Who is this article for?

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

This article applies to Cloud.

Code42 Support

How to use the Code42 Data Exposure dashboards for data loss protection

Overview

The Code42 Data Exposure panel contains the Endpoint File Activity dashboard. This dashboard shows file activity from across your environment to help you catch data exposure or loss as soon as possible. This article gives examples of how to investigate unusual activity that appears in this dashboard.

Considerations

  • You must have credentials for a Code42 user with either the Customer Cloud Admin or Security Center User role.
  • To see activity on the Data Exposure dashboards, you must enable Forensic File Search. For assistance with licensing, contact your Customer Success Manager (CSM) for enterprise support. If you don't know who your CSM is, email csmsupport@code42.com.

Endpoint File Activity dashboard

On the Endpoint File Activity dashboard, you can select the following for investigation:

On Removable Media

Example use case

This graph tracks when users move files to another device, such as a USB drive. Your company policy is that users should use a cloud service, like OneDrive, to send files. So when you see a spike in activity in the graph, you decide to look into which files were moved.

Steps

To see which files have been moved off of the endpoint: 

  1. In the Endpoint File Activity dashboard, select On Removable Media.  
  2. (Optional) Click a point in the graph. 
    The file event details appear.
  3. Click the Investigate icon.
    The Forensic File Search panel opens with the search configured for the selected timeframe and file exposure type. 
  4. (Optional) Add additional search filters. 
  5. Click Search.
  6. For each result, click the Expand file event details icon to expand the event details.
  7. Note the Exposure section for each event. This lists details about files that were moved to removable media. 

Synced to Cloud Service

Example use case

This file activity type shows when files are placed in folders used to sync to cloud services. Your company uses Google Drive as its company cloud service, so you want to verify that users aren't syncing files to their personal cloud services.

Steps

To verify that files are only syncing to approved cloud services: 

  1. In the Endpoint File Activity dashboard, select Synced to a Cloud Service.
  2. Click a point in the graph. 
    The file event details appear.
  3. Click the Investigate icon.
    The Forensic File Search panel opens with the search configured for the selected timeframe and file exposure type. 
  4. (Optional) Add additional search filters. 
  5. Click Search.
  6. For each result, click the Expand file event details icon to expand the event details.
  7. Note the Exposure section for each event. The Sync Destination shows which cloud service the file was uploaded to.

Read by Browser or Other App

Example use case

This dashboard shows whether a file was uploaded to a browser or an app such as Slack, an FTP client, or curl. You see a large spike and want to investigate why one user uploaded a large number of files.

Steps

To investigate whether the file movement is malicious, determine which files were uploaded and which app was used to upload them:

  1. Click a point in the graph. 
    The file event details appear.
  2. Click the Investigate icon.
    The Forensic File Search panel opens with the search configured for the selected timeframe and file exposure type. 
  3. (Optional) Add additional search filters. 
  4. Click Search.
  5. For each result, click the Expand file event details icon to expand the event details.
  6. Note the Executable name. This shows the path on disk of the executable that had access to the file. For example: \Device\Volume\Program Files\Google\Chrome\Application\chrome.exe
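
The three checks above (removable media, sync destination, and executable name) can be applied in one pass once the event details have been noted down. The following is an added example, not Code42 code or a Code42 export format: the event field names, the sample events, the approved-service list, and the spike threshold are all assumptions made for illustration.

```python
import ntpath
from collections import Counter

APPROVED_SYNC = {"google drive"}  # assumption: the policy from the sync use case
SPIKE_THRESHOLD = 3               # assumption: files per user and app worth a look

# Constructed sample events; field names are hypothetical, not a Code42 schema.
CHROME = r"\Device\Volume\Program Files\Google\Chrome\Application\chrome.exe"
CURL = r"\Device\Volume\Windows\System32\curl.exe"
EVENTS = [
    {"user": "alice", "exposure": "Removable Media", "file": "roadmap.pptx"},
    {"user": "bob", "exposure": "Synced to Cloud Service", "file": "notes.docx",
     "sync_destination": "Google Drive"},
    {"user": "bob", "exposure": "Synced to Cloud Service", "file": "customers.csv",
     "sync_destination": "Dropbox"},
    {"user": "carol", "exposure": "Read by Browser or Other App", "file": "a.txt",
     "executable": CHROME},
] + [
    {"user": "dave", "exposure": "Read by Browser or Other App",
     "file": f"src{i}.zip", "executable": CURL} for i in range(4)
]

def app_name(executable_path):
    """Reduce an Executable name path to its lower-cased file name."""
    return ntpath.basename(executable_path or "").lower() or "unknown"

def review(events, approved_sync=APPROVED_SYNC, spike_threshold=SPIKE_THRESHOLD):
    """Return sorted (user, reason) findings, one rule per exposure type."""
    findings = set()
    uploads = Counter()
    for ev in events:
        kind = ev["exposure"]
        if kind == "Removable Media":
            findings.add((ev["user"], f"removable media: {ev['file']}"))
        elif kind == "Synced to Cloud Service":
            dest = (ev.get("sync_destination") or "unknown").strip()
            if dest.lower() not in approved_sync:
                findings.add((ev["user"], f"unapproved sync to {dest}: {ev['file']}"))
        elif kind == "Read by Browser or Other App":
            # Count per user and app so one user's bulk upload stands out.
            uploads[(ev["user"], app_name(ev.get("executable")))] += 1
    for (user, app), count in uploads.items():
        if count >= spike_threshold:
            findings.add((user, f"{count} files read by {app}"))
    return sorted(findings)

if __name__ == "__main__":
    for user, reason in review(EVENTS):
        print(f"{user}: {reason}")
```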