User Profile reference

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

Code42 for Enterprise

CrashPlan for Small Business

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Overview

When you select Investigation > User Activity and enter a user's name, the User Profile page displays. From the User Profile, you can review the file activity of employees, helping you to:

Quickly identify suspicious file movement
Review endpoint and cloud services activity
See file activity for the previous 90 days

This article describes the information and options in the User Profile.

Considerations

Add Trusted Domains in Data Preferences to filter out Read by browser or other app file events from domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added.
To work with user profiles, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for adding users to detection lists.
This functionality requires a Code42 Platinum product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Platinum product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

User Activity functionality varies based on your product plan
User Profile is only available if you have the Code42 Platinum product plan. If you have a different product plan, see User Activity and Activity Notifications reference.

User Profile

To access a user profile:

Sign in to the Code42 console.
Select Investigation > User Activity.
Enter the Code42 username for the employee whose activity you want to view.
Click Search.
The User Profile displays.

User Profile versus Departing Employees or High Risk Employees
If you search for a user that has been added to the Departing Employees or High Risk Employees list, their Departing Employees or High Risk Employees User Profile appears. The Departing Employees list and High Risk Employees list profiles have a blue indicator by the employee name at the top of the page and include additional information such as the employee's departure date, risk factors, and user profile notes.

Employee information

Employee information on the User Profile

Displays a summary of the employee's information, including:

Name
Department*
Title*
Location*
Manager*
Employee's Code42 username
Employee's cloud aliases (not shown in image)
Departure Date (Departing Employees list only)
Risk Factors (High Risk Employees list only)
User Profile Notes (Departing Employees list and High Risk Employees list only)

*Displays this information If your Code42 environment uses provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the attributes if you use Okta provisioning or PingOne provisioning.) If you don't use provisioning, this information does not appear and cannot be added manually.

File activity by destination

Item		Description
a	Last (on User Profile only)	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
b	Cloud services	Shows the cloud services provider that the file was synced to. Click a summary bar of data to see the file activity broken down by file category group.
c	Browser or app	Click to see the number of file events that indicate files were uploaded to a browser or an app such as Slack, FTP client, or curl. File category groups appear on the left. The selected filter is highlighted in blue. Hover over a summary bar of data to see a preview of these files broken down by file category.
d	Removable media	Click to see the number of file events that indicate files were moved to removable media, such as a USB drive. File category groups appear on the left. The selected filter is highlighted in blue. Hover over a summary bar of data to see a preview of these files broken down by file category.
e	Forensic Search icon	Click to see the search results for these files in Forensic Search.
f	View event details	Click to view the employee's file events broken down by file category group.

File activity by file category group

Item		Description
a	Last	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
b	File category group	Shows the summary of file activity for the following file categories: Business Documents Documents PDF Presentations Spreadsheets Zip Files Common archive file formats including compressed files. Source Code Common source code formats. Multimedia Audio Image Video Other Executable Script Uncategorized (files that did not fit any category) Virtual Disk Image For more information about file categories, see Forensic Search file categories.
c	Forensic Search icon	Click to see the search results for these files in Forensic Search.
d	View event details	Click to view the employee's file events broken down by destination.

Endpoint File Activity

This section displays file activity on the user's device, which helps identify suspicious file activity and potential file exfiltration.

Item		Description
a	Last	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click to refresh the graph and show the latest data.
b	Activity type	Indicates the type of activity displayed in the graph.
c	Summary preview	Click a point on the graph to see a summary of that data point organized by file category group.
d	Risk Indicators	Highlights file activity that has added risk. Off Hours - Indicates the file activity occurred outside the employee’s typical active hours. With only File Metadata Collection enabled, Code42 can capture file activity from an employee’s endpoint and use that pattern of activity to determine when an employee is typically inactive (their off hours). Using this behavioral pattern, we can then highlight when file activity doesn’t normally occur. It takes a few weeks of data to start identifying patterns, so you may not see these indicators initially. Due to the fluid nature of employee activity, the identified patterns can change over time when the employee’s behavior changes. Off Hours requires File Metadata Collection You must have File Metadata Collection enabled in order to see the Off Hours indicator. Off Hours appears only on the Endpoint File Activity graph While the File Mismatch indicator is shown on both the Endpoint File Activity and Cloud File Activity graphs for corresponding activity, the Off Hours indicator appears only on the Endpoint File Activity graph. Cloud services are not currently monitored for activity that occurs during off hours. File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents, for example, a file with the .jpg extension that contains source code content.
e	Forensic Search icon	Click to see the search results for these files in Forensic Search.
f	Graph	Provides a visual representation of file activity for the selected timeframe. Hover on a point in the graph to see a preview of the activity. Click a point on the graph to see the summary preview of that data point.
g	Show activity for	Select one of the following options to view the graph of that activity: On removable media: Shows a graph of file activity on removable media, such as a USB drive. Synced to cloud service: Shows a graph of activity where files were added to folders on a user's device that are typically used to sync to a cloud service. Read by browser or other app: Shows a graph of activity where files were opened by a browser or an app commonly used for uploading files, such as Slack, FTP client, or curl. Deleted files: Shows a graph of activity where files are added to the following locations: $Recycle.Bin, .local/share/Trash, and .Trash. Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).

Cloud File Activity

This section displays file activity for files in cloud services. It shows when a file is made publicly accessible or shared via a direct link.

Item		Description
a	Last	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click to refresh the graph and show the latest data.
b	Activity type	Indicates the type of activity displayed in the graph.
c	Summary preview	Click a point on the graph to see a summary of that data point organized by file category group.
d	Risk Indicators	Highlights file activity that has added risk. File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents, for example, a file with the .jpg extension that contains source code content.
e	Forensic Search icon	Click to see the search results for these files in Forensic Search.
f	Graph	Provides a visual representation of file activity for the selected timeframe. Hover on a point in the graph to see a preview of the activity. Click a point on the graph to see the summary preview of that data point.
g	Show activity for	Select one of the following options to view the graph of that activity: Public on the web (Google Drive): Shows files in Google Drive that were made public. Public via direct link (Google Drive): Shows files that were shared from Google Drive with a direct link. Public via direct link (OneDrive): Shows files that were shared from OneDrive with a direct link. Public via direct link (Box): Shows files that were shared from Box with a direct link. Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).