file extension and file content.
formattedDetectionTimestamp	Coordinated Universal Time (UTC) timestamp of when the file activity occurred. This timestamp most closely aligns with the time the file event actually occurred on the device.
formattedContentChangeTimestamp	Coordinated Universal Time (UTC) timestamp of when content of the file was last changed. In Linux filesystems, this is also know as the `mTime`. This may be different from the `lastModified` timestamp, which is also updated when only file metadata changes.
formattedCreateTimestamp	Coordinated Universal Time (UTC) timestamp of when the file was created.
fileOwnerUsername	The name of the user who owns the file, as reported by the device's operating system.
restoreSuccessful	Indicates if a file was restored successfully. Only applies to RESTORE_FILE events. TRUE = File restore was successful FALSE = File restore was unsuccessful

Deprecated columns
Previous versions of the CSV export contained additional fields that are no longer exported.

All Unix epoch timestamp columns were removed because the corresponding "formatted" timestamp columns provide the same information in a more user-friendly format. Affected columns: timestamp, lastModified, detectionTimestamp, contentChangeTimestamp, createTimestamp, startDate, completedDate.
Total count columns relevant only to viewing the data in JSON format were removed because the fields do not apply to the CSV format. Affected columns: totalNum, totalBytes, addedNum, addedBytes, modifiedNum, modifiedBytes, deletedNum, deletedBytes, downloadedNum, downloadedBytes, uploadedNum, uploadedBytes, openedNum, openedBytes.

Activity Notifications

Activity Notifications functionality varies based on your product plan
If your product plan includes advanced alerting criteria, Activity Notifications profiles are replaced by Alerts. To continue receiving notifications, you must migrate any existing profiles to new alert rules. See Migrate Activity Notification profiles to alerts.

If your product plan includes advanced alerting criteria and you do not have any existing profiles, this article doesn't apply to you. See Create and manage alerts for details on how to set up alerts that notify you of suspicious file activity.

With activity notifications, administrators can monitor file activity for specific high-risk users and receive an email notification when suspicious activity occurs. See Configure activity profiles for additional information.

Not available in the Code42 federal environment
Activity notifications are not available in the Code42 federal environment. Instead, use Alerts to create alert rules that automatically notify you of suspicious file activity.

Activity profile list

To view the list of activity profiles, select Investigation > Activity Notifications.

Activity Notifications profile list

Item		Description
a	Create New Profile	Displays options to create a new activity profile.
b	Report Name	List of activity profile names.
c	Date Modified	Indicates last date the profile was modified.
d	Total Number of Users	Indicates number of users in the profile.
e	Activity profile list	List of activity profiles. Select a row to view activity profile details. Select the checkbox next to the profile for the option to delete the profile.

Activity profile details

To view details for an activity profile, go to Investigation > Activity Notifications and click the row of the profile you want to view.

Activity profile details

Item		Description
a	Activity profile name	Indicates the profile name.
b	Profile details	Includes details about the activity profile: Last modified: Date the profile was last modified. Modified by: Username of the person to last modify the profile. Number of users: Total number of users being monitored by the profile. Created on: Date the profile was initially created. Created by: Username of the person who created the profile. Recipient: Email address of the person who receives notifications when a user in the profile exceeds an activity threshold. Scan frequency: Determines how soon the email recipient is notified. Total file size: The total size of files in megabytes (MB) a user must move to generate a notification. Number of files: The total number of files a user must move to generate a notification. File locations: Lists which file activities (removable media and cloud services file transfers) are being monitored by the profile.
c	Action menu	Provides options to Edit This Profile and Delete This Profile.
d	Add User	Displays the Add User screen.
e	Select users	Click to select users for removal from the profile.
f	Username	Name of the user.
g	Organization	The user's organization.
h	Added by	Username of the person who added this user to the activity profile.
i	Added on	Date the user was added to the activity profile.
j	Status	Active: The user's endpoint is being monitored. Conflict: The user's endpoint is not being monitored, most likely because of conflicting configuration of the organization and activity profile.
k	Last file activity	Most recent date and time any activity being monitored in this profile was detected, even if it did not exceed the threshold required to send a notification. If the user has never performed the activity being monitored in this profile (for example, never moved a single file to removable media), the field displays Never.
l	Last security notification	Most recent date and time security events were detected that exceeded the limits set in the activity profile. An email notification was also sent to the "Recipient" listed above at this time. If the user's activity has never exceeded the limits set in the activity profile, the field displays Never.

Create New Activity Profile

To create a new activity profile, go to Investigation > Activity Notifications and click Create New Profile.

Create New Activity Profile

Item		Description
a	Profile name	The name of the activity profile, which appears in the list of profiles on the Activity Notifications screen. You can change the name at any time.
b	Notification Recipient	The email address of the person to receive notifications when a user exceeds a file activity threshold. Email notifications are limited to a single address.
c	Scan Frequency	The options range from 2 to 24 hours. The frequency determines how soon the email recipient is notified. For example, selecting Within 2 hours of detection generates an email if a user exceeds a file activity threshold within the previous two-hour period.
d	Removable Media	Select Removable Media to monitor file-transfer activity to USB drives, external hard drives, memory cards, etc.
e	Cloud Services	Select the cloud services you want to monitor for file-transfer activity. Activity profiles monitor the installed desktop apps for Box, Box Drive (Mac only), Dropbox, Google Backup and Sync, Apple iCloud, and Microsoft OneDrive. Activity profiles do not monitor file uploads and downloads.
f	Total file size	Defines the total size of files in megabytes (MB) a user must move to trigger a notification.
g	Ignore file size	Select to ignore file size and only monitor file count in this profile. You cannot exclude both file size and file count.
h	Total file count	Defines the total number of files a user must move to generate a notification.
i	Ignore file count	Select to ignore file count and only monitor file size in this profile. You cannot exclude both file size and file count.
j	Cancel	Cancels creation of the new activity profile.
k	Save	Creates the activity profile.

Add User

To view the Add User screen:

Select Investigation > Activity Notifications.
Select a profile from the list.
Select Add User.

Add user

Item		Description
a	Enter username	Enter usernames to search your Code42 environment.
b	User suggestions	When you start typing in the search box, suggestions appear. Click a username to add to the profile.
c	Included users	Lists all users to be added to the profile.
d	Remove user	Removes the user from the list of users to be included in the profile.
e	Cancel	Exits the Add User screen without adding any new users.
f	Add Users	Adds all selected users to the profile.

Video

Watch the video below for an overview of file exfiltration detection. For more videos, visit the Code42 University.

Overview

Access requirements

User Activity

Search for user activity

User activity results

Export CSV

CSV export field descriptions

Activity Notifications

Activity profile list

Activity profile details

Create New Activity Profile

Add User

Video

Related topics