Configure activity profiles
Who is this article for?
CrashPlan for Small Business, no.
Code42 for Enterprise, yes.
Link: Product plans and features.
Overview
Code42's file exfiltration detection capabilities enable security teams to monitor file activity for specific high-risk users and receive an email notification when suspicious activity occurs, which helps provide insight into potential exfiltration threats.
To get started, define file activity thresholds in an activity profile. Activity profiles use data from Code42's endpoint monitoring to generate an email notification when a user exceeds a defined threshold for:
- Transferring files to removable media
- Interacting with cloud services (including Box, Dropbox, Google Backup and Sync, iCloud, and OneDrive)
Before you begin
- Activity notifications and profiles are not available in the Code42 federal environment. Instead, use Alerts to create alert rules that automatically notify you of suspicious file activity.
- Enable endpoint monitoring for the organizations you want to monitor.
- Ensure user devices in those organizations meet the Code42 app version requirements for endpoint monitoring.
Create an activity profile
An activity profile defines specific thresholds for the number or total size of files moved to removable media or cloud services.
- Sign in to the Code42 console.
- Select Investigation > Activity Notifications.
- Select Create New Profile.
- Enter a name.
The name appears in the list of profiles on the Activity Notifications screen. You can change the name at any time. - Enter the email address of the person to receive notifications. Email notifications are limited to a single address.
- Select the scan frequency. The frequency determines how often records are scanned and the email recipient notified. For example, selecting Every 2 hours generates an email if a user exceeds a file activity threshold within a two-hour period.
- Choose the file activities to be included in the profile.
- Removable Media: Monitors file transfer activity to USB drives, external hard drives, memory cards, etc.
- Cloud Services: Monitors file transfer activity for the Box, Box Drive (Mac only), Dropbox, Google Backup and Sync, Apple iCloud, and Microsoft OneDrive apps installed on user devices.
- Define Total file size, Total file count, or both threshold values. Notification occurs if either value is exceeded. You can choose to ignore either file size or file count as a criteria, but you cannot ignore both. These values, combined with the email frequency defined above, define if and when a notification is sent.
- Total file size: Defines the total size of files in megabytes (MB) a user must move to generate a notification.
- Total file count: Defines the total number of files a user must move to generate a notification.
- Click Save.
The new activity profile appears with the option to add users.
Add users to an activity profile
- Sign in to the Code42 console.
- Select Investigation > Activity Notifications.
- Select a profile from the list.
- Select Add User.
- Starting typing a username. Select a username from the list of suggestions to add that user to the profile. Repeat this step to add multiple users.
The user is added to the Included Users section. - Click Add Users.
Considerations for adding users
- Only add users who you know or suspect to be a risk. For example, users with access to highly sensitive data, or departing employees. Activity profiles are not intended to monitor all users at all times.
- To reduce potential unwanted email notifications, test each activity profile by only adding a few users at first to make sure the thresholds do not generate too many notifications.
- A user can only belong to one activity profile.
- If you add a user from an organization that does not have endpoint monitoring enabled, an error message appears. See Conflict detected in endpoint monitoring settings and activity profile for more details.
Remove users from an activity profile
- Sign in to the Code42 console.
- Select Investigation > Activity Notifications.
- Select a profile from the list.
- Select one or more users.
- Select Remove User.
- Review the confirmation message and select Yes, Remove.
Edit an existing activity profile
- Sign in to the Code42 console.
- Select Investigation > Activity Notifications.
- Select a profile from the list.
- From the action menu
, select Edit This Profile. - Change activity profile settings as necessary.
- Click Save.
Delete an activity profile
- Sign in to the Code42 console.
- Select Investigation > Activity Notifications.
- Select a profile from the list.
- Select Delete Profile.
- Review the confirmation message and select Yes, Delete.
Considerations for deleting an activity profile
You cannot delete an activity profile if it contains users from organizations you do not manage. If you receive an error message when trying to delete a profile, see Error deleting activity profile.
Video
Watch the video below for an overview of file exfiltration detection. For more videos, visit the Code42 University.