Skip to main content

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, no.

Incydr Basic, Advanced, and Gov F1, no.

CrashPlan Cloud, no.

Retired product plans, no.

CrashPlan for Small Business, no.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Enable endpoint monitoring and file metadata collection

template('Code42/AppliesTo', { 'crashplan_pro': false, 'code42_crashplan': true });

...

This tutorial explains how to enable endpoint monitoring and file metadata collection to capture user file activity so you can start using
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/ins/span, line 1, column 10
to Endpoint monitoring uses the
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/del[2]/span, line 1, column 10
to capture file activity on user devices in real time, helping you track user behavior to identify
detect and respond to insider riskspotential insider threats.
  • ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/ul/del[1]/span, line 1, column 10
    
    's file
    Endpoint monitoringexfiltration detection captures file activity anywhere on a user's device, not just within the user's backup file selection, including activity on removable media, in cloud sync folders, and uploads related to removable media, cloud services, and uploads and downloads via web browsers and other applications.
  • File metadata Metadata Collectioncollection captures all file activity on a device, which enables you to search file metadata to gain a clearer understanding of file activity throughout the organization.
Video Watch the short video below to learn how to enable endpoint monitoring. For more videos, visit the
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/del[5]/span, line 1, column 10
University
.

...

ConsiderationsEndpoint monitoring types

To enable endpoint monitoring and file metadata collectionEnabling endpoint monitoring in your
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/del/span, line 1, column 10
allows you to detect the following categories of potential file exfiltration activity
:
  • Removable media: Monitors file activity on removable media, such as USB drives or SD cards. Cloud Sync Applications: Monitors file activity in folders on the device used for syncing with cloud services, including Box, Box Drive (Mac only), Dropbox, Google Backup and Sync, Apple iCloud, and Microsoft OneDrive. Windows and Mac only. The Browser and other Application Activity: 
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/ins[2]/span, line 1, column 10
    
    must be installed for all users
    Identifies files opened in apps commonly used for uploading and downloading files, such as a web browser, Slack, AirDrop, FTP client, or curlWindows and Mac only. Printers: Per-user installationsIdentifies files sent to printers. are not supportedMac and Linux only.
  • Your File Metadata
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/a[2]/ins[1]/span, line 1, column 10
    
    Collection: 
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/a[2]/ins[2]/span, line 1, column 10
    
    Provides
     must includevisibility into all Endpoint monitoringfile activity by collecting detailed metadata for all files on user devices, in cloud services and (Google Drive and Microsoft OneDrive), and in email providers (Microsoft Office 365 and Gmail). See our 
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/del[12]/span, line 1, column 10
    
    for more details.
    Considerations File metadata collection
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/b/del/span, line 1, column 10
    
    recommends only enabling endpoint monitoring in a small, test organization at first
    . Contact If your
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/del[14]/span, line 1, column 10
    
    contains more than 5,000 users, contact
     your Customer Success Manager (CSM)  for assistance with
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/ins[7]/span, line 1, column 10
    
    s
    creating a deployment strategy. If Compliance Settings  If youare activated for an organization, you cannot enable endpoint monitoring for that organization or any of its child organizations that inherit settings. Parent and sibling organizations are not affected.
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/del[19]/span, line 1, column 10
    
    INTERNAL USE ONLY
    For example, given this org hierarchy: Root org Default Parent org School of Medicine org (Compliance Settings activated) Administration org Other org 're not Endpoint monitoring would not be available for the School of Medicine org (where Compliance Settings are activated). But endpoint monitoring would still be available for the Root, Default Parent, Administration, and Other organizations. sure wiki.page("Administrator/Cloud/Content_Library/Google_Drive_File_Stream_and_Endpoint_Monitoring", "Google Drive File Stream and Endpoint Monitoring") how to Before you begin reach your Ensure your
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/del[31]/span, line 1, column 10
    
    meets the following requirements:
    CSM,You must have a
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/span[1], line 1, column 10
    
     that includes file exfiltration detection.
  • Organizations must The
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[1]/ul/del[34]/span, line 1, column 10
    
    must be installed for all users.
     Per-user installations are not supported. use Users' archives must use the Standard archive encryption key policy for backup data.. Endpoint monitoring data cannot be collected for users with Archive key password andor Custom key encryption are not supportedarchive encryption.
  • Organizations usingEnable Compliance Settings cannot enable endpoint monitoring or file metadata collection.endpointmonitoringfor file exfiltration detection

Steps

...

Endpoint monitoring

and file metadata collection requirerequires standard archive encryption. Before enabling these settings, endpoint monitoring for an organization, you must lock the Archive Encryption Key setting to prevent users or administrators from changing it later.

...

Step 2: Enable endpoint monitoring and file metadata collectionfor organizations

Start with a test organization
We recommend enabling these settings in a small, test organization at first. This helps ensure user devices and activity monitoring and reporting are performing as expected
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[2]/div/div/del[1]/span, line 1, column 10
recommends enabling endpoint monitoring in a test organization first to ensure settings are properly configured to capture the user activity you want to monitor
.  Once you see the desired results with a small number of users, then enable endpoint monitoring and file metadata collection for additional organizations.start enabling endpoint monitoring one organization at

If your
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[2]/div/div/ins[3]/span, line 1, column 10
contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy
atime.
  1. Sign in to the
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[2]/div/ol/li[1]/a/span, line 1, column 10
    
  2. as a user with either the Customer Cloud Admin or Security Center User role.
  3. Select Administration > Environment > Organizations.
  4. Select an organization.
  5. From the
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[2]/div/ol/li[4]/span, line 1, column 10
    
    , select Edit.
  6. Select Endpoint Monitoring.
  7. Deselect Inherit settings from parent, if necessary.
  8. Select Enable endpoint monitoringone or
  9. .
  10. Select allmore detection types. For more details, see 
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[2]/div/ol/ins[6]/span, line 1, column 10
    
    .
    • Click Removable media:Save Monitors file activity on removable media, such as USB drives or SD cards.to immediately apply your changes to all devices
    • Cloud Sync Applications:
    • Monitors file activity in folders on the device used for syncing with cloud servicesinthis organization and all of its inheriting child organizations.
    • Browser and other Application Activity: 
    • Identifies files opened in apps commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
      Code42 requires macOS permissions to detect file upload destinations 
      If you enable Browser and other Application Activity detection, you must take action to grant Code42 permission on Mac devices to detect the window title and URL active at the time a file is uploaded. For details, follow the steps in Grant Code42 permissions to macOS devices.
    • Printers: 
    • Identifies files sent to printers. Mac and Linux only.
    • File Metadata Collection: 
    • Provides visibility into all file activity by collecting detailed metadata for all files on user devices, and in supported cloud services and email providers.
  11. Click Save to immediately apply your changes to all devices in this organization and all of its inheriting child organizations.
    Within five minutes, devices start scanning files and sending file metadata to
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[2]/div/ol/em/ins/span[1], line 1, column 10
    
    . File events typically start appearing in
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[2]/div/ol/em/ins/span[2], line 1, column 10
    
     and Alerts within 15 minutes, while file events may take up to an hour to start appearing in the
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[2]/div/ol/em/ins/span[3], line 1, column 10
    
     dashboard and User Profiles. For more details, see
    ParseError: EOF expected (click for details)
    Callstack:
        at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[2]/div/ol/em/ins/span[4], line 1, column 10
    
    .

...

Next stepsOptional

Review file activity

ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[3]/div[1]/ins[1]/span, line 1, column 10
provides a variety of tools to review file activity, including dashboards, user profiles, alerts, detection lists, and advanced ad-hoc search capabilities. For more details about these tools, see our
guides for capturing and reviewing suspicious activity.

Add cloud and email data connections (optional)

If your
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[3]/div[2]/ins/span[1], line 1, column 10
 includes additional cloud or email data sources (for example, Google Drive, Microsoft OneDrive, Gmail, or Microsoft Office 365 email), you must authorize
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[3]/div[2]/ins/span[2], line 1, column 10
to access this data. For instructions, see 
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[3]/div[2]/ins/span[3], line 1, column 10
, or watch the short video below.

...

Advanced configuration steps

...

Step 3: Enable automatic file scan for removable media

Step 4: Exclude paths from monitoring

...

Step 5: Enable automatic file scanning of all cloud folder contents

...

Next steps: Review file activity The
ParseError: EOF expected (click for details)
Callstack:
    at (Article_Update_Log/2021-07-01/Enable_endpoint_monitoring_and_file_metadata_collection), /content/body/div[3]/div[3]/div[3]/del[2]/span, line 1, column 10
provides a variety of tools to review file activity, including dashboards, user profiles, and advanced ad-hoc search capabilities. For more details about these tools, see our
guide for reviewing suspicious activity.

...

Other changes:

  1. /body/ul/li[2]/a/@href:
  2. "/Administrator/Cloud/Monitoring_and_managing/Forensic_Search_use_cases""/Administrator/Cloud/Monitoring_and_managing/Search_file_activity_with_Forensic_Search"
  3. /body/ul/li[2]/a/@title:
  4. "Forensic File Search use cases""Search file activity with Forensic Search"
  5. /body/ol[2]/li/a/@href:
  6. "/Administrator/6/Code42_console_reference/01_Code42_console_overview""/Administrator/Cloud/Code42_console_reference/01_Code42_console_overview"
  7. /body/ol[2]/li/a/@title:
  8. "Administrator/6/Administration_Console_Reference/01_Administration_Console_Overview""Administrator/Cloud/Administration_Console_Reference/01_Administration_Console_Overview"
  9. /body/p[4]/img/@alt:
  10. "Org_Settings_Endpoint_Monitoring""Organization Settings Endpoint Monitoring"
  11. /body/div[7]/p[2]/a/@title:
  12. "File Metadata Collection exclusions (formerly Forensic File Search)""File Metadata Collection exclusions"
  13. /body/div[7]/ol/li/a/@title:
  14. "Forensic File Search exclusions""File Metadata Collection exclusions"
  15. /body/div[8]/div/ul/li/a/@href:
  16. "/Administrator/Cloud/Configuring/Enable_endpoint_monitoring_and_file_metadata_collection#Step_2:_Enable_endpoint_monitoring_for_organizations""/Administrator/Cloud/Configuring/Enable_endpoint_monitoring_and_file_metadata_collection#Step_2:_Enable_endpoint_monitoring_and_file_metadata_collection"
  17. /body/div[8]/div/ul/li/a/@title:
  18. "Enable endpoint monitoring for file exfiltration detection""Enable endpoint monitoring and file metadata collection"
  • Was this article helpful?