Skip to main content
Contact Support

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Other available versions:

Versions 6 and 7Link: What version am I on?

Code42 Support

Configure activity profiles

  1. Last updated
  2. Save as PDF

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Other available versions:

Versions 6 and 7Link: What version am I on?

Overview

Code42's file exfiltration detection capabilities enable security teams to monitor file activity for specific high-risk users and receive an email notification when suspicious activity occurs, which helps provide insight into potential exfiltration threats.

To get started, define file activity thresholds in an activity profile. Activity profiles use data from Code42's endpoint monitoring to generate an email notification when a user exceeds a defined threshold for:

  • Transferring files to removable media
  • Interacting with cloud services (including Box, Dropbox, Google Backup and Sync, iCloud, and OneDrive)
Activity Notifications functionality varies based on your product plan
If you have the Code42 Platinum or Diamond product plan, Activity Notifications profiles are replaced by Alerts. To continue receiving notifications, you must migrate any existing profiles to new alert rules. See Migrate Activity Notification profiles to alerts.

If you do not have any existing profiles, this article doesn't apply to you. See Create and manage alerts for details on how to set up alerts that notify you of suspicious file activity.

Before you begin

Permissions for Investigation access
The Customer Cloud Admin role includes access to the Investigation section of the administration console automatically. To grant access to a user with a different role, assign the Security Center User role.  

If file exfiltration detection is included in your product plan but you can’t access the Investigation section of the administration console, go to My Profile to ensure you have the required permissions. Contact our Customer Champions for support if you do not have the necessary role or permissions.

Create an activity profile

An activity profile defines specific thresholds for the number or total size of files moved to removable media or cloud services.

  1. Sign in to the administration console.
  2. Select Investigation > Activity Notifications.
  3. Select Create New Profile.
  4. Enter a name.
    The name appears in the list of profiles on the Activity Notifications screen. You can change the name at any time.
  5. Enter the email address of the person to receive notifications. Email notifications are limited to a single address.
  6. Select the scan frequency. The frequency determines how often records are scanned and the email recipient notified. For example, selecting Every 2 hours generates an email if a user exceeds a file activity threshold within a two-hour period.
  7. Choose the file activities to be included in the profile.
    • Removable Media: Monitors file transfer activity to USB drives, external hard drives, memory cards, etc.
    • Cloud Services: Monitors file transfer activity for the Box, Box Drive (Mac only), Dropbox, Google Backup and Sync, Apple iCloud, and Microsoft OneDrive apps installed on user devices.
  8. Define Total file size, Total file count, or both threshold values. Notification occurs if either value is exceeded. You can choose to ignore either file size or file count as a criteria, but you cannot ignore both. These values, combined with the email frequency defined above, define if and when a notification is sent.
    • Total file size: Defines the total size of files in megabytes (MB) a user must move to generate a notification.
    • Total file count: Defines the total number of files a user must move to generate a notification.
  9. Click Save.
    The new activity profile appears with the option to add users.

Create activity profile

Add users to an activity profile

  1. Sign in to the administration console.
  2. Select Investigation > Activity Notifications.
  3. Select a profile from the list.
  4. Select Add User.
  5. Starting typing a username. Select a username from the list of suggestions to add that user to the profile. Repeat this step to add multiple users.
    The user is added to the Included Users section.
  6. Click Add Users.

Add users to activity profile

Considerations for adding users

  • Only add users who you know or suspect to be a risk. For example, users with access to highly sensitive data, or departing employees. Activity profiles are not intended to monitor all users at all times.
  • To reduce potential unwanted email notifications, test each activity profile by only adding a few users at first to make sure the thresholds do not generate too many notifications.
  • A user can only belong to one activity profile.
  • If you add a user from an organization that does not have endpoint monitoring enabled, an error message appears. See Conflict detected in endpoint monitoring settings and activity profile for more details.

Remove users from an activity profile

  1. Sign in to the administration console.
  2. Select Investigation > Activity Notifications.
  3. Select a profile from the list.
  4. Select one or more users.
  5. Select Remove User.
  6. Review the confirmation message and select Yes, Remove.

Remove user from activity profile

Edit an existing activity profile

  1. Sign in to the administration console.
  2. Select Investigation > Activity Notifications.
  3. Select a profile from the list.
  4. From the action menu action menu icon, select Edit This Profile.
  5. Change activity profile settings as necessary.
  6. Click Save.


Select the gear menu to edit an activity profile

Delete an activity profile

  1. Sign in to the administration console.
  2. Select Investigation > Activity Notifications.
  3. Select a profile from the list.
  4. Select Delete Profile.
  5. Review the confirmation message and select Yes, Delete.

Delete an activity profile

Considerations for deleting an activity profile

You cannot delete an activity profile if it contains users from organizations you do not manage. If you receive an error message when trying to delete a profile, see Error deleting activity profile

Video

Watch the video below for an overview of file exfiltration detection. For more videos, visit the Code42 University