Skip to main content

This article applies to Cloud.

Other available versions:

Version 6icon.qnmark.png

Available in:

Small Business
Forensic File Search

Code42 Support

Best practices for defending against insider threat

This article applies to Cloud.

Other available versions:

Version 6icon.qnmark.png

Available in:

Small Business
Forensic File Search


An insider threat is a potential for harm coming from people within an organization, such as employees, former employees, contractors, or business associates. An insider threat can compromise an organization's data, computer systems, or security, and the threat itself might be theft of information, fraud, or sabotage.

This article provides best practices for Code42 administrators to follow in order to to most effectively monitor for insider threat activities and respond to incidents.


Monitor insider threat activity

A key part of a robust insider threat response program is monitoring for insider threat activity.

Code42's File Exfiltration Detection provides monitoring tools that give you visibility into activity often associated with malicious insider behavior, such as unauthorized file movement. After setup, monitoring operates in the background and provides alerts to notify you when suspicious activity occurs.

The following Code42 features help you monitor and view insider threat activity:

Endpoint monitoring

Endpoint monitoring uses the Code42 app to capture file activity on each device in real time, helping you identify five types of potential data leaks or security problems:

  • Removable media
  • Personal cloud
  • Application activity (file upload and download)
  • Restore
  • Pattern matching

Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.

You can visualize the data collected by endpoint monitoring in two ways:

  • Sign in to the Security Center to view basic information from endpoint monitoring in a web browser.
  • Install the Code42 app for Splunk to visualize detailed endpoint monitoring data as part of a larger Splunk installation.

See Endpoint monitoring for additional information.

User activity

User activity searches for users' security events detected by endpoint monitoring. The report can help you identify and visualize potential data leaks. You can also export the results to a CSV file for analysis or archiving.

See Security Center reference for additional information.

Activity notifications

Use activity notifications to monitor file activity detected by endpoint monitoring for specific high-risk users and receive an email notification when suspicious activity occurs.

See Configure activity profiles in Security Center for additional information.

Code42 app for Splunk

If your organization has Splunk Enterprise or Spunk Cloud, use the Code42 app for Splunk to visualize detailed endpoint monitoring data in the security dashboards. The Code42 app for Splunk has separate dashboards for monitoring removable media, cloud services, file restore, and file upload.

See Install and manage the Code42 app for Splunk for additional information.

Respond to an insider threat incident

When an insider threat incident occurs, you need to move quickly to identify the actors involved and the files compromised. The following Code42 features help you respond to an insider threat incident:

Forensic File Search

In the event of an insider threat incident, Forensic File Search provides detailed visibility for Code42 administrators about files on user devices, including files not selected for backup. Using Forensic File Search, administrators can search file metadata to gain a clearer understanding of file activity throughout the organization.

Forensic File Search helps you to quickly answer questions such as:

  • Is there file activity that looks like malicious activity?
  • Is there evidence of covering up malicious activity?
  • Who in my organization has, or previously had, a specific file?

Forensic File Search reports on file events detected by Code42. A file event is any activity observed for a file. For example, creating, modifying, renaming, moving, or deleting a file generates an event for that file. Events are reported for both user and system actions. Search results return file events for all organizations in your Code42 environment.

See Configure Forensic File Search and Forensic File Search use cases for additional information.

Access Lock

If a user is identified as an insider threat, Access Lock enables administrators to lock the user's Windows device, thereby preventing unauthorized access. Locking the device prevents access to all content on the device (not just the files selected for backup). Access Lock leverages Microsoft's BitLocker technology to lock all drives connected to the device with a new key. Once a device is locked, it is completely inaccessible without the new recovery key to unlock it. The data on the device is retained and can be used to further investigate the threat.  

See Access Lock for additional information. 

Legal Hold web app

If file activity is identified as coming from an insider threat, files involved in that activity, and their history, can be collected and held for legal action using Code42's Legal Hold web app

File collection from a legal hold may be part of eDiscovery, the process of discovery in legal cases when the information is in electronic format. As part of the eDiscovery process, you may need to perform tasks such as the following in response to an insider threat incident:

  • Determine who has restored files from a particular organization and when the restores occurred. 
  • Search the logs stored on endpoint devices running the Code42 app.

See eDiscovery integration guide and Configure a legal hold for additional information.

Additional help

If you are new to Code42 for Enterprise, contact our sales team to get started.

If you already use Code42 for Enterprise, contact your Customer Success Manager (CSM) for enterprise support at for assistance with:

  • Licensing for Security Center or the Legal Hold web app.
  • How to configure your Code42 environment to best handle insider risk.