Organizations - Endpoint Data Collection reference

Overview

The Endpoint Data Collection settings identify the exfiltration vectors monitored for risky activity. Incydr automatically collects all metadata associated with the files involved in such activity. You can also collect the contents of those files, when available, to provide important context during investigations.

Endpoint Data Collection settings

To view an organization's endpoint data collection settings:

  1. Select Administration > Environment > Organizations.
  2. Select an organization.
  3. Click the Endpoint Data Collection tab. If there's no Endpoint Data Collection tab in your environment, select the Insider Risk tab and go to the Endpoint data collection section.

Incydr displays data for users in all organizations
Visibility of activity captured by Incydr is not limited by your Code42 organization hierarchy.

Code42 organizations only control endpoint settings related to file preservation (backup), agent deployment, and identity management. Users with roles that allow access to Incydr features (such as dashboards, Alerts, and Forensic Search) can view insider risk data for users in all organizations.
Item Description
a Collect file metadata

Identifies the vectors monitored for file exfiltration. All vectors are enabled by default. If you need to disable a vector, contact our Technical Support Engineers.

Removable media

Scans all removable media (such as USB drives or SD cards) for file metadata.

Cloud sync applications

Detection of files that are synced to cloud storage using these apps installed on the endpoint:

  • Box
  • Box Drive (Mac only)
  • Dropbox
  • Google Drive for Desktop (requires Code42 agent version 1.4.0 or later)
  • iCloud
  • OneDrive
    Code42 watches a personal OneDrive account and up to two OneDrive for Business accounts on each device.

Browser and other application activity

  • Detection of files accessed by web browsers and other applications (for example, uploading attachments to web-based email or downloading files via FTP).
  • This may also include other instances of apps accessing a file, such as opening a local file to view it in a web browser without actually uploading it.

Code42 requires macOS permissions to detect file upload destinations 
To detect browser and other application activity, you must grant Code42 permission on Mac devices to detect the window title and URL active at the time a file is uploaded. For details, follow the steps in macOS permissions for the insider risk agent.

Printers

  • Detects files sent to printers and captures an image of the printed file.
  • All Mac and Linux agents are supported. Windows has early access support for devices with insider risk agent version 1.8.0 and later.
b Collect exfiltrated file contents

Identifies whether Code42 collects the contents of the file itself when that file is involved in possible exfiltration activity.

  • Enabled: Contents of files involved in exfiltration activity are collected and accessible in the file event details. File contents are retained for the Event data retention period specified in your product plan.
    To use content inspection, Collect exfiltrated file contents must be enabled.
  • Disabled: Contents of files involved in exfiltration activity are not collected. Disabling this setting can help meet compliance requirements by not collecting file contents in organizations where users handle especially sensitive information. However, even when exfiltrated file contents are not collected, file metadata is still captured for all exfiltration vectors enabled above.
c Edit

Click to update the Collect exfiltrated file contents settings.

When the panel opens:

  1. If applicable, use the slider to identify whether the organization inherits these settings from its parent organization.
    This slider configures the organization to take on the security settings of the organization defaults (for top-level or system-wide organizations) or its parent organization. When enabled, settings must be edited at the top-level organization default or parent organization level. This slider is not available for the top-level organization.
  2. Update the setting.
  3. Click Save.