Skip to main content

Who is this article for?

CrashPlan Cloud
CrashPlan for Small Business
CrashPlan On-Premises

Find your product plan in the Code42 console on the Account menu.
Not a CrashPlan On-Premises customer? Search or browse Incydr and Instructor, CrashPlan Cloud, or CrashPlan for Small Business.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, no.

Incydr Basic, Advanced, and Gov F1, no.

CrashPlan Cloud, no.

Retired product plans, yes.

CrashPlan for Small Business, no.

Code42 Support

Best practices for using Code42 to address insider risk


Insider risk is a potential for harm coming from people within an organization, such as employees, former employees, contractors, or business associates. An insider threat can compromise an organization's data, computer systems, or security, and the threat itself might be theft of information, fraud, or sabotage. This article provides best practices for security teams to follow in order to to most effectively detect insider threat file activities and respond to incidents.

This article applies only to Code42 environments with an on-premises authority server. For Code42 cloud environments, see Detect and respond to insider risks.

Upgrade to the Code42 cloud
Upgrade to the Code42 cloud to take advantage of Incydr, our most advanced insider risk detection, investigation, and response features. Incydr offers many insider risk capabilities not available in on-premises environments.


  • The procedures described here are suggestions, not requirements, for using Code42 to handle insider threats at your organization. Be sure to adjust the tasks described in this article as needed to work in accordance with your company's own processes for addressing insider threat.
  • You must have the SYSADMIN role or the Security Center User role to perform the tasks in this article.
  • Many of these tasks can be performed using the Code42 API. If you have a standard insider threat scripting procedure, you can add the Code42 API tasks to the script. For help with using Code42 APIs, contact your Customer Success Manager to engage the Professional Services team.

Step 1: Capture file activity

Before you can use Code42 to address insider threat, you must do the following to capture file activity:

Enable endpoint monitoring

Enable endpoint monitoring to capture file activity on each device in real time, helping you identify potential insider threat actions. Enable the following endpoint monitoring options:

  • Removable media
  • Cloud service
  • Application activity (file upload and download)
  • File restore
  • Pattern matching

Endpoint monitoring identifies most file activity anywhere on a user's device, not just within the user's backup file selection. Pattern matching, however, only applies to files included in the user's backup file selection.

See Enable endpoint monitoring for file exfiltration detection for more information.

Enable monitoring for removable media and cloud services
Select Removable media and Cloud service when enabling endpoint monitoring. These represent two common methods that departing employees use to take company data. 

Collect files

Set up Code42 to collect files on endpoints and place them into archives. In the event of insider threat file activity, you can download these files and examine their contents. You can also collect files from the archives for use in a legal hold action if needed. 

To optimize file collection:

  • Select all the users' files
    By default, the Code42 app collects all files in a user's home directory. Use inclusion and exclusion settings to include any additional files from users' devices, and exclude any that you do not want to collect. Remember that any files that you do not collect cannot be downloaded for examination or used in a legal hold.
  • Set file collection frequency and retention
    To get the best coverage for file investigation, use the default frequency and versions settings to collect new file versions every 15 minutes and to never remove deleted files from archives. 
  • Extend cold storage duration
    Cold storage is a temporary storage state for file archives after a user or device is deactivated in your Code42 environment. You can specify how long the archives are retained in cold storage before they are permanently deleted. Extending the cold storage duration preserves file archives for a longer period to ensure they are available for threat investigation. Keep in mind that users whose files are in archives in cold storage still consume subscriptions.

See Device Backup - Backup settings reference.

Step 2: Investigate suspicious file activity

Investigate suspicious file activity using the following Investigation options in the Code42 console

You can also use third-party tools in conjunction with Code42 to investigate suspicious file activity.

User activity

User activity searches for users' security events detected by endpoint monitoring. Use this option when you want to view activity rather than receive notifications. You can see a trend of the user's activity over the last 60 days, providing a baseline of typical activity that helps you identify spikes in file movement that signal unusual activity. 

See User Activity and Activity Notifications reference for more information.

Export user activity to a spreadsheet
Use the Export CSV feature to download data about users' file activity for analysis or archiving.

Activity Notifications

Set up activity notifications for high-risk employees to monitor file activity detected by endpoint monitoring and receive an email notification when suspicious activity occurs. 

See Configure activity profiles for more information.

Step 3: Respond to insider threat incidents

When an insider threat incident occurs, you need to move quickly to identify the actors involved and the files compromised. While your company has its own response protocol, the following Code42 features can help you respond to insider threat incidents:

Integrations with third-party security tools

Use the following third-party Code42 integrations to respond to suspicious file activity.

Splunk Phantom

Splunk Phantom is a security orchestration, automation, and response (SOAR) solution. Use the the Code42 app for Splunk Phantom to add Code42-specific actions to your Splunk Phantom environment.

See Code42 app for Splunk Phantom for more information.


Splunk is a solution for data analytics monitoring and visualization. Use the Code42 for Splunk (Legacy) app to monitor file activity using security dashboards

See Install and manage the Code42 for Splunk (Legacy) app for more information.

Legal Hold

If file activity is identified as coming from an insider threat, files involved in that activity, and their history, can be gathered and held for legal action using Code42's Legal Hold. To obtain files for use in Legal Hold, you must first collect files into archives.

Gathering files for a legal hold may be part of eDiscovery, the process of discovery in legal cases when the information is in electronic format. As part of the eDiscovery process, you may need to perform tasks such as the following in response to an insider threat incident:

  • Identify when the incident occurred. 
  • Determine who has files involved in the incident.
  • Search the logs stored on endpoint devices running the Code42 app.

See eDiscovery integration guide and Configure a legal hold for additional information.

Add high-risk employees to a legal hold
Add employees who have the highest risk of taking sensitive data to a legal hold. Adding them to a legal hold keeps the employees' files in archives for a longer period, in case they are needed for additional investigation or future legal action. Deactivated users cannot be added to legal holds. If you need to add a deactivated user to a legal hold, first reactivate that user.

Additional help

If you are new to Code42 for Enterprise, contact our sales team to get started.

If you already use Code42 for Enterprise, contact your Customer Success Manager (CSM) for assistance with:

  • Licensing for specific features
  • Configuring your Code42 environment to best handle insider threat

If you do not know your CSM, please contact our Customer Champions.

  • Was this article helpful?