Skip to main content

Who is this article for?

Incydr Professional, Enterprise, Gov F2, and Horizon
Incydr Basic, Advanced, and Gov F1

Find your product plan in the Code42 console on the Account menu.
Not an Incydr customer? For CrashPlan articles, search or browse.

Instructor, no.

Incydr Professional, Enterprise, Gov F2, and Horizon, yes.

Incydr Basic, Advanced, and Gov F1, yes.

CrashPlan Cloud, yes.

Retired product plans, yes.

CrashPlan for Small Business, no.

Code42 Support

Audit Log


The Code42 Audit Log provides a record of who did what and when in the Code42 environment. This article provides detailed descriptions of each item in the Audit Log in the Code42 console. Some uses of the Audit Log include: 

  • Determine how the Code42 environment ended up in its current state.
  • Spot check the work of security analysts to prevent abuse of privileged access.
  • Identify areas of training for users that caused inadvertent changes.
Use the Audit Log APIs to export results
The Audit Log in the Code42 console allows you to quickly search events and export the results to a comma-separated-values (CSV) file. While this is helpful to quickly perform spot checks, instead use the Code42 API if you need to export events to your internal security team tools. See Audit Log in the Code42 Developer Portal.


Audit Log in the Code42 console

To view the Audit Log:

  1. Sign in to the Code42 console.
  2. Select Administration > Status > Audit Log

Audit Log

Item Description
a Export Export icon Export the filtered events to a comma-separated values (CSV) file.
b Filter Filter icon Filter the events by the criteria you select. 
c Filtered by The filters that are currently applied to the Audit Log events. Click the X to remove that filter. Remove all filters to view all events.
d Username The Code42 username associated with the event.
e Event type

The event type logged.

f Date observed Date and time the event occurred. The time is reported in Coordinated Universal Time (UTC).
g IP address Public IP address involved in the event. 
h View detail Details icon Click to view event details. Includes event type, date observed, and device details.


To filter the events listed in the Audit Log, click Filter Filter icon and select the criteria to use. When you click Apply, events that match all filters appear in the list.

Audit Log filter

Item Description
a Username Returns events triggered by a specific Code42 user. Use commas to separate multiple usernames.
b User type

The type of user to search for:

  • User
    Select to search for events triggered by a Code42 user.
  • Code42 support user
    Select to search for events triggered by a Code42 support user. Code42 support users are Customer Champions given support access to your Code42 environment to perform investigation and adjust settings as needed. By default, the Code42 support user's name is The Code42 support user can create additional users that appear in the Audit Log. To find those users, you can filter on the user type Code42 support user and then filter on the Add user event type.
  • API client
    Select to search for events triggered by an API client.
c Date range

Filters the list by the selected date range. Select Custom to enter start and end dates to use to filter events. You can also select All dates to view all events that have been logged.

d Event type

Filters results by event types. All events filters by all available event types. 


Event types are organized into categories. Select All events in a category to filter by all available event types in that category. 


See the Event types section below for a description of each event type. 

  • Administration
    • All events
    • Code42 support user access disabled
    • Code42 support user access enabled
    • Risk setting changed
    • Risk setting created
  • Alerts
    • Alert note edited
    • Alert rule created
    • Alert rule deleted
    • Alert rule disabled
    • Alert rule edited
    • Alert rule enabled
    • Alert state changed
    • All users removed from alert rule
    • Users added to alert rule
    • Users removed from alert rule
    • Watchlist removed from alert rule
  • API Clients
    • All events
    • API client created
    • API client deleted
    • API client description changed
    • API client name changed
    • API client permissions assigned
    • API client permissions revoked
    • API client secret reset
  • Authorization
    • All events
    • Console login
  • Cases
    • All events
    • Case assignee changed
    • Case closed
    • Case created
    • Case deleted
    • Case exported
    • Case file event added
    • Case file event removed
    • Case subject changed
  • Data Preferences
    • Account name added
    • Account name changed
    • Account name deleted
    • Domain added
    • Domain changed
    • Domain deleted
    • IP address added
    • IP address changed
    • IP address deleted
    • Slack Workspace added
    • Slack Workspace changed
    • Slack Workspace deleted
    • URL added
    • URL changed
    • URL deleted
  • File access
    • All events
    • File download
    • File download: IO error
    • Path purged
    • Restore ended
    • Restore started
    • ZIP file downloaded
  • Forensic Searches
    • All events
    • Forensic Search query
  • Identity and access management 
    • Federation created
    • Federation deleted
    • Federation metadata updated
    • Federation updated
    • Identity provider assigned to org
    • Identity provider created
    • Identity provider deleted
    • Identity provider metadata updated
    • Identity provider removed from org
    • Identity provider updated
    • SCIM provisioner configuration updated
    • SCIM provisioner created
    • SCIM provisioner credentials changed
    • SCIM provisioner deleted
  • User updates
    • All events
    • Activate user
    • Add user
    • Deactivate user
    • Email change
    • External attributes change
    • External reference change
    • Local auth only change
    • Name change
    • User roles assigned
    • User roles revoked
    • Username change
  • Watchlists  * Deprecated event type. Replaced by watchlist event types.
    • Cloud alias added
    • Cloud alias removed
    • Departing employee added*
    • Departing employee alert settings changed*
    • Departing employee departure date changed*
    • Departing employee removed*
    • Department added to watchlist definition
    • Department removed from watchlist definition
    • Excluded users added to watchlist definition
    • Excluded users removed from watchlist definition
    • Groups added to watchlist definition
    • Groups removed from watchlist definition
    • High risk employee added*
    • High risk employee alert settings changed*
    • High risk employee removed*
    • Included users added to watchlist definition
    • Included users removed from watchlist definition
    • Risk factor added*
    • Risk factor removed*
    • Risk profile end date changed
    • Risk profile notes changed
    • Risk profile start date changed
    • User added to watchlist membership
    • User removed from watchlist membership
    • Watchlist created
    • Watchlist definition changed
    • Watchlist deleted
e IP address Filters the events by a specific public IP address involved in the event. Use commas to separate multiple IP addresses.
f Cancel / Apply Click Apply to apply the selected filter criteria to the list and display only the events that match that criteria. To return to the list without applying any filters, click Cancel.


Click Export icon Export to export the filtered events in the Audit Log to a comma-separated values (CSV) file. Any filters that are applied are shown above the Audit Log list. Click the X on a filter to remove that filter from the exported results.

In addition to exporting events to CSV in the Code42 console, you can also export events with the Code42 API. See Audit Log in the Code42 Developer Portal.

Event details

For any event listed in the Audit Log, click View details Details icon to see more information about the event.

Event details

Following are the fields that can appear in event details.



Additional event details

Event types


  • Was this article helpful?