Enable File Metadata Collection (formerly Forensic File Search)
Who is this article for?
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Overview
File metadata collection is a powerful detection tool which provides detailed visibility for Code42 administrators about:
- All files on user devices
- Files stored in cloud services
- Files sent as email attachments in Microsoft Office 365 and Gmail
- File activity occurring outside a user's normal active hours
This tutorial explains how to enable File Metadata Collection in your Code42 environment so you can start using Code42 to detect and respond to insider threats.
Video
Watch the short video below to learn more about how Code42 collects file event data.
Before you begin
- Create a test organization, and then add a small number of test users to use in the steps below for initial testing. Alternatively, use the Change Organization command to move a small number of existing users into the test organization.
- Your Code42 product plan must include File Metadata Collection. Contact your Customer Success Manager (CSM) for assistance with product plans. If you're not sure how to reach your CSM, email csmsupport@code42.com and we will connect you.
- The Code42 app must already be installed on user devices to collect endpoint file activity.
- File Metadata Collection can only be enabled in organizations that use Standard archive encryption. Archive key password and Custom key encryption are not supported.
Step 1: Enable File Metadata Collection
We recommend enabling File Metadata Collection in a small, test organization at first. This helps ensure user devices and search results are performing as expected. Once you see the desired results with a small number of users, then enable File Metadata Collection for additional organizations.
If your Code42 environment contains more than 5,000 users, Code42 recommends contacting your Customer Success Manager (CSM) for assistance creating a deployment strategy.
- Sign in to the Code42 console as a user with either the Customer Cloud Admin or Security Center User role.
- Select Organizations > Active.
- Select an organization.
- From the action menu in the upper-right, select Edit.
- Select Endpoint Monitoring.
- Select File Metadata Collection.
Within five minutes of enabling, devices start scanning existing files and sending file metadata to Code42. It may take up to 15 minutes for events to appear in search results. For more details, see Initial file metadata collection scan FAQs. - Click Save.
If you are deploying to devices with limited processing power or want to minimize Code42's CPU usage during the initial scan, see our steps for limiting CPU usage.
If you disable and then re-enable the File Metadata Collection setting, the file scan on the device starts over. This may cause duplicate endpoint file events and/or cause file events that were queued for processing at the time the setting is disabled to be lost.
If you have already disabled and re-enabled File Metadata Collection, you can reduce duplicate search results by only searching for events that occurred after the date and time File Metadata Collection was last enabled.
Video
Watch the short video below for a demonstration of how to enable File Metadata Collection for an organization.
Step 2 (Optional): Add cloud and email data sources
If your product plan includes additional cloud or email data sources (for example, Google Drive, Microsoft OneDrive, Gmail, or Microsoft Office 365 email), you must authorize Code42 to access this data. For instructions, see Introduction to adding data sources.
Video
Watch the short video below to learn how to enable File Metadata Collection for Google Drive.
Next steps
- To start searching, see Search file activity with Forensic Search.
- Review Forensic Search use cases for specific examples of the types of problems you can solve with Forensic File Search.