Overview
This article describes data model changes to Incydr file event metadata introduced on June 13, 2022. Most changes are minor and do not require you to take any action.
Changes include:
- Reorganized file event details display order to better highlight insider risk indicators.
- Addition of several new fields to better focus on details of a specific event.
- Removal of outdated, duplicate, and ambiguous/extraneous fields.
- A new
/v2/file-eventsAPI endpoint, which uses a hierarchical structure with parent objects for each field. - Improved clarity on source and destination fields.
See below for the complete list of changes.
v1/file-events API end-of-life
In June 2022, the /v1/file-events API was updated to /v2/file-events. The v1 API will reach end-of-life and stop functioning on February 28, 2026. To prevent service interruptions, you must update your integrations and scripts to use the /v2/file-events API before February 28, 2026. See below for more details.
Summary of changes
- Introduced several new fields. Some provide metadata not captured previously (such as Event ID and Operating system), and some contain values previously included in other fields. See the Additions section below for complete details.
- Removed and consolidated fields. A number of fields were removed or consolidated to streamline and improve clarity of the file event metadata. See the Removals section below for complete details.
- All fields are now grouped under parent categories. This results in improved organization of the Forensic Search filter options and the file event metadata details throughout the Incydr console. See the File event metadata reference for complete details.
- The file-events endpoint incremented from
/v1/file-eventsto/v2/file-events.- The
/v1/file-eventsendpoint did not change and will continue to return the same data. However, new feature development and other improvements will be focused on the/v2/file-eventsendpoint. - No immediate changes are required if you use the
/v1/file-eventsendpoint in scripts or integrations. However, it will eventually be deprecated in a future release.
- The
- The new data model groups all fields under parent categories. The
/v2/file-eventsendpoint field names reflect this new structure. For example,removableMediaNameis nowdestination.removableMedia.name. See the field mapping details below for a complete list of changes.
- Most Saved searches were automatically updated to use the new search filters and values. However, you should double-check your saved searches to make sure they are still returning expected results. Some searches that used the Exposure type filter may require you to manually adjust the search criteria to return the expected results.
- If you used a web browser to bookmark a search in Forensic Search, the bookmarked link no longer works. You can recreate the search and make a new bookmark, or create a saved search for future searches you plan to use regularly.
Additions
The following fields and search filters were added to the Code42 console and the /v2/file-events API endpoint.
| Code42 console user interface | JSON/Code42 API field name | Description |
|---|---|---|
| Event action | event.action | Contains values previously included in the Exposure Type and Event Type fields. |
| Event ID | event.id | Provides a unique identifier for the event. Event ID is now visible in Forensic Search and file event details in the Code42 console. Previously, it was only accessible via the Code42 API. |
| Operating System | source.operatingSystem destination.operatingSystem |
Indicates the operating system of the device associated with the file event. The new field was added to both the Source and Destination categories. |
| Share type | event.shareType | Indicates the sharing permissions for an event. This replaces/consolidates values previously included in the File exposure change to and Exposure Type fields. |
| Source Name | source.name | Contains values previously included in the Hostname (endpoint events) and Source name (download events) fields. |
Removals
The following fields and search filters were removed from the Code42 console and the /v2/file-events API endpoint.
| Code42 console user interface | JSON/Code42 API field name | Notes |
|---|---|---|
| Actor | actor | Consolidated into Username (user.email). |
| Event type | eventType | Consolidated into Event Action (event.action). |
| Exposure Type | exposure |
Removed the Exposure Type field and search filter. All Exposure Type values still exist, but they have been moved to new filters. See the Exposure Type alternatives section below for details about the new equivalents. |
| MD5 hash SHA256 hash Error reasons appeared in these fields in place of the actual hash value |
fieldErrors | Replaced by error fields specific to where the error applies. For example: file.hash.md5Error, file.hash.sha256Error, destination.tabs.urlError
|
| Remote Activity | remoteActivity | This true/false field has been replaced by the Risk indicator value Remote activity. |
| Risk Indicators - Off hours | outsideActiveHours | This true/false field has been replaced by the Risk indicator value Off hours. |
| Shared | shared |
Removed the Shared field and search filter because it returned a static attribute of the file, which did not always apply to the file activity that generated a specific event. As such, it was not an accurate risk indicator for individual events.
Use the new Event > Share type filter instead ( |
| Shared With Users | sharedWith |
Removed the Shared With Users field and search filter because it returned a static list of all users the file had ever been shared with, which did not always apply to the file activity that generated a specific event. As such, it was not an accurate risk indicator for individual events.
Use the Destination > User filter instead, which lists the users the file is shared with for each specific event. |
| Suspicious File Type Mismatch | mimeTypeMismatch | This true/false field has been replaced by the Risk indicator value File mismatch. |
| Sync destination | syncDestination | Consolidated into Destination > Name (destination.name). |
| Email DLP Policy Names | emailDlpPolicyNames |
No longer in use. Deprecated September 2021. |
| API only. Not visible in the Code42 console. | windowTitle |
Deprecated February 2021 and replaced by
In the |
| API only. Not visible in the Code42 console. | tabURL | Deprecated February 2021 and replaced by tabURLs
in the
In the |
| API only. Not visible in the Code42 console. | fileType | Indicated if the event was for a file or a folder (directory). Incydr only reports events for files (not folders), so this field was not necessary. |
| API only. Not visible in the Code42 console. | detectionSourceAlias |
Indicated the name you provided when the cloud data connection was initially configured in the Code42 console. Use |
Exposure Type alternatives
The Exposure Type filter was removed and has been replaced with more specific insider risk indicator options.
| Exposure Type value (removed) | New equivalent |
|---|---|
| Synced to cloud service | Risk indicator = [cloud storage name] upload. For example: Dropbox upload |
| Activity on removable media | Risk indicator = Removable media |
| Read by browser or other app | Event action = Browser or app read |
| Public via direct link | Share type = Anyone with the link |
| Share with corporate domain | Share type = Anyone in your organization |
| Outside trusted domain | Share type = Shared with specific people |
Complete field mapping details for the the v2/file-events API
This table lists every file event metadata field and shows how it was affected by the data model changes.
- All JSON/API field names changed to reflect the parent category data structure.
- Most Code42 console labels remain the same.
- Some fields included in the Code42 API are not included in the Code42 console interface. Those fields are marked with -- below.
| Old Code42 console label | New Code42 console label | Old JSON/Code42 API field name | New JSON/Code42 API field name | Notes |
|---|---|---|---|---|
| Date observed | Date observed | eventTimestamp | @timestamp | |
| -- | Event ID | eventId | event.id | |
| -- | -- | insertionTimestamp | event.inserted | |
| Exposure type Event type |
Event Action | exposure, eventType | event.action | New field. Consolidates values previously included in the Exposure type ( exposure) and Event type (eventType) fields. |
| -- | Share type | -- | event.shareType | New field. Consolidates values previously included in the Exposure type ( exposure) and File exposure changed to (sharingTypeAdded) fields. |
| Event observer | Event observer | source | event.observer | |
| Username | Username | deviceUserName, actor | user.email | |
| -- | User ID | userUid | user.id | |
| -- | -- | deviceUid | user.deviceUid | |
| File name | File name | fileName | file.name | |
| File path | File path | filePath | file.directory | |
| File category | File category | fileCategory | file.category | |
| -- | -- | mimeTypeByBytes | file.mimeTypeByBytes | |
| -- | -- | fileCategoryByBytes | file.categoryByBytes | |
| -- | -- | mimeTypeByExtension | file.mimeTypeByExtension | |
| -- | -- | fileCategoryByExtension | file.categoryByExtension | |
| File size | File size | fileSize | file.sizeInBytes | |
| File owner | File owner | fileOwner | file.owner | |
| File created | File created | createTimestamp | file.created | |
| File modified | File modified | modifyTimestamp | file.modified | |
| MD5 hash | MD5 hash | md5Checksum | file.hash.md5 | |
| SHA256 hash | SHA256 hash | sha256Checksum | file.hash.sha256 | |
| -- | -- | fileId | file.id | |
| -- | -- | url | file.url | |
| Directory ID | Directory ID | directoryId | file.directoryId | |
| -- | -- | cloudDriveId | file.cloudDriveId | |
| File classification | File classification | fileClassifications | file.classifications | |
| Report ID | Report ID | reportId | report.id | |
| Report name | Report name | reportName | report.name | |
| Report description | Report description | reportDescription | report.description | |
| Report column headers | Report column headers | reportColumnHeaders | report.headers | |
| Number of rows | Number of rows | reportRecordCount | report.count | |
| Report type | Report type | reportType | report.type | |
| Source Category | Source Category | sourceCategory | source.category | |
|
Source Name Hostname |
Source Name |
sourceName osHostName |
source.name | New field combining the previous Hostname /osHostName (for endpoint events) and Source Name / sourceName of the original location of a file download (for cloud events). |
| Fully qualified domain name | Domain | domainName | source.domain | Renamed to more clearly distinguish between source and destination values. |
| IP address (public) | IP address (public) | publicIpAddress | source.ip | Renamed to more clearly distinguish between source and destination values. |
| IP address (private) | IP address (private) | privateIpAddresses | source.privateIp | Renamed to more clearly distinguish between source and destination values. |
| -- | Operating System | -- | source.operatingSystem | New field. Indicates the operating system of the device associated with the file event. |
| Sender | Email sender | emailSender | source.email.sender | |
| From | Email from | emailFrom | source.email.from | |
| Vendor name | Removable media vendor name | removableMediaVendor | source.removableMedia.vendor |
Renamed to more clearly distinguish between source and destination values. |
| Device name | Removable media device name | removableMediaName | source.removableMedia.name | Renamed to more clearly distinguish between source and destination values. |
| Serial number | Removable media serial number | removableMediaSerialNumber | source.removableMedia.serialNumber | Renamed to more clearly distinguish between source and destination values. |
| Capacity | Removable media capacity | removableMediaCapacity | source.removableMedia.capacity | Renamed to more clearly distinguish between source and destination values. |
| Bus type | Removable media bus type | removableMediaBusType | source.removableMedia.busType | Renamed to more clearly distinguish between source and destination values. |
| Device media name | Removable media device media name | removableMediaMediaName | source.removableMedia.mediaName | Renamed to more clearly distinguish between source and destination values. |
| Device volume name | Removable media device volume name | removableMediaVolumeName | source.removableMedia.volumeName | Renamed to more clearly distinguish between source and destination values. |
| Device partition ID | Removable media device partition ID | removableMediaPartitionId | source.removableMedia.partitionId | Renamed to more clearly distinguish between source and destination values. |
| Active tab titles and URLs | Active tab titles and URLs | tabs.title | source.tabs.title | |
| Error reason | Error reason | tabs.titleError | source.tabs.titleError | |
| Active tab titles and URLs | Active tab titles and URLs | tabs.url | source.tabs.url | |
| Error reason | Error reason | tabs.urlError | source.tabs.urlError | |
| Destination category | Destination category | destinationCategory | destination.category | |
| Destination name | Destination name | destinationName | destination.name | |
| Sync username, Shared with users | User | operatingSystemUser, syncDestinationUser |
destination.user.email | New field. Consolidates values previously included in the Sync username ( operatingSystemUser) and Shared with users (syncDestinationUser) fields. |
| IP address (public) | IP address (public) | publicIpAddress | destination.ip | Renamed to more clearly distinguish between source and destination values. |
| IP address (private) | IP address (private) | privateIpAddresses | destination.privateIp | Renamed to more clearly distinguish between source and destination values. |
| -- | Operating System | -- | destination.operatingSystem | New field. Indicates the operating system of the device associated with the file event. |
| Print job name | Print job name | printJobName | destination.printJobName | |
| Printer name | Printer name | printerName | destination.printerName | |
| -- | -- | printedFilesBackupPath | destination.printedFilesBackupPath | |
| Vendor name | Removable media vendor name | removableMediaVendor | destination.removableMedia.vendor | Renamed to more clearly distinguish between source and destination values. |
| Device name | Removable media device name | removableMediaName | destination.removableMedia.name | Renamed to more clearly distinguish between source and destination values. |
| Serial number | Removable media serial number | removableMediaSerialNumber | destination.removableMedia.serialNumber | Renamed to more clearly distinguish between source and destination values. |
| Capacity | Removable media capacity | removableMediaCapacity | destination.removableMedia.capacity | Renamed to more clearly distinguish between source and destination values. |
| Bus type | Removable media bus type | removableMediaBusType | destination.removableMedia.busType | Renamed to more clearly distinguish between source and destination values. |
| Device media name | Removable media device media name | removableMediaMediaName | destination.removableMedia.mediaName | Renamed to more clearly distinguish between source and destination values. |
| Device volume name | Removable media device volume name | removableMediaVolumeName | destination.removableMedia.volumeName | Renamed to more clearly distinguish between source and destination values. |
| Device partition ID | Removable media device partition ID | removableMediaPartitionId | destination.removableMedia.partitionId | Renamed to more clearly distinguish between source and destination values. |
| Recipients | Email recipients | emailRecipients | destination.email.recipients | |
| Subject | Email subject | emailSubject | destination.email.subject | |
| Active tab titles and URLs | Active tab titles and URLs | tabs.title | destination.tabs.title | |
| Error reason | Error reason | tabs.titleError | destination.tabs.titleError | |
| Active tab titles and URLs | Active tab titles and URLs | tabs.url | destination.tabs.url | |
| Error reason | Error reason | tabs.urlError | destination.tabs.urlError | |
| Executable name | Executable name | processName | process.executable | |
| Process user | Process user | processOwner | process.owner | |
| Risk score | Risk score | riskScore | risk.score | |
| Risk severity | Risk severity | riskSeverity | risk.severity | |
| Risk indicator | Risk indicator | riskIndicators.name | risk.indicators.name | |
| Risk indicator | Risk indicator | riskIndicators.weight | risk.indicators.weight | |
| Trusted activity | Trusted activity | trusted | risk.trusted | |
| Trusted activity | Trusted activity | trustReason | risk.trustReason | |
| -- | -- | windowTitle | -- |
Removed. |
| -- | -- | tabURL | -- | Removed. This field is no longer in use. This data is now included in destination.tabs.url and source.tabs.url. |
| Exposure Type | -- | exposure | -- |
Removed. |
| Sync Destination | -- | syncDestination | -- | Removed. Consolidated into Destination name ( destination.name). |
| Sync Username | -- | syncDestinationUsername | -- | Removed. Consolidated into User ( destination.user.email). |
| Actor | -- | actor | -- | Removed. Consolidated into Username ( user.email). |
| Event type | -- | eventType | -- |
Removed. |
| -- | -- | fieldErrors | -- |
Removed. |
| -- | -- | fileType | -- |
Removed. |
| -- | -- | detectionSourceAlias | -- |
Removed. |
| Risk Indicators - Off hours | -- | outsideActiveHours | -- | Removed. This true/false field has been replaced by the Risk indicator ( risk.indicators.name) value Off hours. |
| File type mismatch | -- | mimeTypeMismatch | -- | Removed. This true/false field has been replaced by the Risk indicator ( risk.indicators.name) value File mismatch. |
| Remote activity | -- | remoteActivity | -- | Removed. This true/false field has been replaced by the Risk indicator ( risk.indicators.name) value Remote. |
| Hostname | -- | osHostName | -- | Removed. Consolidated into Source name ( source.name). |
| Shared | -- | shared | -- |
Removed. |
| Shared with users | -- | sharedWith | -- |
Removed. |
| -- | -- | emailDlpPolicyNames | -- |
Removed. |
| Source name | -- | sourceName | -- | Removed. Replaced by Source name ( source.name). |
| File exposure changed to | -- | sharingTypeAdded | -- |
Removed. |
Legacy field name mapping and definitions for the v1/file-events API
The table below lists all file event metadata fields and the corresponding labels in the Incydr console user interface (including Forensic Search, Cases, and Alerts), the CSV export, the JSON data, and Common Event Format (CEF).
Click to download the table below as a CSV file.
- Some fields in the JSON are not included in the Incydr console interface or CSV export. Those fields are marked with
--below. - In the JSON data response, fields that do not apply to a specific event return the value
null. - The table below is sorted based on the order in which fields are returned via JSON, which also loosely corresponds to the order of fields in the Forensic Search interface. To apply a custom sort, download the CSV file linked above.
- Depending on your screen size, you may need to scroll horizontally to see all of the columns in the table below.
|
Incydr console user interface |
CSV Export | JSON | CEF | Data Type | Description | Sample value |
|---|---|---|---|---|---|---|
| -- | Event ID | eventId | string | The unique identifier for the event. | 0_c4b5e830-824a-40a3-a6d9-345664cfbb33_941983451917189059_974935592122324249_54 | |
| Event Type | Event type | eventType | string | Indicates the type of file event observed. | MODIFIED | |
| Date Observed | Date Observed (UTC) | eventTimestamp | end | string($date-time) | Date and time that the Code42 service on the device detected an event; based on the device’s system clock and reported in Coordinated Universal Time (UTC). | 2020-10-04T23:34:31.009Z |
| -- | Date inserted (UTC) | insertionTimestamp | rt | string($date-time) | Date and time that the event was received for indexing by Code42; timestamp is based on the Code42 cloud system clock and reported in Coordinated Universal Time (UTC). | 2020-10-04T23:34:31.009Z |
| -- | -- | fieldErrors | string | List fields with errors and the reasons why they could not be determined. | {"field": "md5Checksum", "error": "GDRIVE_NATIVE_HASH"}, {"field": "sha256Checksum", "error": "GDRIVE_NATIVE_HASH"} |
|
| File Path | File path | filePath | filePath | string | The file location on the user’s device; a path forward or backslash should be included at the end of the filepath. Possibly null if the file event occurred on a cloud provider. | C:/Users/ |
| Filename | Filename | fileName | fname | string | The name of the file, including the file extension. | Q1 Forecast.xlsx |
| -- | File type | fileType | string | The type of file detected; only FILE types are searchable. The most common values are:
Under very rare circumstances, it may also be possible to see the following values: UNKNOWN, WIN_NDS (named data stream), MAC_RSRC (Mac resource fork), FIFO (a named pipe), BLOCK_DEVICE, CHAR_DEVICE,SOCKET, BUNDLE |
FILE | |
| File Category | File Category | fileCategory | fileType | string | A categorization of the file that is inferred from the MIME type. | SPREADSHEET |
| -- | Identified Extension Category | fileCategoryByBytes | string | A categorization of the file based on its contents. | Document | |
| -- | Current Extension Category | fileCategoryByExtension | string | A categorization of the file based on its extension. | Document | |
| File Size | File size (bytes) | fileSize | fsize | integer($int64) | Size of the file, in bytes. | 2613250 |
| File Owner | File Owner | fileOwner | string | The name of the user who owns the file, as reported by the device’s file system. | first.last | |
| MD5 Hash | MD5 Hash | md5Checksum | fileHash | string | The MD5 hash of the file contents. | 426b7d71e7ea804086e474fda7f3d6e7 |
| SHA256 Hash | SHA-256 Hash | sha256Checksum | string | The SHA256 hash of the file contents. | f4d2911665f2392fe774d5e64eef5d8313331700b45f333da069507db00944a8 | |
| File Created Date | Create Date | createTimestamp | fileCreateTime | string($date-time) | File creation timestamp as reported by the device’s operating system in Coordinated Universal Time (UTC); available for Mac and Windows NTFS devices only. | 2020-02-10T04:37:56Z |
| File Modified Date | Modified Date | modifyTimestamp | fileModificationTime | string($date-time) | File modification timestamp as reported by the device’s operating system. This only indicates changes to file contents. Changes to file permissions, file owner, or other metadata are not reflected in this timestamp. Date is reported in Coordinated Universal Time (UTC). | 2020-02-10T04:37:56Z |
| Username (Code42) | Username | deviceUserName | suser | string | The Code42 username used to sign in to the Code42 agent on the device. Null if the file event occurred on a cloud provider. | first.last@example.com |
| Hostname | Hostname | osHostName | shost | string | The name reported by the device’s operating system. This may be different than the device name in the Code42 console. | LAPTOP-0001 |
| Fully Qualified Domain Name | Fully Qualified Domain Name | domainName | string | Fully qualified domain name (FQDN) for the user’s device at the time the event is recorded. If the device is unable to resolve the domain name of the host, it reports the IP address of the host. | LAPTOP-0001.example.com | |
| IP Address (public) | IP address (public) | publicIpAddress | src | string | The external IP address of the user’s device. | 192.0.2.0 |
| IP Address (private) | IP address (private) | privateIpAddresses | string | The IP address of the user’s device on your internal network, including Network interfaces, Virtual Network Interface controllers (NICs), and Loopback/non-routable addresses. | ["192.0.4.0", "0:0:0:0:0:0:0:1"] | |
| -- | -- | deviceUid | string | Unique identifier for the device. Null if the file event occurred on a cloud provider. | 421983451917189059 | |
| -- | User UID | userUid | suid | string | Unique identifier for the user of the Code42 agent on the device. Null if the file event occurred on a cloud provider. | 429428473202283166 |
| Actor | Actor | actor | string | Name of the user reported by the cloud provider for the user who performed this file activity. | first.last | |
| Directory ID | Directory ID | directoryId | string | Unique identifier of the parent drive that contain the file; searching on directoryId will return events for all of the files contained in the parent drive. | 42BwMEK7Bcbq2MqnIkwFBOLCXhzLQYdLM | |
| Source | Source | source | string | Data source for a file event. | Endpoint | |
| -- | URL | url | string | URL reported by the cloud provider at the time the event occurred. | https://drive.google.com/drive/folders/42_HMsEj0GIvFO0_nLw_ZTcrw6z | |
| Shared | Shared | shared | string | Indicates the shared status as reported by the cloud provider at the time the event occurred. A shared file indicates that one or more users have been granted explicit access to the file. It does not capture whether or not a link to the file has been shared. | TRUE | |
| Shared With Users | Shared With Users | sharedWith | string | A list of users who have been granted explicit rights to the file at the time the event occurred. | first.last@example.com | |
| File exposure changed to | File exposure changed to | sharingTypeAdded | string | Public sharing types that were added by this event. | Public via direct link | |
| -- | Cloud drive ID | cloudDriveId | string | Unique identifier reported by the cloud provider for the drive containing the file at the time the event occurred. | 42BwMEK7Bcbq2MqnIkwFBOLCXhzLQYdLM | |
| -- | Detection Source Alias | detectionSourceAlias | string | Name provided by your Customer Cloud Administrator when the cloud data connection was initially configured in the Code42 console. | Google Drive US | |
| -- | -- | fileId | string | Unique identifier reported by the cloud provider for the file associated with the event. | 423156543288 | |
| Exposure Type | Exposure Type | exposure | reason | string | The type of exposure risk. For example, file activity on removable media or files shared outside your list of trusted domains. | RemovableMedia |
| Process User | Process Owner | processOwner | spriv | string |
For events generated when a file is read in a browser or other app, indicates the operating system owner for the process.
Depending on your Code42 product plan, this value may be null for some event types. |
first.last |
| Executable Name (Browser or Other App) | Process Name | processName | sproc | string |
For events generated when a file is read in a browser or other app, indicates the specific operating system process.
Depending on your Code42 product plan, this value may be null for some event types. |
\Program Files\Google\Chrome\Application\chrome.exe |
| Destination: Active tab titles and URLs | Tab Titles | tabTitles | string |
For events generated when a file is read in a browser or other app, the tab or window title(s) that had activity at the time of the event.
If the user accessed more than one tab while uploads were in progress, all tab titles visited during the upload are listed.
In the Code42 console user interface, the tab title and tab URL are combined into the single Active tab titles and URLs field. |
Marketing Assets - Google Drive - Google Chrome | |
| Destination: Active tab titles and URLs | Tab Title Errors | titleError | string |
For events generated when a file is read in a browser or other app, specifies a reason if the tab title is unavailable.
In the Code42 console user interface, the error message appears in the Active tab titles and URLs field. |
Metadata not supported for custom applications | |
| Destination: Active tab titles and URLs | Tab URLs | tabURLs | string |
For events generated when a file is read in a browser or other app, the URL that had activity at the time of the event.
If the user accessed more than one tab while uploads were in progress, all URLs visited during the upload are listed.
In the Code42 console user interface, the tab title and tab URL are combined into the single Active tab titles and URLs field. |
https://drive.google.com/drive/folders/42n7XSBQIfJ-a9B4Egv0GONOeC2EIVRbr | |
| Destination: Active tab titles and URLs | Tab URL Errors | urlError | string |
For events generated when a file is read in a browser or other app, specifies a reason if the tab URL is unavailable.
In the Code42 console user interface, the error message appears in the Active tab titles and URLs field. |
Metadata not supported for custom applications | |
| Source: Active tab titles and URLs | Source Tab URLs | sourceTabs.url | string |
For events generated when a file is downloaded via a browser or other app, the URL that had activity at the time of the event. This information helps determine the source of a downloaded file.
If the user accessed more than one tab while downloads were in progress, all URLs visited during the download are listed.
In the Code42 console user interface, the tab title and tab URL are combined into the single Active tab titles and URLs field. |
https://drive.google.com/drive/folde...0GONOeC2EIVRbr | |
| Source: Active tab titles and URLs | Source Tab URL Errors | sourceTabs.urlError | string | For events generated when a file is read in a browser or other app, specifies a reason if the tab URL is unavailable. In the Code42 console user interface, the error message appears in the Active tab titles and URLs field. |
Permissions not set | |
| Source: Active tab titles and URLs | Source Tab Titles | sourceTabs.title | string |
For events generated when a file is downloaded via a browser or other app, the tab or window title(s) that had activity at the time of the event. This information helps determine the source of a downloaded file.
If the user accessed more than one tab while downloads were in progress, all tab titles visited during the download are listed.
In the Code42 console user interface, the tab title and tab URL are combined into the single Active tab titles and URLs field. |
Marketing Assets - Google Drive - Google Chrome | |
| Source: Active tab titles and URLs | Source Tab Title Errors | sourceTabs.titleError | string |
For events generated when a file is read in a browser or other app, specifies a reason if the tab title is unavailable.
In the Code42 console user interface, the error message appears in the Active tab titles and URLs field. |
Permissions not set | |
| Tab/Window Title (Browser or Other App) | Tab/Window Title | windowTitle | string |
For events generated when a file is read in a browser or other app, the tab or window title(s) that had activity at the time of the event.
Deprecated February 2021. Use |
Marketing Assets - Google Drive - Google Chrome | |
| Tab URL (Browser) | Tab URL | tabUrl | request | string |
For events generated when a file is read in a browser or other app, the URL that had activity at the time of the event.
Deprecated February 2021. Use |
https://drive.google.com/drive/folders/42n7XSBQIfJ-a9B4Egv0GONOeC2EIVRbr |
| Device Vendor (Removable Media) | Removable Media Vendor | removableMediaVendor | string | For events detected on removable media, indicates the vendor of the removable device. | SanDisk | |
| Device Name (Removable Media) | Removable Media Name | removableMediaName | string | For events detected on removable media, indicates the name of the removable device. | Ultra USB 3.0 | |
| Device Serial Number (Removable Media) | Removable Media Serial Number | removableMediaSerialNumber | string | For events detected on removable media, indicates the serial number of the removable device. | 42B2796EF73C48D0AA7768CB0E684842 | |
| Device Capacity (Removable Media) | Removable Media Capacity | removableMediaCapacity | integer($int64) | For events detected on removable media, indicates the capacity of the removable device in bytes. | 34359738368 | |
| Device Bus Type (Removable Media) | Removable Media Bus Type | removableMediaBusType | string | For events detected on removable media, indicates the connection used to transfer data between the host and the removable device. For example: USB, eSATA, Thunderbird. | USB | |
| Device Media Name (Removable Media) | Removable Media Media Name | removableMediaMediaName | string | For events detected on removable media, the media name of the device, as reported by the vendor/device. This name can vary based on the type of device. For example, if the device is a hard drive in a USB enclosure, the name may be the combination of the drive model and the enclosure model. This value is not provided by all devices, so it may be null in some cases. | SanDisk Ultra USB 3.0 Media | |
| Device Volume Name (Removable Media) | Removable Media Volume Name | removableMediaVolumeName | string | For events detected on removable media, the name assigned to the volume when it was formatted, as reported by the device’s operating system. This is also frequently called the “partition” name. | Example Volume | |
| Device Partition ID (Removable Media) | Removable Media Partition Id | removableMediaPartitionId | string | For events detected on removable media, a unique identifier assigned to the volume/partition when it was formatted. Windows devices refer to this as the VolumeGuid. On Mac devices, this is the Disk / Partition UUID, which appears when running the Terminal command diskUtil info. |
00000001-0000-0000-0000-000000000000 | |
| Report column headers | Report Column Headers | reportColumnHeaders | string |
List of all column headers in the report.
|
USERNAME ACCOUNT_NAME TYPE DUE_DATE LAST_UPDATE ADDRESS1_STATE |
|
| Report description | Report Description | reportDescription | string |
The description of the report. Does not apply to ad hoc reports. Applies to reports from 3rd party sources, such as Salesforce. |
Top 20 accounts based on annual revenue | |
| Report ID | Report ID | reportId | string |
The ID of the report associated with this event.
Salesforce uses a 15-character ID for the Classic experience and an 18-character ID for the Lightning experience.
Does not apply to ad hoc reports.
Applies to reports from 3rd party sources, such as Salesforce. |
00OB00000042FHdMAM | |
| Report name | Report Name | reportName | string |
The display name of the report.
Applies to reports from 3rd party sources, such as Salesforce. |
Top Accounts Report | |
| Number of rows | Report Record Count | reportRecordCount | integer |
The total number of rows returned in the report.
Applies to reports from 3rd party sources, such as Salesforce. |
36 | |
| Report type | Report Type | reportType | string |
Indicates if the report is Ad-hoc or Saved:
Applies to reports from 3rd party sources, such as Salesforce. |
Saved | |
| Sync Destination (Cloud) | Sync Destination | syncDestination | destinationServiceName | string | For events detected within a cloud storage sync destination on a device, the cloud storage vendor. | Dropbox |
| Sync Username (Cloud) | Sync Destination Username | syncDestinationUserName | string | For events detected within a cloud storage sync destination on a device, indicates the username logged into the cloud storage provider when the file activity was observed. | first.last@example.com | |
| Email DLP Policy Names | Email DLP Policy Names | emailDlpPolicyNames | string |
The name of the data loss prevention (DLP) policy that detected this file, as defined in your Microsoft Office 365 Security & Compliance Center.
If the attachment is detected by more than one policy, only one policy is listed.
Deprecated September 2021. |
Sensitive Information (IP) | |
| Subject | Email Subject | emailSubject | string | The subject of the email. | FWD: Confidential analysis | |
| Sender | Email Sender | emailSender | string | The address of the entity responsible for transmitting the message. In many cases, this is the same as From, but it can be different if the message is sent by a server or other mail agent on behalf of someone else. | first.last@example.com | |
| From | Email From | emailFrom | string | The display name of the sender, as it appears in the "From" field in the email. In many cases, this is the same as Sender, but it can be different if the message is sent by a server or other mail agent on behalf of someone else. | first.last@example.com | |
| Recipients | Email Recipients | emailRecipients | string | The email addresses of those who received the email. Includes the To, Cc, and Bcc recipients. | first.last@example.com | |
| Risk Indicators - Off hours | Outside Active Hours | outsideActiveHours | boolean | Indicates whether or not this event occurred outside of the user’s typical active hours using data modeling from the this user’s prior activity. | FALSE | |
| -- | Identified Extension MIME Type | mimeTypeByBytes | string | The MIME type of the file based on its contents. | text/plain | |
| -- | Current Extension MIME Type | mimeTypeByExtension | string | The MIME type of the file based on its extension. | text/x-sql | |
| -- | Suspicious File Type Mismatch | mimeTypeMismatch | boolean | Indicates whether or not the MIME type of the file based on its contents conflicts with the MIME type based on its extension. | FALSE | |
| Print Job Name | Print Job Name | printJobName | string | For print events, the name of the print job, as reported by the user’s device. | ipp://localhost/printers/DeskJet_4200_series | |
| Printer Name | Printer Name | printerName | string | For print events, the name of the printer the job was sent to. | Microsoft Word - Resume.doc | |
| -- | -- | printedFilesBackupPath | string | For print events, the path on disk where Code42 stores printer cache files. | /Sample/Path/d42001_6d45b6d4-a2cd-4c93-9986-29cf23916921/ zURJNo5.txt.octet-stream | |
| Remote Activity | Remote Activity | remoteActivity | string |
For endpoint events, compares the IP address of the file event to your defined list of addresses in the Data Preferences > IP addresses section of the Code42 console.
|
TRUE | |
| Trusted activity | Trust Reason | trustReason | string |
Explanation of why the event is trusted.
In the Code42 console user interface, the Trusted and Trust Reason values are combined in the Trusted activity field (for example: "True - Trusted browser URL"). |
Trusted browser URL | |
| Trusted activity | Trusted | trusted | boolean | Indicates whether or not the file activity occurred on your list of trusted domains. | FALSE | |
| Username (signed in to device) | Logged in Operating System User | operatingSystemUser | string | The username logged in to the device when the file activity was observed, as reported by the device’s operating system. | first.last | |
| Destination Category | Destination Category | destinationCategory | string | General category of where data was sent for a file exposure event. For example: Cloud Storage, Email, Social Media. | Cloud Storage | |
| Destination Name | Destination Name | destinationName | string | Specific target of where data was sent for a file exposure event. For example: Google Drive, Outlook, Slack. | Dropbox | |
| Risk score | Risk Score | riskScore | integer($int32) | The sum of the scores for all risk indicators associated with this event. Higher scores denote higher risk severity. | 8 | |
| Risk severity | Risk Severity | riskSeverity | string |
The file event's overall risk severity, based on the following scoring ranges:
|
Critical | |
| Risk indicators | Risk Indicator Names Risk Indicator Weights |
riskIndicators name weight
|
name: string weight: integer($int32) |
List of risk indicator names and scores for this event.
|
Code42 console user interface Off hours (+1), Google Drive upload (+5), Zip (+8)
CSV export
JSON "riskIndicators": [ { "name": "Google Drive upload", "name": "Zip", "weight": 8 } ] |
Comments
Please sign in to leave a comment.