Organizations - Endpoint Data Collection reference
Overview
The Endpoint Data Collection settings identify the exfiltration vectors monitored for risky activity. Incydr automatically collects all metadata associated with the files involved in such activity. You can also collect the contents of those files, when available, to provide important context during investigations.
Endpoint Data Collection settings
To view an organization's endpoint data collection settings:
Click the Endpoint Data Collection tab. If there's no Endpoint Data Collection tab in your environment, select the Insider Risk tab and go to the Endpoint data collection section.
Incydr displays data for users in all organizations
Visibility of activity captured by Incydr is not limited by your Incydr organization hierarchy.
Incydr organizations only control endpoint settings related to file preservation (backup), agent deployment, and identity management. Users with roles that allow access to Incydr features (such as dashboards, Alerts, and Forensic Search) can view insider risk data for users in all organizations.
Item
Description
a. Collect file metadata
Identifies the vectors monitored for file exfiltration. All vectors are enabled by default. If you need to disable a vector, contact our Technical Support Engineers.
Removable media
Scanning all removable media (such as USB drives or SD cards) for file metadata.
Cloud sync applications
Detection of files that are synced to cloud storage using these apps installed on the endpoint:
Box
Box Drive (Mac only)
Dropbox
Google Drive for Desktop
iCloud
OneDrive (Incydr watches a personal OneDrive account and up to two OneDrive for Business accounts on each device)
Browser and other application activity
Detection of files accessed by web browsers and other applications (for example, uploading attachments to web-based email or downloading files via FTP).
This may also include other instances of apps accessing a file, such as opening a local file to view it in a web browser without actually uploading it.
Incydr requires macOS permissions to detect file upload destinations
To detect Browser and other application activity, you must take action to grant Incydr permission on Mac devices to detect the window title and URL active at the time a file is uploaded. For details, follow the steps in macOS permissions for the insider risk agent.
Printers
Detects files sent to printers and captures an image of the printed file.
All Mac and Linux agents are supported. Windows has early access support for devices with insider risk agent version 1.8.0 and later.
b. Collect exfiltrated data
Collect exfiltrated file contents
Defines if the contents of the file itself are collected when a file is exfiltrated.
Enabled: Contents of exfiltrated files are collected and accessible in the file event details. File contents are retained for the Event data retention period specified in your product plan. To use content inspection, Collect exfiltrated file contents must be enabled.
Disabled: Contents of exfiltrated files are not collected. Disabling this setting can help meet compliance requirements by not collecting file contents in organizations where users handle especially sensitive information. However, even when exfiltrated file contents are not collected, file metadata is still captured for all exfiltration vectors enabled above.
Collect exfiltrated paste contents
Requires insider risk agent version 2.6.0 or later
Defines if the pasted contents are collected when pasted to an untrusted destination.
Enabled: Content pasted to untrusted destinations is collected and accessible in the paste event details. Paste contents are retained for the Event data retention period specified in your product plan.
Disabled: Content pasted to untrusted destinations is not collected. Disabling this setting can help meet compliance requirements by not collecting especially sensitive information. However, even when pasted contents are not collected, destination and other metadata is still captured for the paste activity.
c. Edit
Click to update the Collect exfiltrated file contents settings.
When the panel opens:
If applicable, use the slider to identify whether the organization inherits these settings from its parent organization. This slider configures the organization to take on the security settings of the organization defaults (for top-level or system-wide organizations) or its parent organization. When enabled, settings must be edited at the top-level organization default or parent organization level. This slider is not available for the top-level organization.