User Profile reference

Overview

When you select User Activity > All Users and enter a user's name, the User Profile page displays. From the User Profile, you can review the file activity of employees, helping you to:

Quickly identify suspicious file movement
Review endpoint and cloud services activity
See file activity for the previous 90 days

This article describes the information and options in the User Profile.

Video

Watch the video below to learn how to review the file activity of a specific user. For other videos in this series, see our Training course: Detecting risk with Code42 Incydr. For more videos, visit the Code42 University.

Considerations

Add Trusted Domains in Data Preferences to hide file events that occur on domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added. You can view all file activity, including events that occur on your trusted domains, in Forensic Search.
To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.

User Activity functionality varies based on your product plan
The User Profile is only available if your product plan supports it. Depending on your product plan, you may instead see the User Activity page. For more information about User Activity, see User Activity and Activity Notifications reference.

User Profile

To access a user profile:

Sign in to the Code42 console.
Select User Activity > All Users.
Enter the Code42 username for the employee whose activity you want to view.
Click Search.
The User Profile displays.

User Profile versus Departing Employees or High Risk Employees
If you search for a user that has been added to the Departing Employees or High Risk Employees list, their Departing Employees or High Risk Employees User Profile appears. The Departing Employees list and High Risk Employees list profiles have a blue indicator by the employee name at the top of the page and include additional information such as the employee's departure date, risk factors, and user profile notes.

Employee information

Employee information on the User Profile

Displays a summary of the employee's information, including:

Name
Department*
Title*
Location*
Manager*
Employee's Code42 username
Employee's cloud aliases (not shown in image)
Departure Date (Departing Employees list only)
Risk Factors (High Risk Employees list only)
User Profile Notes (Departing Employees list and High Risk Employees list only)

*Displays this information if your Code42 environment uses provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. If you use Azure AD provisioning, the attributes are automatically populated. You must first add the attributes if you use Okta provisioning or PingOne provisioning. ) If you don't use provisioning, this information does not appear and cannot be added manually. If user attributes are not populated correctly, see Provision user attributes to Code42.

Destination activity over time

Destinations are dynamic
The list of destinations shown on each tab of this graph is dynamic. Only destinations with file activity are shown.

For example, if there is no Box file activity in the selected timeframe, or if you have not given Code42 access to your Box environment for monitoring, the Box destination is not listed.

Item		Description
a	All activity	Shows all endpoint and cloud service activity across your organization. (To see cloud service activity, give Code42 access to your cloud services.) File events include files: Moved to removable media or cloud sync folders Viewed in a browser or other app Shared publicly via direct link
b	Remote activity	Shows all remote file activity that occurred on an endpoint. File events can include files moved to removable media or cloud sync folders, or viewed in a browser or other app. When configured, remote activity is detected for endpoint events from out-of-network IP addresses. The Remote activity tab does not show cloud sharing events.
c	Destination	Displays the currently selected destination.
d	Choose destination	Select a destination to see where the file was sent. Destinations include: AirDrop: Files were sent to a device via AirDrop. The destination category for AirDrop events is listed as "Device" in the Exposure section of Forensic Search. Cloud destinations: The file was synced to a cloud service, shared publicly via direct link, or shared with specific users outside your trusted domains. Cloud sharing activity includes file activity from Box, Google Drive, and OneDrive and details how the file was shared (for example, public via direct link). Cloud folder sync activity (when a file exists in a folder on the device that is used for syncing with a cloud service) includes activity from: Apple iCloud Box Box Drive Dropbox Google Backup and Sync Google Drive Microsoft OneDrive Email services: The file was uploaded to an email provider via a web browser. Messaging services: The file was sent via a messaging service. Removable media: The file was moved to an external device such as a USB drive or hard drive. Click View event details to see file activity broken out by removable media device vendor. Social media: The file was uploaded to social media. This does not necessarily mean it's posted publicly; for example, the file could have been sent in a direct message on LinkedIn, etc. Source code repository: The file was uploaded to a location typically used for storing code files. Other: File activity where the destination does not match any of the above destinations, or in the following special cases: Files were opened in an app that is commonly used for uploading files such as FTP client or curl We cannot determine the destination. On Macs, this may indicate Code42 does not have the required permissions to collect the destination details. Multiple possibilities appears if the user accessed more than one tab while uploads were in progress. Review the Active tab titles and URLs to identify all possible destinations.
e	Events	Number of file events associated with the destination for the selected timeframe.
f	Events bar graph	Shows a visual representation of the number of file events.
g	Size	Total size of files involved with the file activity.
h	Activity preview	Shows a visual representation of file activity for the selected timeframe.
i	Risk indicators	Highlights file activity that has added risk. For more information about insider risk indicators, see Introduction to risk indicators . File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents. For example, a file with the .jpg extension that is actually a .zip file. Off hours - Indicates file activity that occurred outside the employee’s typical active hours. With File Metadata Collection enabled, Code42 captures file activity from an employee’s endpoint and uses that pattern of activity to highlight file activity that occurs during times a user is typically inactive (their off hours). Off Hours requires File Metadata Collection You must have File Metadata Collection enabled in order to see the Off Hours indicator. Off Hours appears only for endpoint activity While the File Mismatch indicator is shown for both the endpoint and cloud sharing file activity, the Off Hours indicator only appears on endpoint events. Cloud services are not currently monitored for activity that occurs during off hours.
j	Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
k	View event details	Click to view the file events broken down by file category group.

File categories

Item		Description
a	Endpoint activity	Shows all endpoint file activity across your organization. File events include files moved to removable media or cloud sync folders, or viewed in a browser or other app.
b	Cloud sharing	Shows file activity where permissions were increased on a file in your cloud services, making the file shared publicly via direct link. This tab requires Code42 access to your cloud services.
c	File category group	Shows the summary of file activity for the following file categories: Business Documents Documents PDF Presentations Spreadsheets Zip Files Common archive file formats including compressed files. Source Code Common source code formats. Multimedia Audio Image Video Other Executable Script Uncategorized (files that did not fit any category) Virtual Disk Image For more information about file categories, see Forensic Search file categories.
d	Events	Displays the count of total file events for a file category group. The default sort order is from the highest number of events to the lowest.
e	Events bar graph	Shows a visual representation of the number of file events.
f	Size	Displays the total file size of file events for a file category group.
g	Activity preview	Shows a visual representation of file activity for the selected timeframe.
h	Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
i	View event details	Click to view the details of file events for a file category group.