Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Horizon, and Gov F2
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Audit Log

Overview

The Code42 Audit Log provides a record of who did what and when in the Code42 environment. Some uses of the Audit Log include: 

  • Determine how the Code42 environment ended up in its current state.
  • Spot check the work of security analysts to prevent abuse of privileged access.
  • Identify areas of training for users that caused inadvertent changes.

This article provides descriptions of each item in the Audit Log in the Code42 console.

For information about the details that appear for events, see Audit Log event details.

Use the Audit Log APIs to export results
The Audit Log in the Code42 console allows you to quickly search events and export the results to a comma-separated-values (CSV) file. While this is helpful to quickly perform spot checks, instead use the Code42 API if you need to export events to your internal security team tools. See Audit Log in the Code42 Developer Portal.

Considerations

Audit Log in the Code42 console

To view the Audit Log:

  1. Sign in to the Code42 console.
  2. Select Administration > Status > Audit Log
  3. To view details of an event, click View details Details icon.
    For information about event details, see Audit Log event details

    Audit Log

    Item Description
    a Export Export icon Export the filtered events to a comma-separated values (CSV) file.
    b Filter Filter icon Filter the events by the criteria you select. 
    c Filtered by The filters that are currently applied to the Audit Log events. Click the X to remove that filter. Remove all filters to view all events. 
    d Username The Code42 username associated with the event.
    e Event type

    The event type logged.

    f Date observed Date and time the event occurred. The time is reported in Coordinated Universal Time (UTC).
    g IP address Public IP address involved in the event. 
    h View detail Details icon

    Click to view event details. Includes event type, date observed, and device details.

     

    For details, see Audit Log event details.

     

Filter

To filter the events listed in the Audit Log, click Filter Filter icon and select the criteria to use. When you click Apply, events that match all filters appear in the list.

Audit Log filter

Item Description
a Username Returns events triggered by a specific Code42 user. Use commas to separate multiple usernames.
b Resource ID

Search for events related to a specific resource's ID.

 

Resources whose IDs you can search for include:

  • Affected user
  • Alert
  • Alert rule
  • Archive source computer GUID
  • Case
  • Client
  • Federation
  • Identity provider
  • Provisioner
  • User
  • Watchlist
c User type

The type of user to search for:

  • User
    Select to search for events triggered by a Code42 user.
  • Code42 support user
    Select to search for events triggered by a Code42 support user. Code42 support users are Technical Support Engineers given support access to your Code42 environment to perform investigation and adjust settings as needed. By default, the Code42 support user's name is marvin@code42.com. The Code42 support user can create additional users that appear in the Audit Log. To find those users, you can filter on the user type Code42 support user and then filter on the Add user event type.
  • API client
    Select to search for events triggered by an API client.
  • System
    Select to search for events triggered by the Code42 system. 
d Date range

Filters the list by the selected date range. Select Custom to enter start and end dates to use to filter events. You can also select All dates to view all events that have been logged.

e Event type

Filters results by event types. All events filters by all available event types. 

 

Event types are organized into categories. Select All events in a category to filter by all available event types in that category. 

 

See the Event types section below for a description of each event type. 

  • Administration
    • All events
    • Code42 support user access disabled
    • Code42 support user access enabled
    • Risk setting changed
    • Risk setting created
  • Alerts
    • Alert note edited
    • Alert rule created
    • Alert rule deleted
    • Alert rule disabled
    • Alert rule edited
    • Alert rule enabled
    • Alert state changed
    • All users removed from alert rule
    • Users added to alert rule
    • Users removed from alert rule
    • Watchlist removed from alert rule
  • API Clients
    • All events
    • API client created
    • API client deleted
    • API client description changed
    • API client name changed
    • API client permissions assigned
    • API client permissions revoked
    • API client secret reset
  • Authorization
    • All events
    • Console login
  • Cases
    • All events
    • Case archived
    • Case assignee changed
    • Case closed
    • Case created
    • Case deleted
    • Case exported
    • Case file event added
    • Case file event removed
    • Case subject changed
  • Data Preferences
    • Account name added
    • Account name changed
    • Account name deleted
    • Domain added
    • Domain changed
    • Domain deleted
    • Git repository added
    • Git repository changed
    • Git repository deleted
    • IP address added
    • IP address changed
    • IP address deleted
    • Slack Workspace added
    • Slack Workspace changed
    • Slack Workspace deleted
    • URL added
    • URL changed
    • URL deleted
  • File access
    • All events
    • File download
    • File download: IO error
    • Path purged
    • Restore ended
    • Restore started
    • Sharing permission removed
    • Temporary file access granted
    • Temporary file access revoked
    • ZIP file downloaded
  • Forensic Searches
    • All events
    • Forensic Search query
  • Identity and access management 
    • Federation created
    • Federation deleted
    • Federation metadata updated
    • Federation updated
    • Identity provider assigned to org
    • Identity provider created
    • Identity provider deleted
    • Identity provider metadata updated
    • Identity provider removed from org
    • Identity provider updated
    • SCIM provisioner configuration updated
    • SCIM provisioner created
    • SCIM provisioner credentials changed
    • SCIM provisioner deleted
  • User updates
    • All events
    • Activate user
    • Add user
    • Deactivate user
    • Email change
    • External attributes change
    • External reference change
    • Local auth only change
    • Name change
    • User roles assigned
    • User roles revoked
    • Username change
  • Watchlists  
    • Cloud alias added
    • Cloud alias removed
    • Department added to watchlist definition
    • Department removed from watchlist definition
    • Excluded users added to watchlist definition
    • Excluded users removed from watchlist definition
    • Groups added to watchlist definition
    • Groups removed from watchlist definition
    • Included users added to watchlist definition
    • Included users removed from watchlist definition
    • Risk factor added
    • Risk factor removed
    • Risk profile end date changed
    • Risk profile notes changed
    • Risk profile start date changed
    • User added to watchlist membership
    • User removed from watchlist membership
    • Watchlist created
    • Watchlist definition changed
    • Watchlist deleted
    • Watchlist description changed
    • Watchlist name changed
f IP address Filters the events by a specific public IP address involved in the event. Use commas to separate multiple IP addresses.
g Cancel / Apply Click Apply to apply the selected filter criteria to the list and display only the events that match that criteria. To return to the list without applying any filters, click Cancel.

Export

Click Export icon Export to export the filtered events in the Audit Log to a comma-separated values (CSV) file. Any filters that are applied are shown above the Audit Log list. Click the X on a filter to remove that filter from the exported results.

In addition to exporting events to CSV in the Code42 console, you can also export events with the Code42 API. See Audit Log in the Code42 Developer Portal.

Event types

Following are the kinds of events that appear in the Audit Log.

Account name added

This event means that a corporate cloud account name has been added to trusted activity

Account name changed

This event means that a change has been made to a corporate cloud account name or description in trusted activity

Account name deleted

This event means that a corporate cloud account name has been removed from trusted activity

Activate user

This event means that a user was reactivated in Code42. Reactivation occurs after a user had been previously deactivated

Add user 

This event means that a new user was added in Code42. 

An empty value for fields in this event type may result from the initial intake of users from your Code42 environment into the Audit Log. See Troubleshooting.

Alert note edited

This event means that a note on an alert was changed.

Alert rule created

This event means that an alert rule was created.

Alert rule deleted

This event means that an alert rule was deleted.

Alert rule disabled

This event means that an alert rule was disabled.

Alert rule edited

This event means that an alert rule was edited

Alert rule enabled

This event means that an alert rule was enabled.

Alert state changed

This event means that an alert's state changed. Following are the possible states:

  • Open: The alert has not been reviewed.
  • In progress: The alert is under review.
  • Pending response: Response to the alert is pending.
  • Dismissed: The alert is resolved.

All users removed from alert rule

This events means that all users were removed from an alert rule by the Code42 API, py42, or CLI, but not the Code42 console. If all users are removed from an alert rule in the Code42 console, it triggers an Alert rule edited event. 

API client created

This event means that an an API client was created

API client deleted

This event means that an an API client was deleted

API client description changed

This event means that an API client's description was changed.

API client name changed

This event means that an API client's name was changed.

API client permissions assigned

This event means that read or write API permissions were given to an API client.

API client permissions revoked

This event means that read or write API permissions were removed from an API client.

API client secret reset

This event means that an API client's secret was reset.

Case archived

This event means that a case was archived

Case assignee changed

This event means that the person who is assigned to take a case has been changed

Case closed

This event means that a case was closed.

Case created

This event means that a case was created

Case deleted

This event means that a case was permanently deleted.  

Case exported

This event means that a case was exported

Case file event added

This event means that a file event was added to a case

Case file event removed

This event means that a file event was removed from a case

Case subject changed

This event means that the person who the case is about was changed

Cloud alias added

This event means that a cloud alias was added to a user profile.

A cloud alias is an email alias other than the Code42 username that the user utilizes for cloud services such as Google Drive, OneDrive, or Box. Only one alias can be added for each user.

Cloud alias removed

This event means that a cloud alias was removed from a user profile.

Code42 support user access disabled

This event means that support access to your Code42 environment was turned off, so Code42 support users (also known as Technical Support Engineers) no longer have permission to access your Code42 environment to troubleshoot or adjust settings.

Code42 support user access enabled

This event means that Code42 support users (also known as Technical Support Engineers) were granted support access to your Code42 environment to troubleshoot and adjust settings as needed.

Code42 support users can log in after they are given support access. By default, the Code42 support user's name is marvin@code42.com

To find events performed by a Code42 support user, filter on the user type Code42 support user. The user information appears in the User type section of the event details. If the Code42 support user creates additional users, you can find them in the Audit Log by filtering on the user type Code42 support user and event type Add user.

Console login

This event means that a login to the Code42 console was recorded. The login could be from a direct user sign-in, a user signing in with single sign-on (SSO), or a sign-in initiated with an API call from the Code42 API or an integration. If the sign-in is initiated with an API call, the User agent field displays details of the API.

Deactivate user

This event means that a user was deactivated in Code42. A user can be deactivated for many reasons, from leaving the company to being removed from a provisioning system. For more information about user deactivation performed by provisioning systems, see our articles on SCIM provisioning and Code42 User Directory Sync.

Department added to watchlist definition 

This event means that a department was added to a watchlist

Department removed from watchlist definition 

This event means that a department was removed from a watchlist

Domain added

This event means that a domain has been added to the list of trusted activity in data preferences.

Domain changed

This event means that a domain has been changed in the list of trusted activity in data preferences.

Domain deleted

This event means that a domain has been removed from the list of trusted activity in data preferences.

Email change

This event means that a user's email address was changed. In Code42, the user's email address is also their Code42 username. Therefore, a change to a user's email address also results in a Username change event. 

Excluded users added to watchlist definition

This event means that certain users in a department or directory group were excluded from a watchlist

Excluded users removed from watchlist definition

This event means that certain users in a department or directory group were who were previously excluded from a watchlist are now added to a watchlist

External attributes change

This event means that an external user provisioning system updated a user's attributes, such as Code42 User Directory Sync or a SCIM provisioning system like Azure AD provisioningOkta provisioning, or PingOne provisioning.

When a provisioning system triggers an event, the Username Code42 entry appears as the provisioning provider username credentials from Code42 (for example, "azure_1234@cloud.code42.com").

If multiple attributes for a user are changed as a result of a single provisioning action, then all the attribute changes appear in the same event. User attributes obtained from a provisioning system display in Code42 in the User Profile. The changed attributes that can appear in this event type are:

  • country
  • division
  • department
  • employee_type
  • locality
  • manager_user_id
  • region
  • title

If user attributes are not populated correctly, see Provision user attributes to Code42.

External reference change

This event means that a user's external reference information was changed. The External Reference field in Code42 is used by administrators to add descriptive information to users, devices, or organizations in the Code42 environment, such as serial numbers, asset tags, employee IDs, help desk issue IDs, and the like. This information provides additional context for administrators and helps to integrate with external systems.

Federation created

This event means that a federation was created in Identity Management. 

Federation deleted

This event means that a federation was deleted in Identity Management. 

Federation metadata updated

This event means that the metadata for a federation was edited. 

Federation updated

This event means that details of a federation were edited.  

File download

This event means that a file was downloaded from Forensic Search or a case. The downloaded file's name, size, MD5 hash, and other information appears in the additional event details.

File download: IO error

When a file download from Forensic Search or a case was attempted, the file failed to download due to an I/O device error. 

Forensic Search query

This event means that a Forensic Search query was performed in the Code42 console or a Forensic Search was run with the Code42 API. The details of the Forensic Search query are recorded in the Query Parameters

Git repository added

This event means that a Git repository has been added to the list of trusted activity in data preferences.

Git repository changed

This event means that a Git repository has been changed in the list of trusted activity in data preferences.

Git repository deleted

This event means that a Git repository has been removed from the list of trusted activity in data preferences.

Groups added to watchlist definition

This event means that a directory group was added to a watchlist

Groups removed from watchlist definition

This event means that a directory group was removed from a watchlist

Identity provider assigned to org

This event means that an authentication provider was assigned to an organization.

Identity provider created

This event means that an authentication provider was created

Identity provider deleted

This event means that an authentication provider was deleted. 

Identity provider metadata updated

This event means that the metadata for an authentication provider was edited. 

Identity provider removed from org

This event means that an authentication provider was removed from an organization

Identity provider updated

This event means that details of an authentication provider were edited.

Included users added to watchlist definition

This event means that users were added to a watchlist individually.

Note that if a user is added because they are a member of a directory group or department, the User added to watchlist membership event occurs.

Included users removed from watchlist definition

This event means that users were removed from a watchlist individually. 

Note that if a user is removed because they are a member of a directory group or department, the User removed from watchlist membership event occurs.

IP address added

This event means that an IP address has been added to the list of trusted IP addresses in data preferences.

IP address changed

This event means that an IP address has been changed in the list of trusted IP addresses in data preferences.

IP address deleted

This event means that an IP address has been removed from the list of trusted IP addresses in data preferences.

Local auth only change

This event means that the local authentication method was changed for the user. Users with local authentication appear in the Local Users pane of the Authentication tab in Identity Management.

In the Updated local auth status field of the event details, a value of "true" indicates that the user is restricted to local (Code42-based) authentication only, while a value of "false" indicates that the user is authenticated by SSO. 

An empty value for fields in this event type may result from the initial intake of users from your Code42 environment into the Audit Log. See Troubleshooting.

Name change

This event means that a user's first name or last name was changed. 

Path purged

This event means that the purge.path command was used to remove files or directories from backup archives. 

Restore ended

This event means that restoration (download) of files to a device has completed.

The additional event details show the type of restore and other information about the restore, such as the owner of the device that received the restored files.

Restore started

This event means that restoration (download) of files to a device has started.

Compare the restore start and end times for the same restore ID to find how long a restore took. Depending on the kind of restore and the amount of file content restored, the length of time for a restore can vary widely.

Risk factor added

This event means that risk factors were added to a user in a watchlist.

Risk factor removed

This event means that risk factors were removed from a user in a watchlist.

Risk profile end date changed

This event means that the departure date of a user was changed in a user profile.

Risk profile notes changed

This event means that notes were changed in a user profile.

Risk profile start date changed

This event means that the start date was changed in a user profile.

Risk setting changed

This event means that the severity value of a risk indicator was changed. 

Risk setting created

This event means that a risk indicator was added. This is a system action that occurs: 1) when Code42 creates a new risk indicator, or 2) the first time Code42 receives a file event after your initial deployment. You cannot create new risk settings on your own.

SCIM provisioner configuration updated

This event means that details of a SCIM provisioning provider were edited. 

SCIM provisioner created

This event means that a SCIM provisioning provider was created

SCIM provisioner credentials changed

This event means that the Provider Credentials were changed for the SCIM provisioning provider.

SCIM provisioner deleted

This event means that the SCIM provisioning provider was deleted. 

Sharing permission removed

This event means that a cloud storage file's sharing permissions have been removed for a user. 

Slack Workspace added

This event means that a Slack Workspace has been added to the list of trusted activity in data preferences.

Slack Workspace changed

This event means that a Slack Workspace has been changed in the list of trusted activity in data preferences.

Slack Workspace deleted

This event means that a Slack Workspace has been removed from the list of trusted activity in data preferences.

Temporary file access granted

This event means an analyst has requested temporary view access to a file in a cloud storage service monitored by one of our data connectors. File access is granted for 15 minutes. 

Temporary file access revoked

This event means an analyst's temporary 15-minute view access period has expired for access to a file in a cloud storage service monitored by one of our data connectors. 

URL added

This event means that a specific URL path has been added to the list of trusted activity in data preferences.

URL changed

This event means that a specific URL path has been changed in the list of trusted activity in data preferences.

URL deleted

This event means that a specific URL path has been removed from the list of trusted activity in data preferences.

User added to watchlist membership

This event means that a user was added to a watchlist when a directory group or department was used to populate the watchlist. Note that if a user is added to a watchlist individually, the Included users added to watchlist definition event occurs. 

User removed from watchlist membership

This event means that a user was removed from a watchlist when a directory group or department was removed from a watchlist. Note that if a user is removed from a watchlist individually, the Included users removed from watchlist definition event occurs. 

User roles assigned

This event means that roles were assigned to a user. For a list of all available roles, see the Roles reference.

User roles revoked

This event means that roles were removed from a user

Username change

This event means that a user's Code42 username was changed. In Code42, the user's email address is also their Code42 username. Therefore, a change to a Code42 username also results in an Email change event for the user. 

The Affected user field in the event details is empty in this type of event because the username value is shown in the Old value and New value fields. See Troubleshooting.

Users added to alert rule

This event means that users are added to an alert rule by the Code42 API, py42, or CLI. If users are added to an alert rule in the Code42 console, it triggers an Alert rule edited event.

Users removed from alert rule

This event means that users are removed from an alert rule by the Code42 API, py42, or CLI. If users are removed from an alert rule in the Code42 console, it triggers an Alert rule edited event. 

Watchlist created

This event means that a watchlist was created.

Watchlist definition changed

This event means that some aspect of a watchlist changed. 

Watchlist deleted

This event means that a watchlist was deleted

Watchlist description changed

This event means that the description of a custom watchlist changed. 

Watchlist name changed

This event means that the name of a custom watchlist changed. 

Watchlist removed from alert rule

This event means a watchlist is no longer in an alert rule because it was deleted from the list of watchlists. If a watchlist is removed from an alert rule, it triggers an Alert rule edited event.

ZIP file downloaded

This event means that a ZIP file was downloaded to a device while restoring files to a ZIP file.

Troubleshooting

Empty values in fields

Empty values in Audit Log fields (shown as or "unknown") may occur for a number of reasons:

Export limit

The maximum number of events that can be exported from the Audit Log at once is 100,000. To work around this limitation, adjust your filters to reduce the number of events in any given export to be less than 100,000, then complete multiple exports to obtain the entire set of events. 

Related topics

  • Was this article helpful?