Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

User Profile reference

Overview

When you select Investigation > User Activity and enter a user's name, the User Profile page displays. From the User Profile, you can review the file activity of employees, helping you to:

  • Quickly identify suspicious file movement
  • Review endpoint and cloud services activity
  • See file activity for the previous 90 days

This article describes the information and options in the User Profile.

Video

Watch the video below to learn how to review the file activity of a specific user. For other videos in this series, see our Training course: Detecting risk with Code42 Incydr. For more videos, visit the Code42 University.

Considerations

  • Add Trusted Domains in Data Preferences to hide file events that occur on domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added. You can view all file activity, including events that occur on your trusted domains, in Forensic Search.

  • To work with user profiles, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for investigating suspicious file activity.
Differences in file event counts
File events for Forensic Search and Alerts appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.
User Activity functionality varies based on your product plan
The User Profile is only available if your product plan supports it. Depending on your product plan, you may instead see the User Activity page. For more information about User Activity, see User Activity and Activity Notifications reference.

User Profile

To access a user profile:

  1. Sign in to the Code42 console.
  2. Select Investigation > User Activity.
  3. Enter the Code42 username for the employee whose activity you want to view. 
  4. Click Search.
    The User Profile displays.
User Profile versus Departing Employees or High Risk Employees
If you search for a user that has been added to the Departing Employees or High Risk Employees list, their Departing Employees or High Risk Employees User Profile appears. The Departing Employees list and High Risk Employees list profiles have a blue indicator by the employee name at the top of the page and include additional information such as the employee's departure date, risk factors, and user profile notes.  

Employee information

Employee information on the User Profile

Displays a summary of the employee's information, including:

  • Name
  • Department* 
  • Title*
  • Location*
  • Manager*
  • Employee's Code42 username
  • Employee's cloud aliases (not shown in image)
  • Departure Date (Departing Employees list only)
  • Risk Factors (High Risk Employees list only)
  • User Profile Notes (Departing Employees list and High Risk Employees list only)

*This information displays if your Code42 environment uses provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. If you use Azure AD provisioning, the attributes are automatically populated. You must first add the attributes if you use Okta provisioning or PingOne provisioning.) If you don't use provisioning, this information does not appear and cannot be added manually. If user attributes are not populated correctly, see Updated user attributes not populating in risk detection lists.

Endpoint activity

The Endpoint activity tab is only available if your product plan supports it.

Endpoint activity tab

Item Description
a Endpoint activity Shows file activity that occurred on the endpoint by destination and by file category group. File activity includes when files are added to a cloud sync folder on the device, opened in a browser or other app, or moved to an external device.
b Cloud sharing Shows file activity that occurred when a user changed the permission of a file in your cloud service from private to public. 
c Last (on User Profile only) Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
d Cloud services Shows the cloud services provider that the file was synced to. Click a summary bar of data to see the file activity broken down by file category group.
e Browser or app

Click to see the number of file events that indicate files were uploaded to a browser or an app such as Slack, AirDrop, FTP client, or curl. File category groups appear on the left. The selected filter is highlighted in blue.

Hover over a summary bar of data to see a preview of these files broken down by file category.

f Removable media

Click to see the number of file events that indicate files were moved to removable media, such as a USB drive. File category groups appear on the left. The selected filter is highlighted in blue.

Hover over a summary bar of data to see a preview of these files broken down by file category. Click View event details to see removable media devices broken down by vendor and bus type.

g By file category group

Shows the summary of file activity for the following file categories:

  • Business Documents
    • Documents
    • PDF
    • Presentations
    • Spreadsheets
  • Zip Files
    Common archive file formats including compressed files.
  • Source Code
    Common source code formats.
  • Multimedia 
    • Audio
    • Image
    • Video
  • Other
    • Executable
    • Script
    • Uncategorized (files that did not fit any category)
    • Virtual Disk Image

For more information about file categories, see Forensic Search file categories.

h Investigate in Forensic Search

Click to see the search results for these files in Forensic Search.

i View event details Click to view the employee's file events broken down by file category group.

Cloud sharing

The Cloud sharing tab is only available if your product plan supports it.

Cloud sharing events

Item Description
a Endpoint activity Shows file activity that occurred on the endpoint, such as when files are added to a cloud sync folder on the device, opened in a browser or other app, or moved to an external device.
b Cloud sharing Shows file activity that occurred when a user changed the permission of a file in your cloud service from private to public. Shows file activity by cloud service and file category group.

Note: To see cloud sharing activity, you must allow Code42 access to your cloud services.
c Last Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
d Cloud service

Shows the cloud service in which files were made publicly available or shared via direct link. Cloud services include Box, Google, or Microsoft OneDrive.

e Permission increases Shows the number of file events where a user changed the permission of a file in your cloud service from private to public. 
f File category group

Shows the summary of file activity for the following file categories:

  • Business Documents
    • Documents
    • PDF
    • Presentations
    • Spreadsheets
  • Zip Files
    Common archive file formats including compressed files.
  • Source Code
    Common source code formats.
  • Multimedia 
    • Audio
    • Image
    • Video
  • Other
    • Executable
    • Script
    • Uncategorized (files that did not fit any category)
    • Virtual Disk Image

For more information about file categories, see Forensic Search file categories.

g Investigate in Forensic Search

Click to see the search results for these files in Forensic Search.

h View event details Click to view the employee's file events broken down by destination.

Endpoint activity over time

This section displays file activity on the user's device, which helps identify suspicious file activity and potential file exfiltration.

Endpoint activity over time graph

Item Description
a Last

Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click the Refresh graph indicator to refresh the graph and show the latest data.

b Activity type Indicates the type of activity displayed in the graph.
c Summary preview

Click a point on the graph to see a summary of that data point organized by file category group. 

d Risk indicators

Highlights file activity that has added risk. For more information about risk indicators, see Introduction to risk indicators.

File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents. For example, a file with the .jpg extension that is actually a .zip file.

Off hours - Indicates file activity that occurred outside the employee’s typical active hours. With File Metadata Collection enabled, Code42 captures file activity from an employee’s endpoint and uses that pattern of activity to highlight file activity that occurs during times a user is typically inactive (their off hours).

Off Hours requires File Metadata Collection
You must have File Metadata Collection enabled in order to see the Off Hours indicator. 
Off Hours appears only on the Endpoint File Activity graph
While the File Mismatch indicator is shown on both the Endpoint File Activity and Cloud File Activity graphs for corresponding activity, the Off Hours indicator appears only on the Endpoint File Activity graph. Cloud services are not currently monitored for activity that occurs during off hours. 
e Forensic Search icon

Click to see the search results for these files in Forensic Search.

f Graph

Provides a visual representation of file activity for the selected timeframe.

  • Hover on a point in the graph to see a preview of the activity.
  • Click a point on the graph to see the summary preview of that data point. 
g Show activity for

Select one of the following options to view the graph of that activity:

  • On removable media: Shows a graph of file activity on removable media, such as a USB drive.
  • Synced to cloud service: Shows a graph of activity where files were added to folders on a user's device that are typically used to sync to a cloud service. 
  • Read by browser or other app: Shows a graph of activity where files were opened by a browser or an app commonly used for uploading files, such as Slack, AirDrop, FTP client, or curl.
  • Deleted files: Shows a graph of activity where files are added to the following locations: $Recycle.Bin, .local/share/Trash, and .Trash. 
  • Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).
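
To make the Off hours indicator described above concrete, here is an added example (not Code42's code or algorithm) that derives a user's typical active hours from past event timestamps and flags new events outside them. The 5% threshold, the function names, and the sample timestamps are assumptions constructed for illustration; timestamps are taken to be in the user's local time.

```python
from collections import Counter
from datetime import datetime

def active_hours(baseline, min_share=0.05):
    """Hours of day (0-23) holding at least min_share of the baseline events."""
    counts = Counter(ts.hour for ts in baseline)
    total = sum(counts.values())
    if total == 0:
        return set()  # no history, so no hour can be called typical
    return {hour for hour, n in counts.items() if n / total >= min_share}

def off_hours_events(baseline, new_events, min_share=0.05):
    """Return the new events that fall outside the user's typical hours."""
    typical = active_hours(baseline, min_share)
    if not typical:
        return []  # without a baseline, flag nothing rather than everything
    return [ts for ts in new_events if ts.hour not in typical]

# Constructed history: activity 09:00-17:59 on ten days, plus one stray
# late-night event that is too rare to make 23:00 a typical hour.
BASELINE = [datetime(2024, 3, d, h, 15) for d in range(1, 11) for h in range(9, 18)]
BASELINE.append(datetime(2024, 3, 4, 23, 5))

# Constructed new activity to evaluate against that history.
NEW_EVENTS = [
    datetime(2024, 3, 15, 10, 30),
    datetime(2024, 3, 15, 23, 10),
    datetime(2024, 3, 16, 2, 45),
]

if __name__ == "__main__":
    for ts in off_hours_events(BASELINE, NEW_EVENTS):
        print("off hours:", ts.isoformat())
```
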

Cloud sharing over time

This section displays file activity for files in cloud services. It shows when a file is made publicly available. 

Cloud sharing over time

Item Description
a Last

Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click the Refresh graph indicator to refresh the graph and show the latest data.

b Activity type Indicates the type of activity displayed in the graph.
c Summary preview

Click a point on the graph to see a summary of that data point organized by file category group. 

d Risk Indicators

Highlights file activity that has added risk.

File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents, for example, a file with the .jpg extension that is actually a .zip file.

For more information about risk indicators, see Introduction to risk indicators.

e Forensic Search icon

Click to see the search results for these files in Forensic Search.

f Graph

Provides a visual representation of file activity for the selected timeframe.

  • Hover on a point in the graph to see a preview of the activity.
  • Click a point on the graph to see the summary preview of that data point. 

g Show activity for

Select one of the following options to view the graph of that activity:

  • Public on the web (Google Drive): Shows files in Google Drive that were made public.
  • Public via direct link (Google Drive): Shows files that were shared from Google Drive with a direct link.
  • Public via direct link (OneDrive): Shows files that were shared from OneDrive with a direct link.
  • Public via direct link (Box): Shows files that were shared from Box with a direct link.
  • Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).

h Permission increases Shows the number of file events where a user changed the permission of a file in your cloud service from private to public. 
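
The File Mismatch indicator described in both graph sections above compares a file's extension with its contents. The following added example (not Code42's implementation) shows one way such a check can work, by matching the file's leading bytes against known signatures; the signature table, function names, and sample files are assumptions constructed for illustration.

```python
import os

# Leading "magic" bytes for a few common formats (a small illustrative subset).
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"), (b"\x89PNG\r\n\x1a\n", "png"),
    (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip"), (b"PK\x05\x06", "zip"),
    (b"\x1f\x8b", "gzip"), (b"MZ", "exe"),
]

# Extensions that legitimately carry each content type. Office Open XML
# documents are ZIP containers, so .docx/.xlsx/.pptx must not be flagged.
EXPECTED_EXTENSIONS = {
    "jpeg": {".jpg", ".jpeg"},
    "png": {".png"},
    "pdf": {".pdf"},
    "zip": {".zip", ".docx", ".xlsx", ".pptx", ".jar"},
    "gzip": {".gz", ".tgz"},
    "exe": {".exe", ".dll"},
}

def sniff_type(header):
    """Return the content type implied by the leading bytes, or None."""
    for magic, kind in SIGNATURES:
        if header.startswith(magic):
            return kind
    return None

def check_mismatch(filename, header):
    """Return (is_mismatch, detected_type) for a file name and its first bytes."""
    ext = os.path.splitext(filename)[1].lower()
    detected = sniff_type(header)
    if detected is None:
        # Unrecognised content: a mismatch only if the extension claims a known type.
        return any(ext in exts for exts in EXPECTED_EXTENSIONS.values()), None
    return ext not in EXPECTED_EXTENSIONS[detected], detected

# Constructed sample: (file name, first bytes of the file).
SAMPLE = [
    ("vacation.jpg", b"PK\x03\x04\x14\x00"),   # ZIP content behind a .jpg name
    ("report.docx", b"PK\x03\x04\x14\x00"),    # ZIP container, expected for .docx
    ("photo.jpeg", b"\xff\xd8\xff\xe0"),
    ("notes.pdf", b"plain text"),              # claims PDF, content is not
    ("readme.txt", b"plain text"),
]

def flag_events(events):
    """Return the names of files whose extension does not match their content."""
    return [name for name, header in events if check_mismatch(name, header)[0]]
```
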