Code42 cloud release notes

Features

Enhancements and updates

June 29, 2022

• The Risk Exposure dashboard, Watchlists, User Profile, and All Users list now include the option to view the past 3 days of data (in addition to the existing time filters of 24 hours, 7 days, 30 days, and 90 days). 

June 28, 2022

• File event details now include 100s of individual source and destination values in over 35 different categories. These new destination and source category labels help you better identify risk by greatly reducing the number of file events listed as Uncategorized.

June 27, 2022

• The User Profile now shows the current and past cases associated with a user.

June 22, 2022

• Performance and stability improvements.
• Security updates.
• Removed support for Windows 10 version 2004 and Windows 10 version 1909. Devices using these versions will no longer upgrade to newer versions of the Code42 app.

June 21, 2022

• The Destination account name and Destination account type fields are now displayed in the file event details and are available as filters in Forensic Search. For cloud sync apps installed on user devices, these fields can help you better identify risk by indicating if the activity occurred in your corporate cloud account, or in a personal account you don't control.
• The v2/file-events API added new fields:
  • event.inserted: Indicates the date and time the event was received for indexing by Code42. This may differ slightly from the existing @timestamp field, which indicates the date and time the event was initially observed.
  • destination.domains: The domain section of the URLs reported in destination.tabs.url. 
  • source.domains: The domain section of the URLs reported in source.tabs.url. (Note: Although similar in name, this field has no relation to source.domain, which reports the FQDN or IP address of the user’s device.)

June 13, 2022

• File event details now display the Event ID and include a clickable icon to copy a link to these event details to your clipboard. This link enables you to easily share specific events with others (who have the required permissions to access Forensic Search), or to save the URL for your own future reference.

June 8, 2022

• Added event types to the Audit Log to record changes to watchlists:  
  • Department added to watchlist definition
  • Department removed from watchlist definition
  • Excluded users added to watchlist definition
  • Excluded users removed from watchlist definition
  • Groups added to watchlist definition
  • Groups removed from watchlist definition
  • Included users added to watchlist definition
  • Included users removed from watchlist definition

June 6, 2022

• In the Forensic Search CSV export, the column headings Email DLP Subject, Email DLP Recipients, Email DLP Sender, and Email DLP From changed to Email Subject, Email Recipients, Email Sender, and Email From. (DLP integration was deprecated in September, 2021.) If you use customized scripts to parse this CSV export, you may need to update them to account for the new column names.

Bug fixes

June 22, 2022

• Fixed an issue where the Windows Code42 app did not upgrade to the newest version in some Amazon WorkSpaces instances.
• Fixed a rare issue where searching from the Restore files screen in the Code42 app did not return any results. 

June 16, 2022

• Fixed an issue introduced to Forensic Search results on June 13th where the Source name and Destination name fields did not display the device's hostname as expected.  

Features

Enhancements and updates

May 25, 2022

• The Code42 console sign-in screen and navigation menu are updated to feature the Code42 Incydr logo.  
• A new Vectors for untrusted activity panel has been added to the Insider Risk Trends dashboard. This panel shows the vectors by which the most untrusted activity commonly occurs, organized by destination type. When combined with the other panels on the dashboard, this information can help fine-tune your trusted activity settings to better identify risky activity.

May 20, 2022

Added a new version (v2) of File Events APIs and deprecated the previous version (v1). For details, see the Code42 API release notes. 

May 19, 2022

• The Destination risk indicator activity over time and the File categories graphs on the Risk Exposure dashboard and User Profile now show file activity by the destination and file risk indicators. Previously, the activity was grouped into broader destination and file categories. Increase the risk score of destinations or files you're most concerned about to ensure those events are prioritized and more visible on the dashboards and User Profile.
• Added event types to the Audit Log to record changes to account names in trusted activity:  
  • Account name added
  • Account name changed
  • Account name deleted
• Added support for watchlists in the Code42 command line interface.   

May 18, 2022

• Changed the expiration period for deployment secrets from six months to one year.  
• Added the ability to grant API client write access to the Org endpoint. Write access enables the API client to perform actions such as blocking, unblocking, deactivating, and reactivating an organization. 
• In the Code42 API, removed the email_promo parameter from the User endpoint, as it was no longer in use.  
• Deprecated outdated APIs to improve security and enforce the principle of least privilege. If you have Code42 API scripts that use the deprecated APIs, update them to use the new APIs before the end-of-life date one year from deprecation. For more information about the API deprecations, see Code42 API release notes:
  • Deprecated UserBlock, UserDeactivation, UserRole, and UserMoveProcess APIs.  
  • Deprecated Org, OrgBlock, and OrgDeactivation APIs.  

May 12, 2022

• Added support for watchlists in py42.   

May 5, 2022

• From the user activity details in the Risk Exposure dashboard, All Users list, Watchlists, and User Profile, you can now view all file event metadata without navigating away to Forensic Search. Click the  icon next to an event to quickly assess risk and even view the file contents all without leaving the context of your investigation.

May 2, 2022

• For users who sign in to the US2 cloud, updated the Code42 console sign-in screen with links to sign in to other Code42 products.  

Bug fixes

May 18, 2022

• Performance and stability improvements.
• Fixed an issue where a legal hold preservation policy with no file selection defined did not collect files as expected in some situations (though files were still available via the backup archive). Now, the preservation policy collects files according to the backup file selection of the custodian's organization if no file selection is defined.
• Fixed an issue where users with the Security Administrator role were not able to access the File Event Exclusions settings in the Code42 console as expected.
• On Macs, fixed an issue where files could not be restored to the "original location" if the source backup device and target restore device had different processor types. Now, restoring to the original location between devices with M1 and Intel processors works as expected. 
• Fixed a rare issue where attempting to restore files from the Code42 console could fail with the message "Status: Error calculating totals. Try it again."
• Fixed a rare issue where users could not sign in to the Code42 app via Shibboleth single sign-on (SSO).
• Using the Code42 API to add security event and backup exclusions for Windows devices now automatically converts backslashes (\) in file paths to forward slashes (/). This fixes an issue where some exclusions were not applied properly.
• Fixed an issue where the Off hours risk indicator was not visible in some circumstances.
• For environments using single sign-on (SSO) authentication, fixed a rare issue where the Code42 app could repeatedly open prompts in a web browser to sign in to SSO. 

Enhancements and updates

April 26, 2022

• After determining that either a user's activity in Microsoft OneDrive or a user's report export activity in Salesforce is trusted, Code42 now assumes that any file activity by that same user in the same session is also trusted. This allows you to better focus investigations on untrusted file sharing and report downloads to devices that are not monitored by Code42.

April 25, 2022

• If an exfiltrated file could not be collected, the file event details now provide a more specific reason the file is unavailable to better assist with troubleshooting. 
• Added arrow icons at the top of the event details to enable easier navigation between events.
• Renamed the Report section of the file event details Salesforce report.
• For users who sign in to the US1 cloud, updated the Code42 console sign-in screen with links to sign in to other Code42 products.  

April 8, 2022

• Added the ability to add a saved search to a file exposure input in the Code42 Insider Threat app for Splunk.  

Features

Enhancements and updates

March 31, 2022

• Improved capture and retention of file contents within Cases. File contents are now collected in more situations and are retained for the duration of the investigation for all Incydr product plans. (Previously, Incydr Basic, Advanced, and Gov F1 required the file to be included in the backup file selection, and Incydr Professional, Enterprise, Horizon, and Gov F2 retained file contents according to the data retention policy for your product plan).

March 29, 2022

• Added event types to the Audit Log to record changes to alert rules and alerts:  
  • Alert note edited
  • Alert rule created
  • Alert rule deleted
  • Alert rule disabled
  • Alert rule edited
  • Alert rule enabled
  • Alert state changed
  • All users removed from alert rule
  • Users added to alert rule
  • Users removed from alert rule
  • Watchlist removed from alert rule

March 28, 2022

• To help you focus on legitimate exfiltration events, the Code42 Salesforce data connection no longer collects information about reports exported from your environment by third-party applications and no longer displays those events in Forensic Search. The data connection continues to monitor for any reports that are downloaded from Salesforce to either corporate or personal endpoints. 

March 21, 2022

• Alerts adds corporate email destinations to the alert rule builder to notify you when files are sent as attachments to untrusted recipients. These alerts help you respond quickly when vital business data is emailed to external recipients from your organization's email service. 

March 16, 2022

• Security updates. 
• Devices using unsupported macOS 10.14 Mojave will not upgrade to newer versions of the Code42 app. 

March 4, 2022

• Starting March 31, 2022, alert notifications that are older than your product plan's retention period are removed from the Review Alerts list and are unavailable. To save any alert notifications prior to the end of the retention period, use the Code42 API to export alert notification details to an external file or your security information and event management (SIEM) tool. See th Code42 Developer's Portal for more information on the Code42 API.
• Improved additional event details for the File download event type in the Audit Log:
  • Added the File name field
  • Renamed File name in storage to File path
  • Renamed File size in archive to File size  

March 2, 2022

• Older Google Drive files that inherited the deprecated "Public on the web" sharing permission are now identified as "Public via direct link" for the File exposure changed to and Exposure type fields in Forensic Search. Google deprecated its "Public on the web" sharing permission in April 2020 to increase security, and this change makes Forensic Search's identification of sharing activity for publicly available files consistent across all cloud service vendors.

Bug fixes

March 30, 2022

• For devices backing up to new storage destinations as part of recent changes to Code42 cloud infrastructure, fixed several issues, including:
  • Backups did not complete under certain circumstances.
  • Devices with a backup alert for no recent activity could remain in an alert state even after backup activity resumed. 
• Other performance and stability improvements.
• Security updates.

March 16, 2022

• On the Administration > Environment > Devices > Backup Alerts screen, fixed an issue where clicking a column heading to sort results did not work correctly. 
• Fixed a very rare issue where moving a user to a different organization could cause backup archives in cold storage for that user to use the retention period of the original organization. Now, archives in cold storage correctly use the retention period of the user's current organization. 
• Fixed an issue affecting Incydr Basic and Advanced product plans where changes to file event exclusions were not applied until after the Code42 service or the device restarted. Now, changes to exclusions are applied immediately. 
• Fixed a rare issue where a deployment policy could redirect user devices to the wrong Code42 URL, which caused device registration to fail.
• Fixed an issue where removing permissions from an API client did not properly save the new permissions. 
• Performance and stability improvements.

Features

Enhancements and updates

February 28, 2022

• Improved detection of Microsoft Office 365 email users that have Advanced Audit turned on. This may cause more users to be monitored by the Microsoft Office 365 email data connection.  
• To support building integrations with watchlists, added Watchlists APIs and deprecated Detection Lists APIs. 

February 26, 2022

• Added event types to the Audit Log to record changes to watchlists:   
  • Risk profile end date changed
  • Risk profile start date change
  • User added to watchlist membership
  • User removed from watchlist membership
  • Watchlist created
  • Watchlist definition changed
  • Watchlist deleted
  • Watchlist name changed

February 17, 2022

• Adds operating system icons to the Devices screen (Incydr Professional, Enterprise, and Horizon product plans only).  

February 16, 2022

• A new purge.path command in the Code42 console command line interface (CLI) enables you to remove specific files and paths from a backup archive. Removals are tracked in Audit Log with the event type Path purged. 
• In the Code42 API, removed the lastLoginDate parameter from the User resource.

February 9, 2022

• In Data Connections, adding a new connection now opens a panel that slides in from the right to maximize screen use and allow for future expansion.

February 2, 2022

• Added support for the Off hours risk indicator to the Incydr Enterprise, Horizon, and Gov F2 product plans.  
• Released Code42 User Directory Sync version 1.6.4. For details, see the Code42 User Directory Sync release notes.   

Bug fixes

February 16, 2022

• Performance and stability improvements.
• Fixed an issue where the Code42 app replace device wizard could fail to transfer settings to the new device. 
• Fixed a rare issue where trying to view a user's details or get files from a legal hold in the Code42 console resulted in an error. 
• Fixed an issue where using an API client to retrieve device information resulted in an unexpected 403 error in some situations.
• File event exclusions entered into the Code42 console now only accept a backslash (\) as a Windows path separator. This fixes an issue where paths entered with a forward slash (for example, C:/) were not properly excluded. 

Features

Enhancements and updates

January 26, 2022

• Updated the Log4j library from version 2.15.0 to version 2.17.1 to further mitigate CVE-2021-45105, CVE-2021-44832, and CVE- 2021-45046.
• To improve security and enforce the principle of least privilege, Code42 announces deprecation of outdated API features. If you have Code42 API scripts that use the deprecated items, update them to use the new methods before the end-of-life date one year from deprecation. For more information about these API deprecations, see Code42 API release notes:
  • Basic authentication is deprecated for authentication of APIs in the Code42 Developer Portal, and is replaced by API clients.
  • Inconsistent Code42 API URL paths are deprecated, and are replaced by simplified paths to provide consistency across all APIs. 
  • The v3_user_token scheme is deprecated, and is replaced by the Bearer scheme. 
  • The /c42api/v3/auth/jwt  endpoint is deprecated as a method for obtaining an OAuth token, and is replaced by API clients. 
  • APIs that do not support API clients are deprecated.  

• Removed the www-authenticate header from the Code42 API. As a result, making an API call with basic authentication is no longer supported in a web browser (for example, to download a CSV file). To make API calls, use programming, or tools like Postman or cURL. Also as a result of this change, basic authentication of Code42 APIs is no longer supported in PowerShell unless you set a request header for authentication.  

January 21, 2022

• Added a Case exported event type to the Audit Log to record when case information is exported to a PDF (contains only a case summary) or CSV file (includes file metadata details for all file events in the case).
• Version 1.2.0 of the Code42 Insider Threat App for Splunk is now available. This update includes: 
  • API client authentication. To continue ingesting data, update your account configuration to use an API client.
  • Proxy support
  • Alerts filtering by risk severity 
  • File exposure filtering by risk score
  • For full release information, see the release notes in Splunkbase.  

January 12, 2022

• Browser uploads and downloads from www.office.com are now correctly categorized as cloud storage activity in OneDrive.

Bug fixes

January 27, 2022

• Fixed an issue introduced with the Code42 cloud release on January 26th where some users were temporarily unable to back up or restore files. 

January 26, 2022

• Performance and stability improvements.
• Un-offering a backup destination no longer removes legal hold archives on that destination.
• Fixed an issue where the Code42 console only displayed the first page of legal hold matters.