Overview
This tutorial explains how to enable endpoint monitoring and file metadata collection to capture user file activity so you can start using Incydr to detect and respond to insider risks.
- Endpoint monitoring captures file activity anywhere on a user's device, not just within the user's backup file selection, including activity on removable media, in cloud sync folders, and uploads via web browsers and other applications.
- File metadata collection captures all file activity on a device, which enables you to search file metadata to gain a clearer understanding of file activity throughout the organization.
This article does not apply to the Incydr Professional, Enterprise, and Horizon product plans. For these plans, see the Endpoint data collection reference guide.
Considerations
To enable endpoint monitoring and file metadata collection:
Steps
Step 1: Lock archive encryption key settings
Endpoint monitoring and file metadata collection require standard archive encryption. Before enabling these settings, lock the Archive Encryption Key setting to prevent users or administrators from changing it later.
Disabled inheritance
If you disable inheritance for an organization, that organization is not affected by changes to its parent organization.
- Sign in to the Code42 console.
- Go to Administration > Environment > Organizations.
- Select an organization.
- From the action menu, select Device Backup Defaults.
- In the General section, deselect Use device defaults from parent.
- Select the Security tab.
- In the Archive Encryption Key section:
- Deselect Use default archive encryption key setting.
- Verify that Standard is selected.
- Click the Lock icon to prevent users from changing this setting.
- Review the confirmation message and click OK.
- Click Save.
Step 2: Enable endpoint monitoring and file metadata collection
Start with a test organization
Enable these settings in a small, test organization first. This helps ensure that user devices and activity monitoring and reporting are performing as expected. Once you see the desired results with a small number of users, then enable endpoint monitoring and file metadata collection for additional organizations.
If your Code42 environment contains more than 5,000 users, contact your Customer Success Manager (CSM) for assistance creating a deployment strategy.
- Sign in to the Code42 console as a user with either the Cross Org Admin or Org Admin role.
- Select Administration > Environment > Organizations.
- Select an organization.
- From the action menu, select Edit.
- Select Endpoint Monitoring.
- Deselect Inherit settings from parent, if necessary.
- Select Enable endpoint monitoring.
- Select all detection types. For more details, see Endpoint Monitoring settings reference.
- Removable media: Monitors file activity on removable media, such as USB drives or SD cards.
- Cloud Sync Applications: Monitors file activity in folders on the device used for syncing with cloud services.
- Browser and other Application Activity: Identifies files opened in apps commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl.
Code42 requires macOS permissions to detect file upload destinations
If you enable Browser and other Application Activity detection, you must grant Code42 permission on Mac devices to detect the window title and URL active at the time a file is uploaded. For details, follow the steps in Grant Code42 permissions to macOS devices.
- Printers: Identifies files sent to printers. Mac and Linux only.
- File Metadata Collection: Provides visibility into all file activity by collecting detailed metadata for all files on user devices, and in supported cloud services and email providers.
- Click Save to immediately apply your changes to all devices in this organization and all of its inheriting child organizations.
Within five minutes, devices start scanning files and sending file metadata to Code42. File events typically start appearing in Forensic Search and Alerts within 15 minutes, while file events may take up to an hour to start appearing in the Risk Exposure dashboard and User Profiles. For more details, see Initial file metadata collection scan FAQs.
Incydr displays data for users in all organizations
Visibility of activity captured by Incydr is not limited by your Code42 organization hierarchy. Code42 organizations only control endpoint settings related to file preservation (backup), agent deployment, and identity management. Users with roles that allow access to Incydr features (such as the Risk Exposure dashboard, Alerts, and Forensic Search) can view insider risk data for users in all organizations.

Next steps
Review file activity
Code42 Incydr provides a variety of tools to review file activity, including dashboards, user profiles, alerts, detection lists, and advanced ad-hoc search capabilities. For more details about these tools, see our guides for capturing and reviewing suspicious activity.
Add cloud and email data connections (optional)
If your product plan includes additional cloud or email data sources (for example, Google Drive, Microsoft OneDrive, Gmail, or Microsoft Office 365 email), you must authorize Code42 to access this data. For instructions, see Introduction to adding data connections.
Advanced configuration steps
Advanced settings
The steps below are optional configuration settings and are not required to start capturing file activity. Configure them only if you want to override the Code42 defaults.
Enable automatic file scan for removable media
By default, endpoint monitoring does not automatically perform a file scan when a removable drive is detected. This prevents the collection of data on removable media that you may not want to monitor. However, you can enable this automatic file scanning if desired.
- Call the Code42 API with the following curl command:
curl -i -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer <auth_token>' -d '{"packets": [{"key": "org-securityTools-device-detection-scan-enable","value": "true","locked": true}]}' https://<request_url>/api/v1/OrgSettings/<orgId>
Setting "locked" to true locks this setting so that it cannot be overridden at the user level.
Replace the following entries with the values for your Code42 environment (do not include the brackets in your request):
- <request_url>: the address of your Code42 environment.
- <orgId>: the numeric ID of the organization you want to update. To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
- <auth_token>: an authentication token.
- To verify that scanning is enabled, use the following curl command to get all the settings for the organization:
curl -i -X GET -H 'Authorization: Bearer <auth_token>' https://<request_url>/api/v1/OrgSettings/<OrgID>
- Search the output for the "org-securityTools-device-detection-scan-enable" key to verify that its value is set to "true".
Exclude paths from monitoring
You can exclude paths of personal cloud services and removable media if you do not want to monitor them. This can reduce both the amount of unwanted monitoring data and the processing load on user devices.
If File Metadata Collection is enabled, exclusions for paths of cloud services do not apply. To exclude paths from File Metadata Collection, see File Metadata Collection exclusions instead.
Updates overwrite existing values
The Code42 API does not add to existing values: a PUT replaces the entire value of the setting. Before adding new exclusions, first obtain the list of any existing exclusions, then re-submit that list together with your new additions. Anything you leave out of the PUT is dropped.
View existing exclusions
Use the GET method to view existing exclusions. The OrgSettings resource also contains keys for numerous other Code42 settings. Therefore, to view only the monitoring exclusions, include the org_securityTools_detection_monitoring_exclusions key as a query parameter.
The example below assumes basic familiarity with curl commands. Use this as a template to create a command specific to your Code42 environment:
curl -X GET \
  '<request_url>/api/v1/OrgSettings/<OrgID>?keys=org_securityTools_detection_monitoring_exclusions' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'Authorization: Bearer <auth_token>'
- Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
- Replace <OrgID> with the numeric ID of the organization you want to update (do not include the brackets in your request). To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
- Replace <auth_token> with an authentication token. Because the token is sent in the Authorization header, curl does not prompt for a password.
- Execute the curl command in your command-line tool of choice.
The Code42 API returns the existing exclusions. If no exclusions exist yet, the data object in the response is empty.
Update or add exclusions
- Call the Code42 API with the following curl command:
curl -i -X PUT -H 'Content-Type: application/json' -H 'Authorization: Bearer <auth_token>' -d '{"packets":[{"key":"org_securityTools_detection_monitoring_exclusions","value":"{\"windows\":[\"<regEx1>\",\"<regEx2>\"],\"macintosh\":[\"<regEx1>\",\"<regEx2>\"]}","locked":true}]}' <request_url>/api/v1/OrgSettings/<orgId>
The value is itself a JSON string, so the inner quotes must be escaped as shown, and the list for each platform replaces whatever was previously set.
Setting the "locked" value to "true" locks this setting so that it cannot be overridden at the user level. If you do not want to use this setting for certain users, you may move the users to a separate child organization with its own setting.
Replace the following entries with the values of your Code42 cloud instance (do not include the brackets in your request):
- <request_url>: the address of your Code42 environment.
- <orgId>: the numeric ID of the organization you want to update.
- <auth_token>: an authentication token.
- <regEx1>, <regEx2>: regular expressions matching the paths to exclude, listed separately for Windows and macOS devices.
- To verify that exclusions are set, use the following curl command:
curl -i -X GET -H 'Authorization: Bearer <auth_token>' 'https://<request_url>/api/v1/OrgSettings/<OrgID>?keys=org_securityTools_detection_monitoring_exclusions'
- Verify the output values are set to the desired paths to exclude from monitoring.
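The read-modify-write that the exclusions procedure above requires, written out as an added Python example rather than curl; this is not Code42's own code. It assumes that the OrgSettings GET response has the form {"data": [{"key": ..., "value": ..., "locked": ...}]}, mirroring the PUT packets shown on this page (the page only states that data is empty when the setting was never defined, so confirm the shape against a real response before relying on it). The org ID and the regexes are constructed sample values, and the HTTP transport is injected so the logic runs offline; build_packet_body and make_transport are equally usable for the scan-enable keys in the other advanced steps, whose values are the strings "true" and "false".

```python
"""Read-modify-write of the Code42 monitoring-exclusions OrgSettings key.

Added example, not Code42's own code. ASSUMPTION: a GET on OrgSettings returns
{"data": [{"key": ..., "value": ..., "locked": ...}]}, mirroring the PUT
"packets" shape on this page; the page only says `data` is empty when the
setting was never defined. Check against a real response before relying on it.
"""
import json
import urllib.request
from typing import Dict, List

EXCLUSIONS_KEY = "org_securityTools_detection_monitoring_exclusions"
PLATFORMS = ("windows", "macintosh")


def find_packet(get_response: dict, key: str) -> dict:
    """Return the packet for `key` from a GET response, or {} when it is not set."""
    data = get_response.get("data") or []      # missing, {} or [] all mean "not set"
    if isinstance(data, dict):
        data = [data]
    return next((p for p in data if p.get("key") == key), {})


def parse_exclusions(get_response: dict) -> Dict[str, List[str]]:
    """Decode the double-encoded value: `value` is a JSON *string* that itself
    holds {"windows": [regex, ...], "macintosh": [regex, ...]}."""
    packet = find_packet(get_response, EXCLUSIONS_KEY)
    inner = json.loads(packet["value"]) if packet.get("value") else {}
    return {p: list(inner.get(p, [])) for p in PLATFORMS}


def merge_exclusions(existing: Dict[str, List[str]],
                     additions: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Union per platform, keeping order and dropping duplicates. This is the
    step the page warns about: a PUT replaces the whole value, so anything not
    re-submitted is silently dropped."""
    merged = {}
    for p in PLATFORMS:
        kept = list(existing.get(p, []))
        for rx in additions.get(p, []):
            if rx not in kept:
                kept.append(rx)
        merged[p] = kept
    return merged


def build_packet_body(key: str, value: str, locked: bool = True) -> dict:
    """Body for PUT /api/v1/OrgSettings/<orgId>. `value` is always a string
    (the scan-enable keys take "true"/"false"); `locked` is a real boolean."""
    return {"packets": [{"key": key, "value": value, "locked": locked}]}


def update_exclusions(org_id: int, additions: Dict[str, List[str]],
                      http_get, http_put) -> Dict[str, List[str]]:
    """GET current value, merge, PUT the merged value, GET again to verify.
    http_get(path) -> dict and http_put(path, body) are injected callables."""
    path = f"/api/v1/OrgSettings/{org_id}"
    query = f"{path}?keys={EXCLUSIONS_KEY}"
    merged = merge_exclusions(parse_exclusions(http_get(query)), additions)
    http_put(path, build_packet_body(EXCLUSIONS_KEY, json.dumps(merged)))
    if parse_exclusions(http_get(query)) != merged:
        raise RuntimeError("exclusions did not round-trip; check the response shape")
    return merged


def make_transport(base_url: str, token: str):
    """Real transport over the standard library (not exercised by the demo).
    base_url is your console address, i.e. https://<request_url>."""
    def call(method: str, path: str, body: dict = None) -> dict:
        req = urllib.request.Request(
            base_url + path, method=method,
            data=json.dumps(body).encode() if body is not None else None,
            headers={"Authorization": f"Bearer {token}",
                     "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            raw = resp.read()
        return json.loads(raw) if raw else {}
    return (lambda p: call("GET", p)), (lambda p, b: call("PUT", p, b))


class FakeOrgSettings:
    """In-memory stand-in for the API, pre-loaded with one constructed Windows
    exclusion so the merge has something it must preserve."""
    def __init__(self):
        self.store = {EXCLUSIONS_KEY: json.dumps(
            {"windows": [r".*\\OneDrive\\.*"], "macintosh": []})}

    def get(self, path: str) -> dict:
        wanted = path.split("keys=")[1] if "keys=" in path else None
        return {"data": [{"key": k, "value": v, "locked": True}
                         for k, v in self.store.items() if wanted in (None, k)]}

    def put(self, path: str, body: dict) -> None:
        for packet in body["packets"]:
            self.store[packet["key"]] = packet["value"]


if __name__ == "__main__":
    api = FakeOrgSettings()   # swap for make_transport(url, token) to run for real
    print(json.dumps(update_exclusions(
        12345,                                                  # constructed org ID
        {"windows": [r".*\\Dropbox\\.*"], "macintosh": [r".*/Google Drive/.*"]},
        api.get, api.put), indent=2))
```

The round-trip check after the PUT is deliberate: if the response shape differs from the assumption, parse_exclusions returns empty lists and the function fails loudly instead of reporting success after having wiped the existing list.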
Enable automatic file scanning of all cloud folder contents
Cloud folder sync activity is always monitored
Code42 offers two different types of cloud folder monitoring:
- File activity: Monitors activity in cloud sync folders (for example, moving new files into the Dropbox folder). This monitoring is on when the Cloud Sync Applications detection type is enabled and is not affected by the steps below.
- File contents: Scans all file contents in cloud sync folders. Scan results provide a snapshot of all files in the folder at the time of the scan, and are only visible via the CSV export and the Code42 Insider Threat App for Splunk. Scan results are not reported in the User Activity or Forensic Search sections of the Code42 console. Follow the steps below to enable file content scanning.
Scanning all contents of cloud folders is off by default. Because some cloud services provide on-demand file streaming, user devices may contain a shortcut file for every file the user has access to throughout the organization. The scan is therefore disabled by default to reduce both the amount of unwanted monitoring data and the processing load on user devices. You can enable the cloud folder contents scan with the steps below.
Update the setting
The steps below assume basic familiarity with curl commands. Use the following example as a template to create a command specific to your Code42 environment:
curl -X PUT \
  '<request_url>/api/v1/OrgSettings/<OrgID>' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'Authorization: Bearer <auth_token>' \
  -d '{
    "packets": [
      {
        "key": "org-securityTools-cloud-detection-scan-enable",
        "value": "true",
        "locked": true
      }
    ]
  }'
- Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
- Replace <OrgID> with the numeric organization ID (do not include the brackets in your request). To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
- Replace <auth_token> with an authentication token.
- Set the value parameter to true to enable cloud folder contents scanning, or to false to disable it.
- Execute the curl command in your command-line tool of choice.
Confirm the setting
Use the GET method to view the current value of the setting. The OrgSettings resource also contains keys for numerous other Code42 settings. Therefore, to view only your customizations, include the org-securityTools-cloud-detection-scan-enable key as a query parameter.
The example below assumes basic familiarity with curl commands. Use this as a template to create a command specific to your Code42 environment:
curl -X GET \
  '<request_url>/api/v1/OrgSettings/<OrgID>?keys=org-securityTools-cloud-detection-scan-enable' \
  -H 'cache-control: no-cache' \
  -H 'content-type: application/json' \
  -H 'Authorization: Bearer <auth_token>'
- Replace <request_url> with the address of your Code42 environment (do not include the brackets in your request).
- Replace <OrgID> with the numeric organization ID (do not include the brackets in your request). To find this ID, export a CSV file containing the organization's data and locate the orgId value in the exported file.
- Replace <auth_token> with an authentication token.
- Execute the curl command in your command-line tool of choice.
The Code42 API returns details about the setting and includes either the key pair "value":"true" (enabled) or "value":"false" (disabled). If the setting has not been defined yet, the data parameter in the response is empty.