Skip to main content

Who is this article for?

Code42 for Enterprise
CrashPlan for Small Business

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

HOME
GETTING STARTED
RELEASE NOTES
FAQS
SYSTEM STATUS
Code42 Support

Enable File Metadata Collection (formerly Forensic File Search)

Who is this article for?

Code42 for Enterprise
CrashPlan for Small Business

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Overview

File metadata collection is a powerful detection tool which provides detailed visibility for Code42 administrators about:

  • All files on user devices
  • Files stored in cloud services
  • Files sent as email attachments in Microsoft Office 365 and Gmail
  • File activity occurring outside a user's normal active hours

This tutorial explains how to enable File Metadata Collection in your Code42 environment so you can start using Code42 to detect and respond to insider threats.

Video

Watch the short video below to learn more about how Code42 collects file event data.

Before you begin

Step 1: Enable File Metadata Collection

Start with a test organization
We recommend enabling File Metadata Collection in a small, test organization at first. This helps ensure user devices and search results are performing as expected. Once you see the desired results with a small number of users, then enable File Metadata Collection for additional organizations.

If your Code42 environment contains more than 5,000 users, Code42 recommends contacting your Customer Success Manager (CSM) for assistance creating a deployment strategy.
  1. Sign in to the Code42 console as a user with either the Customer Cloud Admin or Security Center User role.
  2. Select Organizations > Active.
  3. Select an organization.
  4. From the action menu in the upper-right, select Edit.
  5. Select Endpoint Monitoring.
  6. Select File Metadata Collection.
    Within five minutes of enabling, devices start scanning existing files and sending file metadata to Code42. It may take up to 15 minutes for events to appear in search results. For more details, see Initial file metadata collection scan FAQs.
  7. Click Save.

Endpoint Monitoring Settings

Reduce CPU use during the initial scan
If you are deploying to devices with limited processing power or want to minimize Code42's CPU usage during the initial scan, see our steps for limiting CPU usage.
Disabling and re-enabling may cause duplicate endpoint events
If you disable and then re-enable the File Metadata Collection setting, the file scan on the device starts over. This may cause duplicate endpoint file events and/or cause file events that were queued for processing at the time the setting is disabled to be lost.

If you have already disabled and re-enabled File Metadata Collection, you can reduce duplicate search results by only searching for events that occurred after the date and time File Metadata Collection was last enabled. 

Video

Watch the short video below for a demonstration of how to enable File Metadata Collection for an organization. 

Step 2 (Optional): Add cloud and email data sources

If your product plan includes additional cloud or email data sources (for example, Google Drive, Microsoft OneDrive, Gmail, or Microsoft Office 365 email), you must authorize Code42 to access this data. For instructions, see Introduction to adding data sources.

Video

Watch the short video below to learn how to enable File Metadata Collection for Google Drive.

Next steps

  • Was this article helpful?