File event metadata reference

Overview

This article provides detailed descriptions of all file event metadata captured by Incydr. File event metadata appears in many places, including Forensic Search, Cases, Alerts, and the Code42 API.

File event metadata provides detailed visibility about insider risks caused by files:

  • Stored on user devices
  • Stored in corporate cloud storage services, such as Google Drive and Microsoft OneDrive
  • Synced to personal cloud storage services, such as Box, Dropbox, iCloud, and OneDrive
  • Uploaded via web browsers
  • Moved to removable media
  • Sent as email attachments in Microsoft Office 365 and Gmail
  • Sent to printers
Investigate before responding
Incydr identifies potential risks, and file event metadata is just one piece of information that contributes to an investigation. Use data from Incydr as a starting point to determine if the activity is a legitimate threat.

Considerations

  • Available file event metadata varies based on which detection types and data connections are enabled in your Code42 environment.
  • No single file event contains data for all categories and all fields listed below. The metadata applicable to each event varies based on the specifics of the file activity.
  • Some fields use different labels in the Code42 console, the Forensic Search CSV export, and the Code42 API JSON output. See the field name mapping section below for more details.
  • File event metadata appears throughout Incydr, but the images below show examples from Forensic Search.

File event metadata

File event metadata is grouped by category. The sections below provide details about the individual fields in each of these categories:

  • Risk
  • Response controls
  • Event
  • User
  • File
  • Source
  • Git
  • Destination
  • Process
  • Report

Forensic Search results with expanded file event details

Risk

The Risk section displays the overall risk severity for the event, the PRISM score, and all associated risk indicators. To learn more about risk indicators and how the PRISM score is calculated, see Risk settings reference.

Forensic Search results - risk details

 

Item Description
Risk severity

The file event's overall risk severity, based on the following scoring ranges:

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated
PRISM score

The PRISM score is based on the sum of all risk indicators applied to an event. A higher score denotes higher risk severity. 

There is a limit to how much each risk indicator type (File, Source, Destination, and User) contributes to the PRISM score. This helps prevent a single risk indicator from having a disproportionate effect on the event's severity. In addition, the total PRISM score is limited to 10.

As a result of these limits, the PRISM score may be lower than the sum of all individual risk indicators.

Scoring limits started July 18, 2024
Limits did not apply to file activity before July 18, 2024, so older events may have higher scores.
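The capping rules above are easy to misread when an event's indicator weights add up to more than its PRISM score. The following Python reproduces the arithmetic as an added example; it is not Code42's scoring code. The severity bands are taken from the table above, but the per-type contribution limits are not published on this page, so the cap values and the sample indicator weights are assumptions for illustration only.

```python
"""Recompute a PRISM score and risk severity from an event's risk indicators."""
from datetime import date

# Severity bands from the Risk severity table above.
SEVERITY_BANDS = ((9, "Critical"), (7, "High"), (4, "Moderate"), (1, "Low"))

# The per-type contribution limits are not published on this page. These cap
# values are an ASSUMPTION for illustration; read the real ones from Risk settings.
ASSUMED_TYPE_CAPS = {"File": 5, "Source": 5, "Destination": 5, "User": 5}
TOTAL_CAP = 10
CAP_START_DATE = date(2024, 7, 18)  # limits apply to activity on or after this date


def prism_score(indicators, observed, type_caps=ASSUMED_TYPE_CAPS):
    """Return (score, raw_sum) for a list of (name, indicator_type, weight) tuples.

    observed is a datetime.date or an ISO date string. raw_sum is the plain sum
    of indicator weights; score applies the per-type caps and the total cap of
    10 for events observed on or after CAP_START_DATE, and equals raw_sum for
    older events, which is why old events can show scores above 10.
    """
    if isinstance(observed, str):
        observed = date.fromisoformat(observed)
    raw_sum = sum(weight for _, _, weight in indicators)
    if observed < CAP_START_DATE:
        return raw_sum, raw_sum
    per_type = {}
    for _, indicator_type, weight in indicators:
        per_type[indicator_type] = per_type.get(indicator_type, 0) + weight
    capped = sum(min(total, type_caps.get(kind, TOTAL_CAP))
                 for kind, total in per_type.items())
    return min(capped, TOTAL_CAP), raw_sum


def severity(score):
    """Map a PRISM score to the severity label shown in Forensic Search."""
    for floor, label in SEVERITY_BANDS:
        if score >= floor:
            return label
    return "No risk indicated"


# Constructed example. Names and weights are illustrative, not Incydr's actual weights.
SAMPLE_INDICATORS = [
    ("Source code", "File", 5),
    ("Spreadsheet", "File", 3),
    ("Remote", "User", 2),
    ("Personal cloud storage", "Destination", 6),
]

if __name__ == "__main__":
    for observed in ("2024-08-01", "2024-01-01"):
        score, raw = prism_score(SAMPLE_INDICATORS, observed)
        print(f"{observed}: raw sum {raw}, PRISM score {score}, severity {severity(score)}")
```

With the assumed caps the two File indicators (5 + 3) are held to 5 and the Destination indicator (6) to 5, so the capped sum is 12, which the total cap reduces to 10: Critical. The same indicators on an event observed before July 18, 2024 keep the raw sum of 16.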
Risk indicators

List of risks that determine the overall severity and PRISM score for this event. For a list of all risk indicators, sign in to the Code42 console and select Risk settings.

Trusted activity

Indicates if this is activity you trust, as defined by your Data Preferences and any cloud data connections configured for monitoring by Incydr. (The Forensic Search filter shows the options Include and Exclude, and the file event details display the values True and False.)

  • Include / True: The activity occurred in a location on your list of trusted activity or was observed in a corporate cloud data service monitored by Incydr. Trusted activity may also include an additional explanation of why the event is trusted. For example: True - Trusted browser URL.
  • Exclude / False: The activity occurred in a location not on your list of trusted activity or was not observed in a corporate cloud data service monitored by Incydr.

Untrusted values

Lists values that do not match an entry in your list of Trusted activity. Depending on the details of the event, one or more of the following may appear:

  • Untrusted account names
  • Untrusted domains
  • Untrusted Git repository URIs
  • Untrusted Slack workspaces
  • Untrusted URL paths

Values are obtained from related metadata for the event. 

Click the Add trust (shield) icon to quickly add the value to your list of trusted activity.

Only applies to event types that are evaluated for trust.

Response controls

Forensic Search results - response controls details

The Response controls section displays event details for users on a watchlist with preventative controls enabled.

Item Description
Preventative control

Indicates if the file activity was allowed or blocked:

  • Allowed as trusted activity: The file upload or paste was allowed because the destination is on your list of trusted activity.
  • Temporarily allowed by user: The file upload or paste was allowed because the user confirmed they trust the destination. 
  • Blocked: The file upload or paste was not allowed.
User justification

When a user allows the activity, indicates the reason they selected:

  • For personal use
  • To collaborate with external customers or vendors
  • To complete tasks for my job
  • Other

Event

The Event section provides summary information about the event, including date observed, event type, and event source.

Forensic Search results - event details

Item Description

Date observed 

Endpoint file activity
Date and time that the Code42 service on the device detected an event for the file. The file metadata for the event is based on this detection time. The time is based on the device’s system clock and reported in Coordinated Universal Time (UTC).

File activity can be detected in two ways:

  • Real-time: Reported by the operating system as changes occur.
  • Scanner: The Code42 agent also scans the file system once every 24 hours to catch any changes the real-time file watcher missed. The scan interval cannot be configured.

Cloud file activity

Date and time that Code42 detected activity in the cloud service. This may not be the exact time the activity occurred, but should be within 5 minutes. The time is reported in Coordinated Universal Time (UTC).

Email file activity

Gmail and Microsoft Office 365¹: Date and time Code42 was notified that an email was sent with an attachment². This may not be the exact time the email was sent, but is typically within 5 minutes. The time is reported in Coordinated Universal Time (UTC).

Event ID

A unique identifier for the event. Click the menu icon (three dots) next to the Event ID at the top of the file event details and choose:

  • Copy link to event details to copy a shareable URL link for this event.
  • Copy event ID to copy the string value of the Event ID itself. Use this value to search for a specific event.
Event action 
Cloud or endpoint
  • Browser or app read: The file was opened in an app that is commonly used for uploading files, such as a web browser, Slack, AirDrop, FTP client, or curl. 
  • Created: The first event detected for this filename and file path on the device (for endpoint events) or in the cloud service (for cloud events). Created events are reported when a new file is created (endpoint) or uploaded (cloud).
  • Deleted: The filename for a previously detected file no longer exists in this file path on the device (for endpoint events) or in the cloud service (for cloud events). The metadata shown for this event is the metadata from the last Created or Modified event. Deleted file events are reported when a file is deleted from the Trash/Recycle Bin.
  • Downloaded: The file was downloaded from a web browser.
  • Emailed¹: The file was sent as an email attachment² via Gmail or Microsoft Office 365.
  • Inventoried: If you choose to Inventory monitored drives while configuring a cloud storage data connection, Incydr scans all existing files in your organization's cloud drives and creates an Inventoried event for each file. For more details, see Initial file metadata collection scan FAQs.
  • Modified
    • Endpoint events: File contents changed for a file Code42 already detected with this filename and file path on the device.
    • Cloud events: The cloud service detected a new file version. This occurs when file contents are modified.
  • Moved: The file was moved to a new location.
    • In some cases, deleting a file generates a Moved event because the file moved to the Trash/Recycle Bin. When the file is later permanently deleted, a Deleted event is generated.
    • Creating or modifying a file may generate a Moved event for some applications that create files in a temporary location on disk before saving them to the final location.
  • Pasted from clipboard to browser: Content was pasted into a web browser.
  • Printed: The file was sent to a printer.
  • Renamed: The file was renamed.
  • Shared: A file in a cloud service was shared with one or more users. Review the Share type for details on the sharing permissions.
Cloud sync
  • Created in sync folder: Same criteria as the Created event action above for endpoint events, but the event occurred in a folder that is syncing with a cloud service.
  • Deleted from sync folder: Same criteria as the Deleted event action above for endpoint events, but the event occurred in a folder that is syncing with a cloud service.
  • Modified in sync folder: Same criteria as the Modified event action above for endpoint events, but the event occurred in a folder that is syncing with a cloud service.
Git

Requires a supported product plan.

  • Git clone: The file was cloned from a Git repository. Limited to files in the most recent 1,000 commits.
  • Git fetch: The file was fetched from a Git repository.
  • Git pull: The file was pulled from a Git repository.
  • Git push: The file was pushed to a Git repository. 
Preventative controls
  • Blocked browser or app read: The file was blocked from being uploaded in the web browser.
  • Blocked paste from clipboard to browser: Clipboard content was blocked from being pasted into a web browser.
  • Blocked removable media from mounting: A removable media (USB Mass Storage) device was blocked from mounting on the user's endpoint.
Removable media file activity
  • Created on removable media: Same criteria as the Created event action above for endpoint events, but the event occurred on removable media.
  • Deleted from removable media: Same criteria as the Deleted event action above for endpoint events, but the event occurred on removable media.
  • Modified on removable media: Same criteria as the Modified event action above for endpoint events, but the event occurred on removable media.
  • Moved on removable media: Same criteria as the Moved event action above for endpoint events, but the event occurred on removable media.
  • Renamed on removable media: Same criteria as the Renamed event action above for endpoint events, but the event occurred on removable media.

Removable media volume activity

  • Ejected removable media: The user disconnected a removable media (USB Mass Storage) device from their endpoint.
  • Mounted removable media: The user connected a removable media (USB Mass Storage) device to their endpoint.
Unexpected Modified events for removable media
Due to how different operating systems record file system activity, Incydr can sometimes report unexpected Modified file events (especially for files moved to removable media). See Unexpected file events on removable media for more information on the cause of these events and how to identify previous file activity for the files involved.
Event observer 

The data source that captured the file event:

  • Endpoint: The file activity occurred on a user device.
  • Google Drive: The file activity occurred in Google Drive.
  • OneDrive: The file activity occurred in OneDrive.
  • Box: The file activity occurred in Box.
  • Gmail¹: The file was sent as an attachment² in Gmail.
  • Office 365 Email¹: The file was sent as an attachment² in Microsoft Office 365 email.
  • Salesforce: The file was downloaded as a report from Salesforce.

This field appears only if you are licensed for more than one data source.

Share type

Identifies sharing permission changes associated with the file event:

  • Anyone with the link: For most cloud storage services, the file is not listed in public search engines, but is available to anyone who accesses the link. Users do not need to be signed in to a cloud services account to see the file. (For older Google Drive files that have inherited the deprecated "Public on the web" permission, these files may be listed in public search engines and accessible to the entire World Wide Web.) The method used to share the file appears in the cloud service's user interface as follows:
    • Box: "People with the link"
    • Google Drive: "Anyone with the link" or "Public on the web" (deprecated)
    • Microsoft OneDrive: "Anyone with the link"
  • Anyone in your organization: The file is not publicly accessible, but is available to all users on your corporate domain. For Google Drive, this includes both files that users on your domain can find on their own, and files that require users to know the specific link. The method used to share the file appears in the cloud service's user interface as follows:
    • Box: "People in your company"
    • Google Drive: "Anyone at <your company> with the link"
    • Microsoft OneDrive: "People in <your company> with the link"
  • Shared with specific people: The file is shared directly with individual users. In most cases, each user a file is shared with is reported as an individual file event, so you may see multiple events for the same file if it is shared with more than one person.

Click View sharing or View and manage sharing to view a list of users the file is shared with. Code42 then requests the file's list of sharing permissions from the vendor and displays it in a new tab. If you have the Insider Risk Admin or Insider Risk Respond role, you can also revoke the file's sharing permissions on that tab to remove those users' access to the file.

¹ Requires configuration of an email data connection.
² In some cases, email signatures with attached images may generate unexpected file events.

User

The User section provides details about the user associated with the event.

Forensic Search results - user details

Item Description
Username

Indicates the user associated with the event for the following Event observer types:

  • Endpoint: The Code42 username used to sign in to the Code42 agent on the device. Code42 usernames must be email addresses.
  • Cloud: The cloud service username of the person who caused the event. In rare cases, the Username may be blank if it is not provided by the cloud service.
  • Email: The address of the person who sent the message.

If the Username matches a Code42 user, a View profile link is included. Click to review the User Profile, which highlights file activity for this user over the past 90 days that may indicate a file exfiltration risk.

Watchlist members

Returns all file events for users currently on the specified watchlist.

Search filter only. Does not appear in file event details.

User ID

Unique identifier for the user of the Code42 agent on the device.

Applies only to Endpoint events.

File

The File section provides a link to download the file, along with details such as the file's name, path, owner, and other metadata.

Forensic Search results - file event details

Item Description
Archive ID

Unique identifier for files identified as an archive, such as .zip files. This ID represents a specific exfiltration instance of the archive. If an archive is exfiltrated more than once, the Archive ID will be unique each time.

Directory ID

Unique identifier of the cloud drive or folder that contains the file. Search by this ID to find events for files within the same drive or folder.

Google Drive files that exist at the root level of the cloud drive display the value None.

Some cloud services allow users to add a file to multiple folders, so Directory ID may display a list of values.

Applies only to Cloud events.

Filename

The name of the file, including the file extension. If applicable, a link to download the file appears below the filename. To troubleshoot events where the file is unavailable, see "No file available for download" reasons.

File download risks
Incydr does not validate the contents of user-generated files. Use caution when downloading and interacting with these files.

Endpoint file activity

  • Insider risk agent: Exfiltrated files are available for download.
  • Backup agent: If the file is included in the user's Code42 backup file selection, or among files backed up by other users in your Code42 environment, the file is available for download.

You must be signed in as a user with the Security Center - Restore or Security Center - Restore - Endpoint role to download files.

Cloud file activity

Click Copy link to copy the URL to the shared file. You may be able to use this link to open the file in the respective cloud service's file viewer. Access to the file depends on the following:

  • The file must still exist in the cloud service.
  • The file's sharing permissions.
    • Generally, you can access files shared with less restrictive permissions (such as the Anyone with the link sharing type). You may need to sign in to your cloud service's user account first. For example, for Box, you must be logged into the Admin Console for the link to be valid.
    • You cannot access files shared with specific people unless you are included in that list. If you have the Security Center - Restore or Security Center - Restore - Cloud role, you can request temporary access to the file by clicking View File. Code42 then requests temporary access to view the file on your behalf from the cloud service vendor. If the request is successful, Code42 adds you to the file's sharing permissions and opens the file in a new tab. (You may need to sign in to your cloud service's user account before viewing it.) Temporary access expires after 15 minutes.

Email file activity

Click Download file to download the attached file.

Report activity

Applies to Salesforce report downloads

Displays the predicted filename based on Salesforce naming conventions.

The Filename reported by Incydr may not exactly match the filename reported by Salesforce if:

  • The user is prompted by the web browser to name the downloaded file and chooses a different name.
  • The user exports a Details Only report. Details Only reports have a default filename of "report" plus a 13-digit string. The first 10 digits are the epoch (UNIX) timestamp in seconds, and the last three digits are milliseconds. Incydr does not capture the milliseconds value, so it appends three zeros instead. For example, if the actual downloaded filename on the user's device is report1642777476321, Incydr displays report1642777476000.
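Because of the zeroed milliseconds, an exact string comparison between a filename found on the device and the Filename on the event fails. The following Python is an added example, not Code42 code, that normalizes a Details Only report name the way the text describes and recovers the timestamp embedded in it; the filename pattern is taken from the description above and the sample names are constructed.

```python
"""Match a Details Only Salesforce report filename on a device to the Filename Incydr shows."""
import re
from datetime import datetime, timezone

# "report" + 10-digit UNIX timestamp (seconds) + 3-digit milliseconds, e.g. report1642777476321
DETAILS_ONLY_RE = re.compile(r"^report(\d{10})(\d{3})$")


def parse_details_only_name(filename):
    """Return (epoch_seconds, milliseconds) for a Details Only report name, else None."""
    m = DETAILS_ONLY_RE.match(filename)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def incydr_filename(device_filename):
    """Predict the Filename shown on the event for a file found on the user's device.

    Incydr does not capture the milliseconds, so it shows '000' in their place.
    Names that do not follow the Details Only pattern are returned unchanged.
    """
    parsed = parse_details_only_name(device_filename)
    if parsed is None:
        return device_filename
    return f"report{parsed[0]}000"


def same_report(device_filename, event_filename):
    """True when a file on the device corresponds to the Filename on the file event."""
    return incydr_filename(device_filename) == event_filename


def report_time(filename):
    """UTC datetime encoded in the filename, to line up with the event's Date observed."""
    parsed = parse_details_only_name(filename)
    if parsed is None:
        return None
    seconds, millis = parsed
    return datetime.fromtimestamp(seconds, tz=timezone.utc).replace(microsecond=millis * 1000)


if __name__ == "__main__":
    # Constructed pair: the device name from the example above and the name Incydr shows.
    device_name, event_name = "report1642777476321", "report1642777476000"
    print(same_report(device_name, event_name), report_time(device_name).isoformat())
```

The recovered timestamp (2022-01-21 15:04:36 UTC for the example above) is the download time Salesforce encoded in the name, which you can compare against the event's Date observed when the user has renamed the file.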
Delete file contents
From the options menu (three dots), select Delete file contents to remove the file contents from the file event details. This enables you to prevent other users in your organization (who have permission to view file event activity) from accessing particularly sensitive files.

Limitations
  • Does not remove the file from the original location (for example, the endpoint or the cloud service).
  • Does not remove the file from Cases.
  • Does not apply to files backed up by the backup agent.
File path

The file location on the user's device.

Endpoint file events only. Cloud and email events do not include a file path.

File category

The type of file, as determined by the file extension and file contents. For example, .gif, .jpg, and .png files are categorized as Image files. For a complete list of file categories and the specific file types in each category, see Incydr file categories.
File size

Size of the file.

Not available for Google file types (for example, Google Sheets or Google Docs) or Salesforce reports downloaded to an unmonitored device.

File owner

The name of the user who owns the file, as reported by the device's file system (for endpoint events) or the cloud service (for cloud events).

For files stored in a Google Shared Drive, the File owner reports the name of the drive and appends "(Shared Drive)." For example: Product Management (Shared Drive).

MD5 hash

The MD5 hash of the file contents. If the file cannot be hashed, an error message explains why.

Not available for:

  • Google file types (for example, Google Sheets or Google Docs).
  • Files in cloud services that have not been modified since Code42's initial extraction.
  • Files over 3 GB.
  • Salesforce reports downloaded to an unmonitored device.
SHA256 hash

The SHA256 hash of the file contents. If the file cannot be hashed, an error message explains why.

Not available for:

  • Google file types (for example, Google Sheets or Google Docs).
  • Files in cloud services that have not been modified since Code42's initial extraction.
  • Files over 3 GB.
  • Salesforce reports downloaded to an unmonitored device.
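When you download a file from the event details (or pull it from a backup), the MD5 and SHA256 fields are the values to check it against, and the lists above tell you when those fields will be empty rather than wrong. The following Python is an added example, not Code42 code: it hashes a file once for both algorithms, compares against whatever the event reported, and treats a missing value as "not available" rather than as a mismatch. The sample bytes and digests are the standard test vectors for "abc", used here as a stand-in for a downloaded file.

```python
"""Verify a file downloaded from Forensic Search against the event's reported hashes."""
import hashlib
import io


def hash_stream(fileobj, chunk_size=1 << 20):
    """Compute MD5 and SHA256 hex digests in a single streaming pass."""
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    for chunk in iter(lambda: fileobj.read(chunk_size), b""):
        md5.update(chunk)
        sha256.update(chunk)
    return md5.hexdigest(), sha256.hexdigest()


def verify_download(fileobj, event_md5=None, event_sha256=None):
    """Compare the file's digests with the MD5 hash / SHA256 hash fields of the event.

    For each algorithm the result is True (matches), False (differs) or None when
    the event carried no value, which is what you see for Google file types,
    files over 3 GB, files unmodified since the initial cloud extraction, and
    Salesforce reports downloaded to an unmonitored device. The computed digests
    are returned as well so they can go into the case record.
    """
    md5, sha256 = hash_stream(fileobj)

    def compare(reported, computed):
        if not reported:
            return None
        return reported.strip().lower() == computed

    return {
        "md5": compare(event_md5, md5),
        "sha256": compare(event_sha256, sha256),
        "computed_md5": md5,
        "computed_sha256": sha256,
    }


def verify_bytes(data, event_md5=None, event_sha256=None):
    """Convenience wrapper for in-memory data (used by the constructed sample below)."""
    return verify_download(io.BytesIO(data), event_md5, event_sha256)


# Constructed sample: the bytes b"abc" and their well-known test-vector MD5,
# standing in for a downloaded file and an event that reported only an MD5 hash.
SAMPLE_DATA = b"abc"
SAMPLE_EVENT_MD5 = "900150983cd24fb0d6963f7d28e17f72"

if __name__ == "__main__":
    print(verify_bytes(SAMPLE_DATA, SAMPLE_EVENT_MD5, event_sha256=None))
```

A False on either algorithm means the bytes you hold are not the bytes the agent saw at detection time (for example, the file was modified again before the backup ran), which is worth recording before attaching the file to a case.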
File created

File creation timestamp as reported by the device's operating system or the data connection. This appears in Coordinated Universal Time (UTC).

Mac and Windows NTFS devices only.

File modified

File modification timestamp as reported by the device's operating system or the data connection.

For endpoints, this only indicates changes to file contents. Changes to file permissions, file owner, or other metadata are not reflected in this timestamp. For cloud data connections, this timestamp reflects when the file's contents, sharing permissions, name, or storage location changed. This timestamp is not supported for email data connections.

This appears in Coordinated Universal Time (UTC).

File classification
(not pictured)

File classification data, as reported by your external data classification vendor. Classification data contains two values:

  • Classification: The classification value applied to the file. For example: Confidential.
  • Vendor: The name of the vendor that classified the file. For example: Microsoft Information Protection (MIP).

A single file may have more than one classification.

If Microsoft co-authoring is enabled, Incydr cannot detect file classification data.  

File acquired from

Indicates where the file was acquired from. Click to view more details about the source, including:

  • Date observed
  • Event ID
  • Event action
  • Event observer
  • Filename¹
  • Git repository email¹
  • Git repository URI¹
  • Git repository user¹
  • MD5 hash¹
  • User name
  • Source category¹
  • Source name¹
  • Source domain¹
  • Source user
  • Source account name
  • Source account type
  • Active tab titles and URLs

If the same file was downloaded more than once, multiple sources may be listed.

¹ Available as search filters in Forensic Search. For example, use the search filter File > File acquired from: Source domain in combination with other filters (such as Risk severity or Event action) to identify potential risk for files that came from a specific domain.

Parent archive ID

For files contained within an archive (such as a .zip file), the unique identifier for that archive; searching by Parent archive ID returns events for all files contained within that archive.

Password protected

For files contained within an archive (such as a .zip file), indicates if the archive is password protected.

Source

The Source section provides details about the origin of a file. Source details vary based on the event type. For example, the Source name for an upload event indicates the hostname of the user's device, while the Source name for a download event indicates the location where the download originated (for example, "Dropbox").

Forensic Search results - source event details

Each event type displays different metadata
No single event contains values for all items in the table below. For example, the image above does not include removable media metadata, because this event occurred in a web browser, not on removable media.
Removable media metadata
Available values vary based on the device manufacturer. In some cases, one or more values may not be supplied by the manufacturer or provided by the device's operating system.

That's why we provide multiple pieces of information for removable media events. For example, if a drive does not report a serial number, you may be able to reference a combination of Capacity, Device Partition ID, and other unique fields to confirm the drive's identity during an investigation. 
Item Description
Source category

The general category of where the downloaded file originated. To view all categories, select the Source > Source category filter in Forensic Search and review the list of possible values. A few of the most common categories are listed below as examples.

  • Business tools: The file was received from a business platform.
  • Cloud Storage: The file was received from a cloud service, either via a web browser download or synced via an installed app.
  • Device: The file was received from another device via AirDrop, or the file was uploaded to a cloud service via a sync folder on a device.
  • Email: The file was downloaded from an email provider via a web browser.
  • Messaging: The file was shared via a messaging service. 
  • Social Media: The file was shared via social media. This does not necessarily mean it's posted publicly; for example, the file could have been received in a direct message on LinkedIn, etc.
  • Source Code Repository: The file was downloaded from a location typically used for storing code files.
  • Uncategorized: The source could not be matched to a specific category.
  • Unknown: Unable to determine the source. On Macs, this may indicate Code42 does not have the required permissions to collect the source details.

If the user accessed more than one tab while downloads were in progress, the source category may indicate Multiple possibilities. Review the Active tab titles and URLs (below) to identify all possible sources.

Source name

Endpoint events

The hostname of the device, as reported by the device's operating system. The hostname may be different than the device name in the Code42 console.

To search for a hostname, you must enter the complete hostname. Wildcard searches are not supported.

Download events

The specific location where the downloaded file originated. Example names for some categories are listed below, but this is not a complete list:

Source category           Example source names
Business tools            Salesforce
Cloud Storage             Dropbox, OneDrive, Box
Device                    Clyde's iPhone, Carmen's MacBook Pro
Email                     Gmail, Outlook, Comcast
Messaging                 Slack, Teams, WhatsApp
Social Media              Facebook, Twitter, Reddit
Source Code Repository    Bitbucket, Github

If the user accessed more than one tab while downloads were in progress, the source name may indicate Multiple possibilities. Review the Active tab titles and URLs (below) to identify all possible sources.

Active tab titles and URLs

The name of the browser tab or title of the application window active at the time the file is read by the browser or other app. For web browsers, the URL of the active tab may also be included. This information helps determine the source of a downloaded file.

  • For Windows devices, the tab title and URL are collected automatically. For Mac devices, administrators must first authorize the Code42 agent to capture data from web browsers.
  • URLs are only supported in Chrome, Firefox, Chromium Edge, and Opera. Tab titles are supported for all browsers.
  • If the user accessed more than one tab while downloads were in progress, all tab titles/URLs visited during the download are listed.

If the tab title or URL cannot be captured, it is listed as Unavailable and may also display one of these reasons:

  • Browser or app may require a restart due to a pending upgrade: Due to a pending update, active tab titles and URLs may not be captured until the user restarts the browser or app.
  • Permissions not set: On Macs, Code42 requires specific permissions to obtain this data.
  • Metadata not supported for this application: The event occurred in an unsupported browser.
  • Metadata not used by this application: The event occurred in an application that doesn't use tab titles or URLs.
  • Metadata not supported for custom applications: Tab titles and URLs are not collected for your customized list of monitored applications.
Domain

Fully qualified domain name (FQDN) for the user's device at the time the event is recorded. If the device cannot resolve the domain name of the host, it reports the IP address of the host.
Email from

The display name of the sender, as it appears in the "From" field in the email. In many cases, this is the same as Email sender, but it can be different if the message is sent by a server or other mail agent on behalf of someone else.

Applies only to Emailed events. Visible only with licensing for one or more email data sources. Email details do not apply to endpoint or cloud events.

Email sender

The address of the entity responsible for transmitting the message. In many cases, this is the same as Email from, but it can be different if the message is sent by a server or other mail agent on behalf of someone else.

Applies only to Emailed events. Visible only with licensing for one or more email data sources. Email details do not apply to endpoint or cloud events.

IP address (public)

The external IP address of the user's device, as seen by Code42 via the device's outbound connection to the Code42 cloud.

If the IP address is not included in your list of in-network IP addresses, the Remote risk indicator is applied.

IP address (private) 

The IP address of the user's device on your internal network. This includes:

  • Network interfaces
  • Virtual network interface controllers (VNICs)
  • Loopback/non-routable addresses (for example, 127.0.0.1)

If there is more than one active network interface, this displays a list.

Operating system

Indicates the operating system of the device associated with the file event.

Applies only to endpoint events.

Removable media bus type

The type of removable media connection. For example: USB, eSATA, Thunderbolt.

Applies only to removable media events.

Removable media capacity

The storage capacity of the removable media.
Applies only to removable media events.

Removable media vendor name

The brand name of the removable media. For example: Lexar, SanDisk, Seagate.

Applies only to removable media events.

Removable media device name

The volume name of the removable media.

Applies only to removable media events.

Removable media device media name

The media name of the device, as reported by the vendor/device. This is usually very similar to the Device Name, but can vary based on the type of device. For example, if the device is a hard drive in a USB enclosure, this may be the combination of the drive model and the enclosure model.

This value is not provided by all devices, so it may be null in some cases.

Applies only to removable media events.

Removable media device volume name

The name assigned to the volume when it was formatted, as reported by the device's operating system. This is also frequently called the "partition" name.

Applies only to removable media events.

Removable media device partition ID

A unique identifier assigned to the volume/partition when it was formatted. Windows devices refer to this as the VolumeGuid. On Mac devices, this is the Disk / Partition UUID, which appears in the output of the Terminal command diskutil info.

Applies only to removable media events.

Removable media serial number

Serial number of the connected hardware, as reported by the device's operating system.

Applies only to removable media events.

Source account name

For cloud sync apps installed on user devices, indicates the name of the account where the file activity occurred. The account name can help you better identify risk by indicating if the activity occurred in your corporate cloud account, or in a personal account you don't control.

Applies only to OneDrive and Dropbox events.

Source account type

For cloud sync apps installed on user devices, indicates the type of the account where the activity occurred.

  • Personal: A personal (non-corporate) account for an individual user. This may indicate a greater risk of file exfiltration.
  • Business: A corporate account. To configure trusted activity settings for specific business accounts, see Trusted activity > Account name.

Applies only to OneDrive and Dropbox events.

Source identifier

A key:value pair used internally by Incydr to enable specific search queries. For example, in the Source Code dashboard, clicking the link to investigate in Forensic Search may automatically populate the Source identifier to return specific results.

In most cases, you do not need to manually define values for this filter.

Source user

For cloud sync apps installed on user devices, the name of the signed-in user. This additional context can help you determine whether the file is synced with an approved cloud service.

For example, the Source user could indicate if a file synced with Google Drive is being stored in your corporate Google Workspace, or in an unsanctioned personal Google account.

  • Not available for files synced to Dropbox.
  • For OneDrive events on Macs, usernames may occasionally contain underscores in place of non-alphanumeric characters. For example, the username clyde.bailey@example.com may appear as clyde_bailey_example_com.

Validate removable media metadata

To confirm whether a physical drive is the specific volume involved in a security event, connect the removable media to any device running Code42 agent version 7.7.0 or later, then follow the steps below to capture the metadata:

  1. Open the Code42 agent. If necessary, sign in.
  2. Enter the keyboard shortcut Ctrl+Shift+C (Windows and Linux) or Option+Command+C (Mac).
    The Code42 Commands window appears.
  3. Enter the command: removable.media.info to output a .txt file to the Desktop. Optionally, add a filepath to save to a different location (for example, removable.media.info C:\Users\Username\Documents).

A .txt file is created with metadata for all removable media connected to the device running the Code42 agent. Metadata includes: Product name, Serial number, Bus type, Capacity, Device name, Vendor name, Media name, Volume name, Partition GUID, Volume type, and Volume capacity.

Git

Git detection requires the insider risk agent and a supported product plan.

The Git section provides details about the Git activity associated with the event.

Forensic Search results - Git details

Git event ID

A global unique identifier (GUID) generated by Incydr for this Git event. All files associated with this event have the same Git event ID. A single Git event can be associated with multiple file events.

Last commit hash

Hash value from the most recent commit in this Git event.

Repository URI

Uniform Resource Identifier (URI) for the Git repository.

Repository user

The username specified by the user who performed the Git event. This is a user-defined value and may differ from the credentials used to sign in to Git.

Repository email

The email address specified by the user who performed the Git event. This is a user-defined value and may differ from the credentials used to sign in to Git.

Repository endpoint path

File path of the local Git repository on the user's endpoint.

Destination

The Destination section provides details about where a file was sent or moved. Destination details vary based on the event type.

Forensic Search results - destination event details

Each event type displays different metadata

No single event contains values for all items in the table below. For example, the image above does not include removable media metadata, because this event occurred in cloud storage, not on removable media.

Removable media metadata

Available values vary based on the device manufacturer. In some cases, one or more values may not be supplied by the manufacturer or provided by the device's operating system.

That's why we provide multiple pieces of information for removable media events. For example, if a drive does not report a serial number, you may be able to reference a combination of Capacity, Device Partition ID, and other unique fields to confirm the drive's identity during an investigation.

Active tab titles and URLs

The name of the browser tab or title of the application window active at the time the file is read by the browser or other app. For web browsers, the URL of the active tab may also be included. This information helps determine the destination of an uploaded file.

  • For Windows devices, the tab title and URL are collected automatically. For Mac devices, administrators must first authorize the Code42 agent to capture data from web browsers.
  • URLs are only supported in Chrome, Firefox, Chromium Edge, and Opera. Tab titles are supported for all browsers.
  • If the user accessed more than one tab while uploads were in progress, all tab titles/URLs visited during the upload are listed.

If the tab title or URL cannot be captured, it is listed as Unavailable and may also display one of these reasons:

  • Browser or app may require a restart due to a pending upgrade: Due to a pending update, active tab titles and URLs may not be captured until the user restarts the browser or app.
  • Permissions not set: On Macs, Code42 requires specific permissions to obtain this data.
  • Metadata not supported for this application: The event occurred in an unsupported browser.
  • Metadata not used by this application: The event occurred in an application that doesn't use tab titles or URLs.
  • Metadata not supported for custom applications: Tab titles and URLs are not collected for your customized list of monitored applications.

Applies only to Browser or app read events.

Destination account name

For cloud sync apps installed on user devices, indicates the name of the account where the file activity occurred. The account name can help you better identify risk by indicating if the activity occurred in your corporate cloud account, or in a personal account you don't control.

Applies only to OneDrive and Dropbox events.

Destination account type

For cloud sync apps installed on user devices, indicates the type of the account where the activity occurred.

  • Personal: A personal (non-corporate) account for an individual user. This may indicate a greater risk of file exfiltration.
  • Business: A corporate account. To configure trusted activity settings for specific business accounts, see Trusted activity > Account name.

Applies only to OneDrive and Dropbox events.

Destination category

The general category of where the file was sent. To view all categories, select the Destination > Destination category filter in Forensic Search and review the list of possible values. A few of the most common categories are listed below as examples.

  • Cloud Storage: The file was sent to a cloud service, either via a web browser upload or synced via an installed app.
  • Device: The file was sent to another device via AirDrop, moved to removable media, or downloaded from a cloud service into a sync folder on a device.
  • Email: The file was uploaded to an email provider via a web browser.
  • Messaging: The file was shared via a messaging service.
  • Social Media: The file was shared via social media. This does not necessarily mean it's posted publicly; for example, the file could have been sent in a direct message on LinkedIn, etc.
  • Source Code Repository: The file was uploaded to a location typically used for storing code files.
  • Uncategorized: The destination could not be matched to a specific category.
  • Unknown: Unable to determine the destination. On Macs, this may indicate Code42 does not have the required permissions to collect the destination details.

If the user accessed more than one tab while uploads were in progress, the destination category may indicate Multiple possibilities. Review the Active tab titles and URLs to identify all possible destinations.

Applies to Browser or app read and Cloud storage upload events.

Destination name

The specific location where the file was sent. Example names for some categories are listed below, but this is not a complete list:

  • Cloud Storage: Dropbox, OneDrive, Box
  • Device: Clyde's iPhone, Carmen's MacBook Pro, Unmonitored device (indicates a file was downloaded to a device not monitored by Incydr), Removable media
  • Email: Gmail, Outlook, Comcast
  • Messaging: Slack, Teams, WhatsApp
  • Social Media: Facebook, Twitter, Reddit
  • Source Code Repository: Bitbucket, Github

If the user accessed more than one tab while uploads were in progress, the destination name may indicate Multiple possibilities. Review the Active tab titles and URLs to identify all possible destinations.

Applies to Browser or app read and Cloud storage upload events.

Destination user

For endpoint sync folder events (occurred in a folder that is syncing with a cloud service):

The name of the user signed in to the cloud sync application on the device. This additional context can help you determine whether the file is synced with an approved cloud service.

For example, the User could indicate if a file synced with Google Drive is being stored in your corporate Google Workspace, or in an unsanctioned personal Google account.

  • Not available for files synced to Dropbox.
  • For OneDrive events on Macs, usernames may occasionally contain underscores in place of non-alphanumeric characters. For example, the username clyde.bailey@example.com may appear as clyde_bailey_example_com.

For cloud events:

The list of users granted to access the file by this event. Users who were granted access to the file prior to this event are not included. Click View to display a searchable list of usernames.

This only includes users the file is explicitly shared with. It does not capture users who only accessed a shared link.

This list can include:

  • Individual email addresses
  • Group email addresses
  • First and last name (for OneDrive users without an email address)

Google Drive users without email addresses (for example, service or integration accounts with sharing permissions) are not listed.
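The underscore substitution noted above for OneDrive events on Macs means a Source user or Destination user value may not match the identity in your directory as written. The following is an added example (not Code42's code) that reproduces the substitution, resolves an observed value back to the known identities that could have produced it, flags ambiguous and unknown results, and checks whether the candidates belong to a corporate domain; the directory entries and the corporate domain are constructed sample data.

```python
import re
from typing import Dict, List

# Constructed directory of identities you already know about (sample data, not
# from the page). The corporate domain is an assumption for this example.
CORPORATE_DOMAINS = {"example.com"}
KNOWN_USERS = [
    "clyde.bailey@example.com",
    "clyde_bailey@example.com",   # a distinct identity that mangles identically
    "carmen.ruiz@example.com",
    "carmen.ruiz@gmail.com",      # personal account, same person
]

_NON_ALNUM = re.compile(r"[^A-Za-z0-9]")


def mangle(username: str) -> str:
    """Apply the substitution the page describes for OneDrive events on Macs:
    every non-alphanumeric character becomes an underscore."""
    return _NON_ALNUM.sub("_", username)


def build_index(known: List[str]) -> Dict[str, List[str]]:
    """Map each mangled form to every known identity that produces it."""
    index: Dict[str, List[str]] = {}
    for user in known:
        index.setdefault(mangle(user), []).append(user)
    return index


def resolve_user(observed: str, known: List[str]) -> Dict[str, object]:
    """Resolve an observed Source/Destination user value to known identities.

    An exact match wins. Otherwise every identity with the same mangled form is
    a candidate; more than one candidate means the value is ambiguous and needs
    review, and no candidate means the account is not in your directory.
    """
    if observed in known:
        candidates = [observed]
    else:
        candidates = build_index(known).get(mangle(observed), [])
    corporate = [u for u in candidates
                 if u.rsplit("@", 1)[-1].lower() in CORPORATE_DOMAINS]
    if not candidates:
        status = "unknown"
    elif len(candidates) > 1:
        status = "ambiguous"
    else:
        status = "resolved"
    return {
        "observed": observed,
        "candidates": candidates,
        "status": status,
        # True only when every candidate is a corporate account.
        "corporate": bool(candidates) and len(corporate) == len(candidates),
    }
```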

Destination identifier

A key:value pair used internally by Incydr to enable specific search queries. For example, in the Source Code dashboard, clicking the link to investigate in Forensic Search may automatically populate the Destination identifier to return specific results.

In most cases, you do not need to manually define values for this filter.

Email recipients

The email addresses of those who received the email. Includes the To, Cc, and Bcc recipients.

Applies only to Emailed events. Visible only with licensing for one or more email data sources. Email details do not apply to endpoint or cloud events.

Email subject

The subject of the email message.

Applies only to Emailed events. Visible only with licensing for one or more email data sources. Email details do not apply to endpoint or cloud events.

IP address (public)

The external IP address of the device that downloaded the file, as reported by the device's outbound connection to the Code42 cloud.

If the IP address is not included in your list of in-network IP addresses, the Remote risk indicator is applied.

Applies only to Downloaded events.

IP address (private)

The IP address of the device that downloaded the file on your internal network. This includes:

  • Network interfaces
  • Virtual network interface controllers (VNICs)
  • Loopback/non-routable addresses (for example, 127.0.0.1)

If there is more than one active network interface, this displays a list.

Applies only to Downloaded events.

Operating system

Indicates the operating system of the device associated with the file event.

Applies only to endpoint events.

Printer name

The name of the printer.

Applies only to Printed events.

Print job name

The name of the print job. This is often the name of the printed document. Click Download file to download an image of the printed file.

Applies only to Printed events.

Remote hostname

The IP address or domain destination for files moved via file transfer tools, such as SFTP, SCP, FTP, and cURL.

Removable media bus type

The type of removable media connection. For example: USB, eSATA, Thunderbolt.

Applies only to removable media events.

Removable media capacity

The storage capacity of the removable media.

Applies only to removable media events.

Removable media device media name

The media name of the device, as reported by the vendor/device. This is usually very similar to the Removable media device name, but can vary based on the type of device. For example, if the device is a hard drive in a USB enclosure, this may be the combination of the drive model and the enclosure model.

This value is not provided by all devices, so it may be null in some cases.

Applies only to removable media events.

Removable media device name

The volume name of the removable media.

Applies only to removable media events.

Removable media device partition ID

A unique identifier assigned to the volume/partition when it was formatted. Windows devices refer to this as the VolumeGuid. On Mac devices, this is the Disk / Partition UUID, which appears when running the Terminal command diskutil info.

Applies only to removable media events.

Removable media device serial number

Serial number of the connected hardware, as reported by the device's operating system.

Applies only to removable media events.

Removable media device vendor

The brand name of the removable media. For example: Lexar, SanDisk, Seagate.

Applies only to removable media events.

Removable media device volume name

The name assigned to the volume when it was formatted, as reported by the device's operating system. This is also frequently called the "partition" name.

Applies only to removable media events.

Validate removable media metadata

To confirm whether a physical drive is the specific volume involved in a security event, connect the removable media to any device running Code42 agent version 7.7.0 or later, then follow the steps below to capture the metadata:

  1. Open the Code42 agent. If necessary, sign in.
  2. Enter the keyboard shortcut Ctrl+Shift+C (Windows and Linux) or Option+Command+C (Mac).
    The Code42 Commands window appears.
  3. Enter the command: removable.media.info to output a .txt file to the Desktop. Optionally, add a filepath to save to a different location (for example, removable.media.info C:\Users\Username\Documents).

A .txt file is created with metadata for all removable media connected to the device running the Code42 agent. Metadata includes: Product name, Serial number, Bus type, Capacity, Device name, Vendor name, Media name, Volume name, Partition GUID, Volume type, and Volume capacity.
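The removable media fields in the Source and Destination sections, together with the removable.media.info capture above, let you confirm that a physical drive is the one in an event. This added example (not Code42's code) parses a capture and applies the matching rule from the Removable media metadata note: use the serial number when the drive reports one, otherwise fall back to the combination of Partition ID and Capacity, with the vendor as a further check when both sides report it. The key: value layout of the .txt file, the sample device values, and the event field names are constructed assumptions; the page does not document the file's layout.

```python
from typing import Dict, List, Optional, Tuple

# Constructed sample of removable.media.info output. The page lists the field
# names but not the file layout, so "key: value" lines with a blank line between
# devices is an assumption made for this example. All values are made up.
SAMPLE_REPORT = """\
Serial number: 4C530001230427113234
Capacity: 32010928128
Device name: SanDisk Cruzer Glide
Vendor name: SanDisk
Volume name: TRANSFER
Partition GUID: 0d6f3a7e-9d6a-4b1c-8ae1-2c7b7f4b8c21

Serial number:
Capacity: 2000398934016
Device name: Seagate Backup Plus
Vendor name: Seagate
Volume name: ARCHIVE
Partition GUID: 7f1c2b3a-4d5e-4f60-9a1b-2c3d4e5f6a7b
"""


def parse_report(text: str) -> List[Dict[str, str]]:
    """Split the capture into one dict per device; blank lines separate devices."""
    devices: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for line in text.splitlines():
        if not line.strip():
            if current:
                devices.append(current)
                current = {}
            continue
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    if current:
        devices.append(current)
    return devices


def match_device(event: Dict[str, object],
                 devices: List[Dict[str, str]]) -> Tuple[Optional[Dict[str, str]], str]:
    """Return (matching device, evidence used) or (None, "no match").
    event keys are constructed names (serial_number, partition_id, capacity,
    vendor) holding the event's Forensic Search values; they are not API fields."""
    serial = str(event.get("serial_number") or "").strip().lower()
    # Preferred evidence: the hardware serial number, when the drive reports one.
    for dev in devices:
        if serial and dev.get("Serial number", "").strip().lower() == serial:
            return dev, "serial number"
    # Fallback for drives that report no serial: partition ID and capacity must
    # both agree, and the vendor must agree whenever both sides report it.
    partition = str(event.get("partition_id") or "").lower()
    capacity = str(event.get("capacity") or "")
    vendor = str(event.get("vendor") or "").lower()
    for dev in devices:
        same_partition = bool(partition) and dev.get("Partition GUID", "").lower() == partition
        same_capacity = bool(capacity) and dev.get("Capacity") == capacity
        dev_vendor = dev.get("Vendor name", "").lower()
        vendor_ok = not vendor or not dev_vendor or dev_vendor == vendor
        if same_partition and same_capacity and vendor_ok:
            return dev, "partition ID + capacity"
    return None, "no match"
```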

Process

The Process section provides details about the application and user associated with the file event.

Forensic Search results - process event details


Active tab signed-in user

(not pictured)

The user signed in to the active tab where the event occurred. For example, the user signed in to Gmail. This may differ from the user account signed in to the browser itself.

Requires the Incydr browser extension.

Executable name

The path on disk of the executable, for example: \Device\Volume\Program Files\Google\Chrome\Application\chrome.exe

On Mac devices, AirDrop activity is indicated by the process name /usr/libexec/sharingd.

Incydr extension version

(not pictured)

The version of the Code42 Incydr extension installed when the event occurred.

Process user

The username of the process owner, as reported by the device's operating system.

Web browser name

(not pictured)

The web browser in which the event occurred.

Requires the Incydr browser extension.

Salesforce report

The Salesforce report section provides details about reports downloaded from Salesforce.

Visible only with licensing for the Salesforce data connection.

Forensic Search results - Salesforce report event details

Report name

The display name of the report.

  • Ad hoc reports display the Salesforce "Report Type" selected by the user when generating the report.
  • Saved reports display the name entered by the user upon saving the report.

For details about the name of the downloaded file, see the Filename > Report activity section above.

Report description

The description of the report.

Does not apply to ad hoc reports.

Report column headers

List of all column headers in the report. If there are more than 10 columns, a Show all link appears to display all columns.

User-created custom bucket fields for public reports are reported in the format: Source column ("user label"). For example, if a user creates a bucket column named "Size" to categorize customers based on the EMPLOYEE_COUNT field, Report column headers displays the value EMPLOYEE_COUNT ("Size").

The source column and user-defined label for custom bucket fields are unavailable for private reports saved in a user's personal folder in Salesforce. In this case, Salesforce's default identifier for the column (such as BucketField_12345678) appears instead.

Number of rows

The total number of rows returned in the report.

Report type

Indicates if the report is Ad-hoc or Saved:

  • Ad-hoc reports are created and run by the user, which often denotes a temporary, custom report that does not include a Report name, Report description, or Report ID.
  • Saved reports were previously created and stored in Salesforce, and then run by the user.

Report ID

The ID of the report associated with this event.

Salesforce uses a 15-character ID for the Classic experience and an 18-character ID for the Lightning experience.

Does not apply to ad hoc reports.

Field name mapping and definitions