User Profile reference

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Overview

When you select Investigation > User Activity and enter a user's name, the User Profile page displays. From the User Profile, you can review the file activity of employees, helping you to:

Quickly identify suspicious file movement
Review endpoint and cloud services activity
See file activity for the previous 90 days

This article describes the information and options in the User Profile.

Video

Watch the video below to learn how to review the file activity of a specific user. For other videos in this series, see our Training course: Detecting risk with Code42 Incydr. For more videos, visit the Code42 University.

Considerations

Add Trusted Domains in Data Preferences to hide file events that occur on domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added. You can view all file activity, including events that occur on your trusted domains, in Forensic Search.
To work with user profiles, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for investigating suspicious file activity.

User Activity functionality varies based on your product plan
The User Profile is only available if your product plan supports it. Depending on your product plan, you may instead see the User Activity page. For more information about User Activity, see User Activity and Activity Notifications reference.

User Profile

To access a user profile:

Sign in to the Code42 console.
Select Investigation > User Activity.
Enter the Code42 username for the employee whose activity you want to view.
Click Search.
The User Profile displays.

User Profile versus Departing Employees or High Risk Employees
If you search for a user that has been added to the Departing Employees or High Risk Employees list, their Departing Employees or High Risk Employees User Profile appears. The Departing Employees list and High Risk Employees list profiles have a blue indicator by the employee name at the top of the page and include additional information such as the employee's departure date, risk factors, and user profile notes.

Employee information

Employee information on the User Profile

Displays a summary of the employee's information, including:

Name
Department*
Title*
Location*
Manager*
Employee's Code42 username
Employee's cloud aliases (not shown in image)
Departure Date (Departing Employees list only)
Risk Factors (High Risk Employees list only)
User Profile Notes (Departing Employees list and High Risk Employees list only)

*Displays this information If your Code42 environment uses provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. If you use Azure AD provisioning, the attributes are automatically populated. You must first add the attributes if you use Okta provisioning or PingOne provisioning. ) If you don't use provisioning, this information does not appear and cannot be added manually. If user attributes are not populated correctly, see Updated user attributes not populating in risk detection lists.

Endpoint activity

The Endpoint activity tab is only available if your product plan supports it.

Item		Description
a	Endpoint activity	Shows file activity that occurred on the endpoint by destination and by file category group. File activity includes when files are added to a cloud sync folder on the device, opened in a browser or other app, or moved to an external device.
b	Cloud sharing	Shows file activity that occurred when a user changed the permission of a file in your cloud service from private to public.
c	Last (on User Profile only)	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
d	Cloud services	Shows the cloud services provider that the file was synced to. Click a summary bar of data to see the file activity broken down by file category group.
e	Browser or app	Click to see the number of file events that indicate files were uploaded to a browser or an app such as Slack, AirDrop, FTP client, or curl. File category groups appear on the left. The selected filter is highlighted in blue. Hover over a summary bar of data to see a preview of these files broken down by file category.
f	Removable media	Click to see the number of file events that indicate files were moved to removable media, such as a USB drive. File category groups appear on the left. The selected filter is highlighted in blue. Hover over a summary bar of data to see a preview of these files broken down by file category. Click View event details to see removable media devices broken down by vendor and bus type.
g	By file category group	Shows the summary of file activity for the following file categories: Business Documents Documents PDF Presentations Spreadsheets Zip Files Common archive file formats including compressed files. Source Code Common source code formats. Multimedia Audio Image Video Other Executable Script Uncategorized (files that did not fit any category) Virtual Disk Image For more information about file categories, see Forensic Search file categories.
h	Forensic Search icon	Click to see the search results for these files in Forensic Search.
i	View event details	Click to view the employee's file events broken down by file category group.

Cloud sharing

The Cloud sharing tab is only available if your product plan supports it.

Item		Description
a	Endpoint activity	Shows file activity that occurred on the endpoint such as when files are added to a cloud sync folder on the device, opened in a browser or other app, or moved to an external device
b	Cloud sharing	Shows file activity that occurred when a user changed the permission of a file in your cloud service from private to public. Shows file activity by cloud service and file category group. Note: To see cloud sharing activity, you must allow Code42 access to your cloud services.
c	Last	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
d	Cloud service	Shows the cloud service in which files were made publicly available or shared via direct link. Cloud services include Box, Google, or Microsoft OneDrive.
e	Permission increases	Shows the number of file events where a user changed the permission of a file in your cloud service from private to public.
f	File category group	Shows the summary of file activity for the following file categories: Business Documents Documents PDF Presentations Spreadsheets Zip Files Common archive file formats including compressed files. Source Code Common source code formats. Multimedia Audio Image Video Other Executable Script Uncategorized (files that did not fit any category) Virtual Disk Image For more information about file categories, see Forensic Search file categories.
g	Forensic Search icon	Click to see the search results for these files in Forensic Search.
h	View event details	Click to view the employee's file events broken down by destination.

Endpoint activity over time

This section displays file activity on the user's device, which helps identify suspicious file activity and potential file exfiltration.

Item		Description
a	Last	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click to refresh the graph and show the latest data.
b	Activity type	Indicates the type of activity displayed in the graph.
c	Summary preview	Click a point on the graph to see a summary of that data point organized by file category group.
d	Risk indicators	Highlights file activity that has added risk. For more information about risk indicators, see Introduction to risk indicators. File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents. For example, a file with the .jpg extension that is actually a .zip file. Off hours - Indicates file activity that occurred outside the employee’s typical active hours. With File Metadata Collection enabled, Code42 captures file activity from an employee’s endpoint and uses that pattern of activity to highlight file activity that occurs during times a user is typically inactive (their off hours). Off Hours requires File Metadata Collection You must have File Metadata Collection enabled in order to see the Off Hours indicator. Off Hours appears only on the Endpoint File Activity graph While the File Mismatch indicator is shown on both the Endpoint File Activity and Cloud File Activity graphs for corresponding activity, the Off Hours indicator appears only on the Endpoint File Activity graph. Cloud services are not currently monitored for activity that occurs during off hours.
e	Forensic Search icon	Click to see the search results for these files in Forensic Search.
f	Graph	Provides a visual representation of file activity for the selected timeframe. Hover on a point in the graph to see a preview of the activity. Click a point on the graph to see the summary preview of that data point.
g	Show activity for	Select one of the following options to view the graph of that activity: On removable media: Shows a graph of file activity on removable media, such as a USB drive. Synced to cloud service: Shows a graph of activity where files were added to folders on a user's device that are typically used to sync to a cloud service. Read by browser or other app: Shows a graph of activity where files were opened by a browser or an app commonly used for uploading files, such as Slack, AirDrop, FTP client, or curl. Deleted files: Shows a graph of activity where files are added to the following locations: $Recycle.Bin, .local/share/Trash, and .Trash. Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).

Cloud sharing over time

This section displays file activity for files in cloud services. It shows when a file is made publicly available.

Item		Description
a	Last	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click to refresh the graph and show the latest data.
b	Activity type	Indicates the type of activity displayed in the graph.
c	Summary preview	Click a point on the graph to see a summary of that data point organized by file category group.
d	Risk Indicators	Highlights file activity that has added risk. File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents, for example, a file with the .jpg extension that is actually a .zip file. For more information about risk indicators, see Introduction to risk indicators.
e	Forensic Search icon	Click to see the search results for these files in Forensic Search.
f	Graph	Provides a visual representation of file activity for the selected timeframe. Hover on a point in the graph to see a preview of the activity. Click a point on the graph to see the summary preview of that data point.
g	Show activity for	Select one of the following options to view the graph of that activity: Public on the web (Google Drive): Shows files in Google Drive that were made public. Public via direct link (Google Drive): Shows files that were shared from Google Drive with a direct link. Public via direct link (OneDrive): Shows files that were shared from OneDrive with a direct link. Public via direct link (Box): Shows files that were shared from Box with a direct link. Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).
h	Permission increases	Shows the number of file events where a user changed the permission of a file in your cloud service from private to public.