Organizations - Endpoint Data Collection reference

Overview

Use the Endpoint Data Collection tab on the organization details screen to identify the exfiltration vectors you want to monitor for risky activity. Code42 automatically collects all metadata associated with the files involved in such activity. You can also collect the contents of those files, when available, to provide important context during investigations.

For Incydr Basic, Advanced, and Gov F1, this tab is labeled Insider Risk.

Endpoint Data Collection settings

To view an organization's endpoint data collection settings:

Select Administration > Environment > Organizations.
From the Organizations table, click the organization you want to view.
Click the Endpoint Data Collection tab.

Item	Description
a	Collect file metadata	Identifies the vectors Code42 monitors on endpoints for possible file exfiltration. You can enable or disable: Removable media Scanning all removable media (such as USB drives or SD cards) for file metadata. Cloud sync applications Detection of files that are synced to cloud storage using these apps installed on the endpoint: Box Box Drive (Mac only) Dropbox Google Drive for Desktop (requires Code42 agent version 1.4.0 or later) iCloud OneDrive Code42 watches a personal OneDrive account and up to two OneDrive for Business accounts on each device Browser and other application activity Detection of files accessed by web browsers and other applications (for example, uploading attachments to web-based email or downloading files via FTP). This may also include other instances of apps accessing a file, such as opening a local file to view it in a web browser without actually uploading it. Code42 requires macOS permissions to detect file upload destinations If you enable Browser and other Application Activity detection, you must take action to grant Code42 permission on Mac devices to detect the window title and URL active at the time a file is uploaded. For details, follow the steps in macOS permissions for the insider risk agent. Printers Detects files sent to printers and captures an image of the printed file. All Mac and Linux agents are supported. Windows has early access support for devices with insider risk agent version 1.8.0 and later. By default, Code42 automatically collects the metadata from files involved in exfiltration activity for the vectors you select. All file activity Monitor all endpoint file activity. (Available as an add-on for some product plans)
b	Collect exfiltrated file contents	Identifies whether Code42 collects the contents of the file itself when that file is involved in possible exfiltration activity. Enabled: Contents of files involved in exfiltration activity are collected and accessible in the file event details. File contents are retained for the Event data retention period specified in your product plan. Disabled: Contents of files involved in exfiltration activity are not collected. Disabling this setting can help meet compliance requirements by not collecting file contents in organizations where users handle especially sensitive information. However, even when exfiltrated file contents are not collected, file metadata is still captured for all exfiltration vectors enabled above.
c	Edit	Click to update the Collect file metadata or Collect exfiltrated file contents settings. When the panel opens: If applicable, use the slider to identify whether the organization inherits these settings from its parent organization. This slider configures the organization to take on the security settings of the organization defaults (for top-level or system-wide organizations) or its parent organization. When enabled, settings must be edited at the top-level organization default or parent organization level. This slider is not available for the top-level organization. Update the settings. Click Save.

Item

Description

a

Collect file metadata

Identifies the vectors Code42 monitors on endpoints for possible file exfiltration. You can enable or disable:

Removable media
Scanning all removable media (such as USB drives or SD cards) for file metadata.
Cloud sync applications
Detection of files that are synced to cloud storage using these apps installed on the endpoint:
- Box
- Box Drive (Mac only)
- Dropbox
- Google Drive for Desktop (requires Code42 agent version 1.4.0 or later)
- iCloud
- OneDrive
  Code42 watches a personal OneDrive account and up to two OneDrive for Business accounts on each device
Browser and other application activity
Detection of files accessed by web browsers and other applications (for example, uploading attachments to web-based email or downloading files via FTP).
This may also include other instances of apps accessing a file, such as opening a local file to view it in a web browser without actually uploading it.

Code42 requires macOS permissions to detect file upload destinations
If you enable Browser and other Application Activity detection, you must take action to grant Code42 permission on Mac devices to detect the window title and URL active at the time a file is uploaded. For details, follow the steps in macOS permissions for the insider risk agent.
Printers
Detects files sent to printers and captures an image of the printed file.
All Mac and Linux agents are supported. Windows has early access support for devices with insider risk agent version 1.8.0 and later.

By default, Code42 automatically collects the metadata from files involved in exfiltration activity for the vectors you select.

All file activity
Monitor all endpoint file activity.
(Available as an add-on for some product plans)

b

Collect exfiltrated file contents

Identifies whether Code42 collects the contents of the file itself when that file is involved in possible exfiltration activity.

Enabled: Contents of files involved in exfiltration activity are collected and accessible in the file event details. File contents are retained for the Event data retention period specified in your product plan.
Disabled: Contents of files involved in exfiltration activity are not collected. Disabling this setting can help meet compliance requirements by not collecting file contents in organizations where users handle especially sensitive information. However, even when exfiltrated file contents are not collected, file metadata is still captured for all exfiltration vectors enabled above.

c

Edit

Click to update the Collect file metadata or Collect exfiltrated file contents settings.

When the panel opens:

If applicable, use the slider to identify whether the organization inherits these settings from its parent organization.
This slider configures the organization to take on the security settings of the organization defaults (for top-level or system-wide organizations) or its parent organization. When enabled, settings must be edited at the top-level organization default or parent organization level. This slider is not available for the top-level organization.
Update the settings.
Click Save.

Overview

Endpoint Data Collection settings

Related topics