Skip to main content

Who is this article for?

Code42 for Enterprise
CrashPlan for Small Business

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:

On-premisesLink: What version am I on?

Code42 Support

Enable endpoint monitoring for file exfiltration detection

Who is this article for?

Code42 for Enterprise
CrashPlan for Small Business

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Other available versions:

On-premisesLink: What version am I on?


Endpoint monitoring uses the Code42 app to capture file activity on user devices in real time, helping you track user behavior to identify potential insider threats.

  • Code42's file exfiltration detection captures file activity anywhere on a user's device, not just within the user's backup file selection, related to removable media, cloud services, and uploads and downloads via web browsers and other applications.
  • File Metadata Collection captures all file activity on a device, which enables you to search file metadata to gain a clearer understanding of file activity throughout the organization.


Watch the video below to learn how to enable file exfiltration detection.

Watch the video below for an overview of file exfiltration detection.

For more videos, visit the Code42 University

Endpoint monitoring types

Enabling endpoint monitoring in your Code42 environment allows you to detect the following categories of potential file exfiltration activity:

  • Removable media: Monitors file activity on removable media, such as USB drives or SD cards.
  • Cloud Sync Applications: Monitors file activity in folders on the device used for syncing with cloud services, including Box, Box Drive (Mac only), Dropbox, Google Backup and Sync, Apple iCloud, and Microsoft OneDrive. Windows and Mac only.
  • Browser and other Application Activity: Identifies files opened in apps commonly used for uploading and downloading files, such as a web browser, Slack, AirDrop, FTP client, or curl. Windows and Mac only.
  • Printers: Identifies files sent to printers. Mac and Linux only.
  • File Metadata Collection: Provides visibility into all file activity by collecting detailed metadata for all files on user devices, in cloud services (Google Drive and Microsoft OneDrive), and in email providers (Microsoft Office 365 and Gmail). See our Forensic Search reference guide for more details.


  • Code42 recommends only enabling endpoint monitoring in a small, test organization at first. If your Code42 environment contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy.
  • If Compliance Settings are activated for an organization, you cannot enable endpoint monitoring for that organization or any of its child organizations that inherit settings. Parent and sibling organizations are not affected.
Google Drive File Stream activity not detected by endpoint monitoring
Google's Drive File Stream retrieves files by mounting a temporary internal drive partition on the user's device and streaming files to the temporary drive. The Code42 app only monitors file movement to external drives, so it does not detect this activity.

Before you begin

  1. Ensure your Code42 environment meets the following requirements:
  2. Create a test organization, and then add a small number of test users to use in the steps below for initial endpoint monitoring testing. Alternatively, use the Change Organization command to move a small number of existing users into the test organization.

Enable endpoint monitoring for file exfiltration detection

Step 1: Lock archive encryption key settings

Endpoint monitoring requires standard archive encryption. Before enabling endpoint monitoring for an organization, you must lock the Archive Encryption Key setting to prevent users or administrators from changing it later.

Disabled inheritance
If you disable inheritance for an organization, that organization is not affected by changes to its parent organization.
  1. Sign in to the Code42 console.
  2. Go to Organizations > Active.
  3. Select an organization.
  4. From the action menu, select Device Backup Defaults.
  5. In the General section, deselect Use device defaults from parent.
  6. Select the Security tab.
  7. In the Archive Encryption Key section:
    1. Deselect Use default archive encryption key setting.
    2. Verify that Standard is selected.
    3. Click the Lock icon to prevent users from changing this setting.
    4. Review the confirmation message and click OK.
  8. Click Save.

Step 2: Enable endpoint monitoring for organizations

Start with a test organization
Code42 recommends enabling endpoint monitoring in a test organization first to ensure settings are properly configured to capture the user activity you want to monitor. Once you see the desired results with a small number of users, then start enabling endpoint monitoring one organization at a time.
  1. Sign in to the Code42 console.
  2. Select Organizations > Active.
  3. Select an organization.
  4. From the action menu, select Edit.
  5. Select Endpoint Monitoring.
  6. Deselect Inherit settings from parent, if necessary.
  7. Select one or more detection types to enable them.
  8. Click Save to immediately apply your changes to all devices in this organization and all of its inheriting child organizations.
Code42 requires macOS permissions to detect file upload destinations 
If you enable Browser and other Application Activity detection, you must take action to grant Code42 permission on Mac devices to detect the window title and URL active at the time a file is uploaded. For details, follow the steps in Grant Code42 permissions to macOS devices.

Endpoint Monitoring settings

Optional configuration steps

Advanced settings
The steps below are optional configuration settings, and are not required to start capturing file activity. If you want to configure any of these items to override the Code42 defaults, click the + icon next to each step for detailed instructions.

Step 3: Enable automatic file scan for removable media

Step 4: Exclude paths from monitoring

Step 5: Enable automatic file scanning of all cloud folder contents

Review file activity

Details of monitored exfiltration activity are available in both the Investigation section of the Code42 console and in the Code42 app for Splunk.

Advanced search options
If you are licensed for File Metadata Collection with the endpoint data source, user activity for Cloud Folders, Removable Media, and Application Activity is also available via the Investigation > Forensic Search section of the Code42 console.

Exposure filters in Forensic Search introduce more advanced search options, and also display some file activity details in the Code42 console that were previously only available via CSV export. For more details, see the Forensic Search reference guide

From the Code42 console

  1. Sign in to the Code42 console.
  2. Select Investigation > User Activity.
  3. Enter a username.
  4. Enter a date range.
  5. Click Search.
  6. Review the Activity Results.
  7. For more details, select the action menu in the upper-right of any chart and select Export CSV. The exported file contains extensive details about the file activity. 

Permissions for Investigation access
The Customer Cloud Admin role includes access to the Investigation section of the Code42 console automatically. To grant access to a user with a different role, assign the Security Center User role.  

If file exfiltration detection is included in your product plan but you can’t access the Investigation section of the Code42 console, go to My Profile to ensure you have the required permissions. Contact our Customer Champions for support if you do not have the necessary role or permissions.

In the Code42 app for Splunk

Install the Code42 app for Splunk to gain access to dashboards and other detailed information about file exfiltration activity in your Code42 environment.

For more information on Splunk, including their free trial that can be used with the Code42 app for Splunk, see Splunk's documentation.