Skip to main content

Instructor, no.

Incydr Professional, Enterprise, Horizon, and Gov F2, yes.

Incydr Basic, Advanced, and Gov F1, yes.

Code42 Support

Organizations - Endpoint Data Collection reference


Use the Endpoint Data Collection tab on the organization details screen to identify the exfiltration vectors you want to monitor for risky activity. Code42 automatically collects all metadata associated with the files involved in such activity. You can also collect the contents of those files, when available, to provide important context during investigations.

For Incydr Basic, Advanced, and Gov F1, this tab is labeled Insider Risk

Endpoint Data Collection settings

To view an organization's endpoint data collection settings:

  1. Select Administration > Environment > Organizations.
  2. From the Organizations table, click the organization you want to view.
  3. Click the Endpoint Data Collection tab.
    Organization details with annotations
Incydr displays data for users in all organizations
Visibility of activity captured by Incydr is not limited by your Code42 organization hierarchy.

Code42 organizations only control endpoint settings related to file preservation (backup), agent deployment, and identity management. Users with roles that allow access to Incydr features (such as the Risk Exposure dashboard, Alerts, and Forensic Search) can view insider risk data for users in all organizations.
Item Description
a Collect file metadata

Identifies the vectors Code42 monitors on endpoints for possible file exfiltration. You can enable or disable:

  • Removable media
    Scanning all removable media (such as USB drives or SD cards) for file metadata.
  • Cloud sync applications
    Detection of files that are synced to cloud storage using these apps installed on the endpoint:

    • Box
    • Box Drive (Mac only)
    • Dropbox
    • Google Drive for Desktop (requires Code42 agent version 1.4.0 or later)
    • iCloud
    • OneDrive
      Code42 watches a personal OneDrive account and up to two OneDrive for Business accounts on each device
  • Browser and other application activity
    Detection of files accessed by web browsers and other applications (for example, uploading attachments to web-based email or downloading files via FTP).

    This may also include other instances of apps accessing a file, such as opening a local file to view it in a web browser without actually uploading it.

    Code42 requires macOS permissions to detect file upload destinations 
    If you enable Browser and other Application Activity detection, you must take action to grant Code42 permission on Mac devices to detect the window title and URL active at the time a file is uploaded. For details, follow the steps in macOS permissions for the insider risk agent.


  • Printers
    Detects files sent to printers and captures an image of the printed file.
    All Mac and Linux agents are supported. Windows has early access support for devices with insider risk agent version 1.8.0 and later.

By default, Code42 automatically collects the metadata from files involved in exfiltration activity for the vectors you select.

  • All file activity
    Monitor all endpoint file activity. 
    (Available as an add-on for some product plans)
b Collect exfiltrated file contents

Identifies whether Code42 collects the contents of the file itself when that file is involved in possible exfiltration activity.

  • Enabled: Contents of files involved in exfiltration activity are collected and accessible in the file event details. File contents are retained for the Event data retention period specified in your product plan.
  • Disabled: Contents of files involved in exfiltration activity are not collected. Disabling this setting can help meet compliance requirements by not collecting file contents in organizations where users handle especially sensitive information. However, even when exfiltrated file contents are not collected, file metadata is still captured for all exfiltration vectors enabled above.
c Edit Edit settings

Click to update the Collect file metadata or Collect exfiltrated file contents settings.


When the panel opens:

  1. If applicable, use the slider to identify whether the organization inherits these settings from its parent organization.
    This slider configures the organization to take on the security settings of the organization defaults (for top-level or system-wide organizations) or its parent organization. When enabled, settings must be edited at the top-level organization default or parent organization level. This slider is not available for the top-level organization.
  2.  Update the settings.
  3. Click Save.


  • Was this article helpful?