File Metadata Collection exclusions
Who is this article for?
Incydr, yes.
CrashPlan for Enterprise, no.
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Overview
This article explains how to use the Code42 API to define a list of file types and file paths to exclude from File Metadata Collection monitoring. This helps ensure user devices don't spend resources indexing file metadata for files you're not interested in monitoring. It also helps simplify Forensic Search results by reducing irrelevant or unimportant file events.
The examples in this article use curl, but the concepts apply to any tool you choose for interacting with the Code42 API.
Considerations
- Exclusions must be defined in regular expression (regex) format.
- Exclusions apply to all users and organizations in your Code42 environment.
- You must have credentials for a Code42 user with the Customer Cloud Admin, Org Admin, or Cross Org Admin role. An Org Admin must be an administrator of the top-level organization.
API request details
- Request URL
- United States:
- If you sign in to the Code42 console at https://console.us.code42.com/console, use:
https://console.us.code42.com/api/ - If you sign in to the Code42 console at https://www.crashplan.com/console, use:
https://www.crashplan.com/api/ - If you sign in to the Code42 console for the Code42 federal environment at https://console.gov.code42.com/console, use:
https://console.gov.code42.com/api/
- If you sign in to the Code42 console at https://console.us.code42.com/console, use:
- Ireland: https://console.ie.code42.com/api/
- United States:
- Resource:
OrgSettings
- Key:
device_fileForensics_fileExclusions_org
- Methods:
GET
to view existing exclusions;PUT
to add or update exclusions - API documentation
- United States:
- Ireland: https://console.ie.code42.com/apidocviewer/#OrgSetting
View and update exclusions
Step 1: Find your top-level OrgID
To view and edit exclusions, you must first identify your top-level organization's numeric ID:
- Sign in to the Code42 console.
- Select Administration > Environment > Organizations.
- Select your top-level organization. This organization is at the top of the organizational hierarchy and is the parent for all other organizations.
- In the web browser's address bar, note the numeric ID in the URL after "organization" but before any query or token parameters. In this example, the OrgID is 123456: https://console.us.code42.com/console/#/organization/123456?t=78910
Step 2: View existing exclusions
Use the GET
method to view existing exclusions. The OrgSettings
resource also contains keys for numerous other Code42 settings. Therefore, to view only the exclusions, you must include the device_fileForensics_fileExclusions_org
key as a query parameter.
The example below assumes basic familiarity with curl commands. Use this as a template to create a command specific to your Code42 environment:
curl -X GET \ '<request_url>
/api/OrgSettings/<OrgID>
?keys=device_fileForensics_fileExclusions_org' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username
'
- Replace
<request_url>
with the address of your Code42 environment (do not include the brackets in your request). - Replace
<OrgID>
with the number identified in Step 1 above (do not include the brackets in your request). - Replace
username
with your Code42 username. - Execute the curl command in your command-line tool of choice. When prompted, enter your password.
The Code42 API returns the existing exclusions. If no exclusions exist yet, thedata
object in the response is empty.
Step 3: Update or add new exclusions
Use the PUT
method to add or modify exclusions. Before sending any updates, make sure to complete Step 2 above to obtain the list of existing exclusions.
The
OrgSettings
API resource does not automatically add to existing values. All PUT
requests completely replace existing values. Therefore, to add to existing exclusions, you must first obtain a list of current exclusions and re-submit that entire list with your new additions.The steps below assume basic familiarity with curl commands. Use the following example as a template to create a command specific to your Code42 environment.
curl -X PUT \ '<request_url>
/api/OrgSettings/<OrgID>
' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username
' \ -d '{ "packets": [ { "key": "device_fileForensics_fileExclusions_org", "value": { "all":[ "'\''.*cache.*'\''" ], "macintosh":[ "'\''.*.db'\''" ], "windows":[ "'\''.*.etl'\''", "'\''.*/AppData/.*'\''" ] }, "locked": true } ] }'
- Replace
<request_url>
with the address of your Code42 environment (do not include the brackets in your request). - Replace
<OrgID>
with the number identified in Step 1 above (do not include the brackets in your request). - Replace
username
with your Code42 username. - Define exclusions with regex for each operating system in use in your Code42 environment. Defining specific exclusions for each operating system minimizes the resources required on user devices. In this example:
- All devices will exclude files with the .cache extension
- Mac devices will exclude files with the .db extension
- Windows devices will exclude files with the .etl extension
- Windows devices will exclude the AppData directory
- Execute the curl command in your command-line tool of choice. When prompted, enter your password.
A 204 No Content response indicates the Code42 cloud received the request and applied the exclusions to user devices.
Delete all exclusions
Use the DELETE
method to remove all exclusions. To prevent inadvertent removal of other system settings, you must include the device_fileForensics_fileExclusions_org
keys as a query parameter.
To test this request, submit it first as a
GET
request and make sure the response includes only the device_fileForensics_fileExclusions_org
key. Then resubmit it as a DELETE
request.The
OrgSetting
resource also contains keys for numerous other Code42 settings. Therefore, it is very important to list the correct key as a query parameter in the request URL. Failure to specify only the device_fileForensics_fileExclusions_org
key will cause other system settings to be deleted by this request.The example below assumes basic familiarity with curl commands. Use this as a template to create a curl command specific to your Code42 environment:
curl -X DELETE \ '<request_url>
/api/OrgSettings/<OrgID>
?keys=device_fileForensics_fileExclusions_org' \ -H 'cache-control: no-cache' \ -H 'content-type: application/json' \ -u 'username
'
- Replace
<request_url>
with the address of your Code42 environment (do not include the brackets in your request). - Replace
<OrgID>
with the number identified in Step 1 above (do not include the brackets in your request). - Replace
usernamed
with your Code42 username. - Execute the curl command in your command-line tool of choice. When prompted, enter your password.
A 204 No Content response indicates the Code42 cloud received the request and deleted all exclusions.
External resources
- Curl: Command line tool and library reference
- Wikipedia: Regular expressions (regex)