Audit Log event details

Last updated
Save as PDF

Overview

The Code42 Audit Log provides a record of who did what and when in the Code42 environment. This article provides descriptions of the event details that appear in the Audit Log.

For general information about the Audit Log, see Audit Log.

Considerations

You must have the Audit Log Viewer role to view events in the Audit Log.
You can use APIs and py42 to query the Audit Log.

Event details

To view event details in the Audit Log:

Sign in to the Code42 console.
Select Administration > Status > Audit Log.
For any event listed in the Audit Log, click View details .
Event details display.

Event details

Event

Following are the fields that can appear in the Event section of the Event details panel. The fields that display vary depending on the type of activity that triggered the event.

Item	Description
Event type	The event type logged.
Date observed	Date and time the event occurred. The time is reported in Coordinated Universal Time (UTC).

User

Following are the fields that appear in the User section of the Event details panel.

Item	Description
Acting user (Code42)	The Code42 username of the acting user who triggered the event. The acting user can be a Code42 user, Code42 API (via an API client), or SCIM provisioning system. If the acting user was a SCIM provisioning system (for example, for an External attributes change event), the entry appears as the provisioning provider Username credentials from Code42 (for example, "azure_1234@cloud.code42.com"). If the acting user was a Code42 user, clicking View profile opens the user's profile. If the acting user was an API client, clicking View profile opens the API client in the Code42 console.
User type	The type of user who triggered the event: a Code42 user, a Code42 support user, an API client, or the Code42 system. To search for events triggered by specific user types, use the search filter. Code42 support users are users given support access to your Code42 environment to perform investigation and adjust settings as needed. By default, the username of support users is marvin@code42.com.
IP address (public)	The public IP address of the device used to trigger the event.
User agent	Details of the browser and device used to trigger the event. If the acting user was an API call (for example, for a Console login event), this field displays details of the API.

Additional event details

Following are the fields that appear in the Additional event details section of the Event details panel.

Item	Description	Applies to events
Access duration	The duration of temporary file access (the default is 15 minutes).	Temporary file access granted Temporary file access revoked
Account name description	The description of the affected account name.	Account name added Account name changed Account name deleted
Account name value	The value of the affected account name.	Account name added Account name changed Account name deleted
Affected user	The Code42 username of the person who was acted upon in the event.	Activate user Add user Cloud alias added Cloud alias removed Deactivate user External attributes change External reference change Local auth only change Name change Risk factor added Risk factor removed Risk profile notes changed Sharing permission removed User added to watchlist membership Username change User removed from watchlist membership User roles assigned User roles revoked
Affected user type	The type of user who triggered the event, either a Code42 user or a Code42 support user.	Activate user Add user Deactivate user External attributes change External reference change Local auth only change Name change Username change User roles assigned User roles revoked
Affected user UID	The Code42 unique UID (userUid) of the person who was acted upon in the event.	Activate user Add user Cloud alias added Cloud alias removed Deactivate user External attributes change External reference change Local auth only change Name change Risk factor added Risk factor removed Risk profile notes changed User added to watchlist membership Username change User removed from watchlist membership User roles assigned User roles revoked
Alert ID	The unique ID of the alert. The ID is automatically generated when the alert is created and cannot be changed.	Alert note edited Alert state changed
Alert rule ID	The unique ID of the alert rule. The ID is automatically generated when the rule is created and cannot be changed.	Alert rule created Alert rule deleted Alert rule disabled Alert rule edited Alert rule enabled All users removed from alert rule Users added to alert rule Users removed from alert rule Watchlist removed from alert rule
Alert rule name	The name of the alert rule.	Alert rule created Alert rule deleted Alert rule disabled Alert rule edited Alert rule enabled All users removed from alert rule Users added to alert rule Users removed from alert rule Watchlist removed from alert rule
Amount of data deleted	The total amount of data that was deleted (in bytes).	Path purged
Amount of data downloaded	The total amount of data contained in the downloaded ZIP file.	ZIP file downloaded
Amount of data restored	The total amount of file data restored in the event.	Restore ended
API permissions	The read and write permissions given to or removed from API clients.	API client permissions assigned API client permissions revoked
Archive owner	The Code42 username of the person who owned the device from which the data was archived.	Path purged
Assignable roles	The roles available for role mapping in the SCIM provisioning provider.	SCIM provisioner configuration updated
Assignee	The Code42 username of the case assignee.	Case assignee changed
Assignee user UID	The Code42 unique UID (userUid) of the case assignee.	Case assignee changed
Attribute mapping inherited	Whether the attribute mapping for the authentication provider was changed as part of the event (true or false).	Identity provider created Identity provider updated
Authentication contexts	The context class reference to authenticate users. For more information about context classes, see the SAML 2.0 specification.	Identity provider created Identity provider updated
Authentication enabled	Whether the authentication provider is assigned to an organization and therefore enabled for use (true or false).	Identity provider created Identity provider updated
Case ID	The number of the case. The case number is automatically generated when the case is created and cannot be changed.	Case archived Case assignee changed Case closed Case created Case deleted Case exported Case file event added Case file event removed Case subject changed
Changed at	The date and time when the SCIM provisioning provider's credentials were changed.	SCIM provisioner credentials changed
Client ID	The ID of an API client.	API client created API client deleted API client description changed API client name changed API client permissions assigned API client permissions revoked API client secret reset
Cloud alias	The cloud alias name added to or removed from the user.	Cloud alias added Cloud alias removed
Context comparison	The comparison method used to evaluate the requested context class. Valid values are: EXACT MINIMUM MAXIMUM BETTER For more information about context comparison, see the SAML 2.0 specification.	Identity provider created Identity provider updated
Created at	When the authentication provider, identity provider provider, or SCIM provisioning provider was created.	Federation created Identity provider created SCIM provisioner created
Deactivation delay	The length of time that user deactivation is delayed after provisioning.	SCIM provisioner configuration updated SCIM provisioner created
Default organization ID	The organization ID of the default organization that users are provisioned to.	SCIM provisioner configuration updated SCIM provisioner created
Deleted at	The date and time when the SCIM provisioning provider was deleted.	SCIM provisioner deleted
Deleted directory count	The number of directories that were removed from the archive.	Path purged
Deleted file count	The number of files that were removed from the archive.	Path purged
Departments	Departments in a watchlist.	Department added to watchlist definition Department removed from watchlist definition
Description	The description text from the object acted upon.	API client created Alert rule edited Watchlist created Watchlist description changed
Destination holding the archive	The backup destination containing the files.	Path purged Restore ended Restore started
Detector name	The display name of the data connector in Code42.	Sharing permission removed Temporary file access granted Temporary file access revoked
Detector type	The cloud storage provider where the file is stored.	Sharing permission removed Temporary file access granted Temporary file access revoked
Device guid data is pushed to	The globally unique ID (GUID) of the device that received restored files.	Restore ended Restore started
Device guid that owned the data	The globally unique ID (GUID) of the device where the files originated.	Path purged Restore ended Restore started
Device hostname data is pushed to	The hostname of the device that received restored files.	Restore ended Restore started
Device hostname that owned the data	The hostname of the device where the files originated.	Path purged Restore ended Restore started
Directory ID	The directory of the file in cloud storage.	Sharing permission removed Temporary file access granted Temporary file access revoked
Display name attribute	The display name of the federation.	Federation created Federation updated
Domain description	The description of the affected trusted domain.	Domain added Domain deleted
Domain value	The value of the affected trusted domain.	Domain added Domain deleted
Downloading user account (uid)	The Code42 unique UID (userUid) of the person who initiated the file restore.	ZIP file downloaded
Duration	The length of time it took for the file restoration process from start to finish.	Restore ended
Email attribute	The email attribute in the authentication provider's attribute mapping.	Federation created Federation updated Identity provider created Identity provider updated
Employee username	The Code42 username of the person in the watchlist.	Risk profile end date changed Risk profile start date changed
Employee user UID	The Code42 unique ID (userUid) of the person in the watchlist.	Risk profile end date changed Risk profile start date changed
Enabled	Whether the alert rule is enabled: true The alert rule is enabled. false The alert rule is disabled.	Alert rule created Alert rule edited
End date	The departure date of a user.	Risk profile end date changed
Event ID	The ID of a file event added or removed from a case.	Case file event added Case file event removed
Event reason	When the event succeeds ("Event success" is true), no event reason is given. If the event fails ("Event success" is false), the following event reasons can occur: APP_PERMISSION The cloud detector had insufficient permissions or was not actively monitoring. DRIVE NOT FOUND The cloud storage drive for this file was not found. FILES_NOT_FOUND The file was not found. GENERIC Unspecified error. THROTTLED The cloud storage vendor throttled the request. UNAUTHORIZED The requesting user wasn't authorized to request access. USER NOT FOUND The user's name was not found in the cloud storage.	Sharing permission removed Temporary file access granted Temporary file access revoked
Events returned	The number of results returned for this Forensic Search query.	Forensic Search query
Event success	Whether the event execution was successful: true The event completed successfully. false The event did not complete successfully. (For example, if data was being changed to a new value in the event, the string may have been malformed or contained illegal characters).	Deactivate user Sharing permission removed External attributes change External reference change Forensic Search query Name change Temporary file access granted Temporary file access revoked Username change
Export type	The type of case export: Case summary Exported a PDF with the case subject, details, and findings. Detailed file activity was not included. File activity Exported a CSV file with extensive file metadata details for all events in the case. For field definitions, see the Forensic Search event details.	Case exported
External IP address of device pushed to	The ISP-assigned IP address of the device that received restored files.	Restore ended
Family name attribute	The last name attribute in the authentication provider's attribute mapping.	Federation created Federation updated Identity provider created Identity provider updated
Federation ID	The unique identification number of the federation.	Federation created Federation deleted Federated metadata updated Federation updated Identity provider created
Federation metadata MD5 checksum	The checksum of the federation's metadata to ensure it was not edited in transit.	Federation created Federated metadata updated Federation updated
Federation metadata URL	The metadata URL for the federated authentication provider.	Federation created Federated metadata updated Federation updated
File event ID	The Code42 file event ID.	Sharing permission removed Temporary file access granted Temporary file access revoked
File name	The name of the downloaded or updated file.	File download Sharing permission removed Temporary file access granted Temporary file access revoked ZIP file downloaded
File name from the event	The name of the file at the time of download, including the file extension.	File download
File name in storage	The name of the file in storage when temporary access was granted or revoked.	Sharing permission removed Temporary file access granted Temporary file access revoked
File owner	The Code42 username of the file owner.	Sharing permission removed Temporary file access granted Temporary file access revoked
File path	The name of the file in storage before the download.	File download
File size	The size of the file in the archive (in bytes) before it was downloaded or updated.	File download Sharing permission removed Temporary file access granted Temporary file access revoked
Filters	The filters on the alert rule.	Alert rule created Alert rule edited
Git repository description	The description of the affected trusted Git repository.	Git repository added Git repository deleted
Git repository value	The value of the affected trusted Git repository.	Git repository added Git repository deleted
Given name attribute	The given name (first name) attribute in the authentication provider's attribute mapping.	Federation created Federation updated Identity provider created Identity provider updated
Group IDs	The identification numbers of directory groups on a watchlist.	Groups added to watchlist definition Groups removed from watchlist definition
Group to organization map	The organization mapping for the SCIM provisioning provider.	SCIM provisioner configuration updated
Hash algorithm	The digest algorithm that performs a checksum of the contents of the SAML request to ensure it was not edited in transit. For more information about digest algorithms, see the W3 XML Security Algorithm Cross-Reference.	Identity provider created Identity provider updated
Identity provider ID	The unique ID of the authentication provider.	Identity provider assigned to org Identity provider created Identity provider metadata updated Identity provider removed from org Identity provider updated
Identity provider metadata uploaded	Whether the metadata file was uploaded (true or false).	Identity provider created Identity provider updated
Identity provider metadata URL	The metadata URL for the authentication provider.	Identity provider created Identity provider metadata updated Identity provider updated
Included usernames added	The Code42 usernames of users added to a watchlist.	Watchlist definition changed
Included usernames removed	The Code42 usernames of users removed from a watchlist.	Watchlist definition changed
Included user UIDs added	The unique IDs of users added to a watchlist.	Watchlist definition changed
Included user UIDs removed	The unique IDs of users removed from a watchlist.	Watchlist definition changed
Integration name	The name of the authentication provider, federation, or SCIM provisioning provider.	Federation created Federated metadata updated Federation updated Identity provider created Identity provider metadata updated Identity provider updated SCIM provisioner configuration updated SCIM provisioner created
Integration name inherited	Whether the name of the authentication provider was changed as part of the event (true or false).	Identity provider updated
Internal IP address of device pushed to	The local IP address of the device that received restored files.	Restore ended
Internal IP address of requestor	The local IP address of the device that requested the file restoration.	Restore started
Investigated file size	The size of the downloaded file (in bytes).	File download
Investigated user	The user undergoing investigation.	File download
IP address description	The description of the trusted IP address.	IP address added IP address deleted
IP address value	The value of the trusted IP address.	IP address added IP address deleted
Local timestamp	The local time the file download or restore event occurred.	File download Restore ended Restore started ZIP file downloaded
MD5 hash	The MD5 hash of the file contents.	File download Sharing permission removed Temporary file access granted Temporary file access revoked
Name	The name of the item at the time the event occurred. Note that the name of the item can be changed later.	API client created API client deleted API client permissions assigned API client permissions revoked API client secret reset Case archived Case assignee changed Case closed Case deleted Case exported Case file event added Case file event removed Case subject changed
New account name description	The description of the account name after the change.	Account name changed
New account name value	The value of the account name after the change	Account name changed
New domain description	The description of the trusted domain after the change.	Domain changed
New domain value	The value of the trusted domain after the change.	Domain changed
New Git repository description	The description of the trusted Git repository after it was changed.	Git repository changed
New Git repository value	The value of the trusted Git repository after it was changed.	Git repository changed
New IP address description	The description of the trusted IP address after it was changed.	IP address changed
New IP address value	The value of the trusted IP address after it was changed.	IP address changed
New Slack Workspace description	The description of the trusted Slack Workspace after it was changed.	Slack Workspace changed
New Slack Workspace value	The value of the trusted Slack Workspace after it was changed.	Slack Workspace changed
New trusted scope - cloud share	The cloud storage services that are trusted for file sharing after the change.	Domain changed
New trusted scope - cloud sync	The cloud storage services that are trusted for file sync after the change.	Domain changed
New trusted scope - email share	The email services that are trusted after the change.	Domain changed
New trusted scope - file share	The value of the file share trusted scope after it was changed: enabled Activity is trusted. disabled Activity is not trusted.	Domain changed
New URL description	The description of the trusted specific URL after it was changed.	URL changed
New URL value	The value of the trusted specific URL after the change.	URL changed
New value	The value of the data after the event.	API client description changed API client name changed External attributes change External reference change Local auth only change Name change Username change Watchlist name changed
Note	The note on the alert.	Alert note edited Alert state changed
Notes	The changed user profile notes that describe the reasons for monitoring the user in the watchlist.	Risk profile notes changed
Notification settings	The notification settings for the alert rule.	Alert rule created Alert rule edited
Number of files restored	The total number of files restored in the event.	Restore ended
Number of files that failed to restore	The total number of files that were not successfully restored in the event.	Restore ended
Old value	The value of the data before the event.	API client description changed API client name changed External attributes change External reference change Local auth only change Name change Username change
Organization ID	The ID of the organization to which the authentication provider is assigned.	Identity provider assigned to org Identity provider deleted Identity provider removed from org
Organization mapping type	The type of organization mapping used for the SCIM provisioning provider.	SCIM provisioner configuration updated SCIM provisioner created
Owner of device data pushed to	The Code42 username of the person that received restored files.	Restore started Restore ended
Owner uid of device data pushed to	The Code42 unique ID (userUid) of the person that received restored files.	Restore ended Restore started
Previous account name description	The description of the account name before it was changed.	Account name changed
Previous account name value	The value of the account name before it was changed.	Account name changed
Previous assignee	The Code42 username of the previous case assignee.	Case assignee changed
Previous assignee user UID	The Code42 unique UID (userUid) of the previous case assignee.	Case assignee changed
Previous domain description	The description of the trusted domain before it was changed.	Domain changed
Previous domain value	The value of the trusted domain before it was changed.	Domain changed
Previous Git repository description	The description of the trusted Git repository before it was changed.	Git repository changed
Previous Git repository value	The value of the trusted Git repository before it was changed.	Git repository changed
Previous IP address description	The description of the trusted IP address before it was changed.	IP address changed
Previous IP address value	The value of the trusted IP address before it was changed.	IP address changed
Previous score	The previous risk score value.	Risk setting changed
Previous Slack Workspace description	The description of the trusted Slack Workspace before it was changed.	Slack Workspace changed
Previous Slack Workspace value	The value of the trusted Slack Workspace before it was changed.	Slack Workspace changed
Previous subject	The Code42 username of the previous case subject.	Case subject changed
Previous subject user UID	The Code42 unique UID (userUid) of the previous case subject.	Case subject changed
Previous trusted scope - cloud share	The cloud storage services that were trusted for file sharing before the change.	Domain changed
Previous trusted scope - cloud sync	The cloud storage services that were trusted for file sync before the change.	Domain changed
Previous trusted scope - email share	The email services that were trusted before the change.	Domain changed
Previous trusted scope - file share	The value of the file share trusted scope after it was changed: enabled Activity is trusted. disabled Activity is not trusted.	Domain changed
Previous URL description	The description of the trusted specific URL before it was changed.	URL changed
Previous URL value	The value of the trusted specific URL before it was changed.	URL changed
Previous value	The value of the item before it was changed.	Watchlist name changed
Provider entity ID	The entity ID submitted by the authentication provider to the identity provider.	Identity provider created Identity provider updated
Provider type	The type of SCIM provisioning provider (default or Code42 User Directory Sync).	SCIM provisioner configuration updated SCIM provisioner created
Provisioner ID	The unique ID of the provisioning provider.	SCIM provisioner created SCIM provisioner deleted SCIM provisioner configuration updated SCIM provisioner credentials changed
Purged path	The path that was purged. The following message appears when the purged path is suppressed by the person running the `purge.path` command: CLI command path display suppressed	Path purged
Query parameters	The parameters of the Forensic Search. For more information about individual parameters shown, see the File event metadata reference or the Forensic Search API.	Forensic Search query
Recommended score	The Code42 default score value.	Risk setting changed Risk setting created
Restore ID	The unique ID of a file restoration. The same restore ID will appear on a Restore started and Restore ended event.	Restore ended Restore started ZIP file download
Result	The result of the file restore event: CANCELED The restore was canceled before it could be completed. SUCCESS The restore completed successfully.	Restore ended
Risk factor	The risk factors that were added to or removed from a user in the watchlist.	Risk factor added Risk factor removed
Risk indicator	The name of the risk indicator.	Risk factor added Risk factor removed Risk setting changed Risk setting created
Role mapping type	The type of role mapping (manual or group).	SCIM provisioner configuration updated SCIM provisioner created
Role names	The roles assigned to or revoked from a user.	User roles assigned User roles revoked
Roles assigned to groups	The roles assigned to users within groups at provisioning time.	SCIM provisioner configuration updated
Score	The current risk indicator severity.	Risk setting changed Risk setting created
Search type	The kind of Forensic Search performed: query A search performed in Forensic Search. export An export to a comma-separated values list. grouping A search that returns results for a particular field (Forensic Search API only).	Forensic Search query
SHA256 hash	The SHA256 hash of the file contents.	File download Sharing permission removed Temporary file access granted Temporary file access revoked
Signature algorithm	The cryptographic signature algorithm for the checksum of the contents of the SAML request. For more information about signature algorithms, see the W3 XML Security Algorithm Cross-Reference.	Identity provider created Identity provider updated
Slack Workspace description	The description of the affected trusted Slack Workspace.	Slack Workspace added Slack Workspace deleted
Slack Workspace value	The value of the affected trusted Slack Workspace.	Slack Workspace added Slack Workspace deleted
Start date	The start date of a user.	Risk profile start date changed
State	The state of the alert after the change: Open The alert has not been reviewed. In Progress The alert is under review. Pending response Response to the alert is pending. Dismissed The alert is resolved.	Alert state changed
Subject	The Code42 username of the subject of the case subject.	Case archived Case assignee changed Case closed Case deleted Case file event added Case file event removed Case subject changed
Subject user UID	The Code42 unique UID (userUid) of the case subject.	Case archived Case assignee changed Case closed Case deleted Case file event added Case file event removed Case subject changed
Sub-type	The type of file restoration: Device Indicates an administrator or user used the Code42 console to restore files to a device. In the export file, this subtype is shown as PUSH. Device migration Indicates a user restored files to a new device when they replaced their old device. Legal hold Indicates an administrator collected files for a Legal Hold. Restore files Indicates a user used the Code42 agent to restore files to their device. In the export file, this subtype is shown as STANDARD. User profile Indicates a user restored their USMT user profile to a new device when they replaced their old device. In the export file, this subtype is shown as USMT_PROFILE.	Restore ended Restore started
Sync user	The username in the provisioning provider whose credentials are used for provisioning synchronization.	SCIM provisioner created
Total files	The total number of exported files.	Case exported
Total file size for all files	The combined size of all exported files.	Case exported
Trusted scope - cloud share	The cloud storage services that are trusted if the user they're shared with is on this domain.	Domain added Domain deleted
Trusted scope - cloud sync	The cloud storage services that are trusted if the username signed in to the cloud sync app is on the domain.	Domain added Domain deleted
Trusted scope - email share	The email services that are trusted if the email recipient is on the domain.	Domain added Domain deleted
Trusted scope - file share	Whether file upload activity is trusted if the domain is included in the browser URL or tab title: enabled Activity is trusted. disabled Activity is not trusted.	Domain added Domain deleted
Updated at	When the SCIM provisioning provider was updated.	SCIM provisioner configuration updated
Updated local auth status	The authentication method was changed for the user: true The user is authenticated as a local user (Code42-based authentication). false The user is authenticated by SSO.	Local auth only change
URL description	The description of the affected trusted specific URL.	URL added URL deleted
URL of ZIP restore	The URL of the ZIP file downloaded in the file restoration process.	ZIP file downloaded
URL value	The value of the affected trusted specific URL.	URL added URL deleted
User IDs	The Code42 unique IDs of users.	Excluded users added to watchlist definition Excluded users removed from watchlist definition Included users added to watchlist definition Included users removed from watchlist definition
Username attribute	The username attribute in the authentication provider's attribute mapping.	Federation created Federation updated Identity provider created Identity provider updated
Username from name ID	Whether the username attribute in the authentication provider's attribute mapping is derived from the user ID (true or false).	Federation created Federation updated Identity provider created Identity provider updated
Usernames	Code42 usernames.	Excluded users added to watchlist definition Excluded users removed from watchlist definition Included users added to watchlist definition Included users removed from watchlist definition
Users added	The Code42 usernames of individuals added to an alert rule.	Users added to alert rule
Users removed	The Code42 usernames of individuals removed from an alert rule.	Users removed from alert rule
User that owned the data	The Code42 username of the person who owned the files that were restored.	Restore ended Restore started
User that owns the file	The owner of the downloaded file.	File download
User type that owned the data	The type of user who owned the files that were restored, either a Code42 user or Code42 support user.	Restore ended Restore started
User uid that owned the data	The Code42 unique UID (userUid) of the person who owned the files that were restored.	Restore ended Restore started
Vectors	The exfiltration vectors of the alert rule.	Alert rule created Alert rule edited
Watchlist ID	The ID of the watchlist associated with the event.	Department added to watchlist definition Department removed from watchlist definition Excluded users added to watchlist definition Excluded users removed from watchlist definition Groups added to watchlist definition Groups removed from watchlist definition Included users added to watchlist definition Included users removed from watchlist definition User added to watchlist membership User removed from watchlist membership Watchlist created Watchlist definition changed Watchlist deleted Watchlist description changed Watchlist name changed Watchlist removed from alert rule
Watchlist name	The name of the watchlist asosciated with the event.	Department added to watchlist definition Department removed from watchlist definition Excluded users added to watchlist definition Excluded users removed from watchlist definition Groups added to watchlist definition Groups removed from watchlist definition Included users added to watchlist definition Included users removed from watchlist definition User added to watchlist membership User removed from watchlist membership Watchlist created Watchlist definition changed Watchlist deleted Watchlist description changed Watchlist removed from alert rule
Watchlist type	The name of watchlist involved in the event.	Department added to watchlist definition Department removed from watchlist definition Excluded users added to watchlist definition Excluded users removed from watchlist definition Groups added to watchlist definition Groups removed from watchlist definition Included users added to watchlist definition Included users removed from watchlist definition User added to watchlist membership User removed from watchlist membership Watchlist created Watchlist definition changed Watchlist description changed Watchlist deleted
Where was restore initiated	The location where the restore process was triggered: CONSOLE Restore was initiated from the Code42 console. AGENT Restore was initiated from the Code42 agent.	Restore ended Restore started

Overview

Considerations

Event details

Event

User

Additional event details

Related topics