To build a new alert rule, you add settings that identify the file activity that your organization has deemed the most risky, and then select options from those settings that best match what you want to monitor. You can mix and match settings as needed to build rules that best fit your organization's needs and environments.
Alert rule settings
Alert rule settings give you simple, criteria-based building blocks from which you can create a rule. These settings group similar options that define activity your organization has identified as having the most risk of loss. This flexibility helps you build powerful alerts that notify you about activity that needs investigation while filtering out normal, expected activity to reduce noise. The result is targeted, meaningful alerts that you can act on.
To view and select alert rule settings when building a rule:
- Select Alerts > Manage Rules.
- Click Create rule.
- Click a setting name to add that setting to your rule, select the options that match the activity you want to be alerted about, and click Save. The setting is added to the rule with the options you selected.
- Click Add setting to add another setting to the rule and select its options. You can mix and match settings as needed to target specific activity.
- Save your new rule:
  - When you finish adding settings, click Next to name the new rule, add a description, select its severity, and choose the users who should be notified when this rule detects activity.
  - Click Save to save your completed rule.
Filename or extension
Alerts you when activity is detected for files with specific filenames or extensions.
Enter the filenames (or filename components) you want to monitor and be alerted about. To monitor several different filenames and extensions, enter each on a separate line (to a maximum of 100 lines). Code42 alerts you when exfiltration activity involving a file that matches these criteria is detected.
You can use wildcards along with specific words or characters to define filename components:
- Use the * wildcard character to replace partial strings in the filename. For example, enter expenses* to monitor any filename beginning with "expenses," such as "expenses.xls," "expenses.doc," or "expenses to review.txt." You can also use the * wildcard to watch filenames ending in specific extensions. For example, enter *.cpp to monitor activity for any C++ file.
- Use the ? wildcard character to replace a single character in the filename. For example, enter Q? Financials 202?.xls to monitor filenames such as "Q3 Financials 2020.xls" or "Q1 Financials 2021.xls."
Code42 trims leading and trailing spaces from the filenames you enter. To monitor filenames that begin or end with a space, use the ? wildcard character in place of that space. For example, enter Roadmap?.* to monitor filenames such as "Roadmap␣.ppt" or "Roadmap␣.vsd." Likewise, enter ?Roadmap.doc to monitor files named "␣Roadmap.doc."
Matching is case-insensitive: Code42 does not evaluate capitalization in filenames or extensions, so only the characters themselves must match the criteria. Code42 does, however, display the filename or extension criteria exactly as you entered them (including capitalization) when you created the rule.
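As an added illustration (not Code42's code), the following Python implements the matching rules described above so you can check what an entry will match before you save it: * matches any run of characters (including none), ? matches exactly one character, entries are trimmed, and the comparison is case-insensitive and against the whole filename. The whole-name anchoring and the 100-entry limit follow from the text; everything else about Code42's matcher is an assumption, and the sample filenames are constructed.

```python
from __future__ import annotations
import re

MAX_ENTRIES = 100  # the documented limit of 100 lines per setting


def compile_entry(entry: str) -> re.Pattern:
    """Translate one Filename-or-extension entry into an anchored, case-insensitive regex.

    '*' matches any run of characters (including none) and '?' matches exactly one
    character; everything else is literal. Leading and trailing spaces are trimmed
    from the entry before translation, as the setting does.
    """
    parts = []
    for ch in entry.strip():
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def matches(entry: str, filename: str) -> bool:
    """True if the filename (not a path) satisfies the entry."""
    return compile_entry(entry).match(filename) is not None


def parse_entries(text: str) -> list[str]:
    """Split the setting's multi-line text into entries, enforcing the line limit."""
    entries = [line for line in text.splitlines() if line.strip()]
    if len(entries) > MAX_ENTRIES:
        raise ValueError(f"at most {MAX_ENTRIES} entries allowed, got {len(entries)}")
    return entries


def matching_entries(filename: str, entries: list[str]) -> list[str]:
    """Return the entries, exactly as typed, that match the filename."""
    return [entry for entry in entries if matches(entry, filename)]


if __name__ == "__main__":
    # Constructed examples mirroring the text above.
    setting_text = "expenses*\n*.cpp\nQ? Financials 202?.xls\nRoadmap?.*\n?Roadmap.doc\n*AE*\n"
    entries = parse_entries(setting_text)
    for name in ["EXPENSES.DOC", "my expenses.xls", "main.cpp", "Q3 Financials 2020.xls",
                 "Roadmap .ppt", "Roadmap.ppt", " Roadmap.doc", "michael_notes.txt"]:
        print(f"{name!r:28} -> {matching_entries(name, entries)}")
```

Note the last sample: because matching is case-insensitive, the short entry *AE* matches "michael_notes.txt". Run broad entries through a check like this against real filenames from your environment before relying on them.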
File categories
Similar to the Filename or extension setting, the File categories setting alerts you when exfiltration activity is detected for any file matching the categories you select. A key difference: selecting a category monitors all file types and extensions included in that category, including types that are not listed in the category's examples.
File categories are managed by Code42 and cannot be edited or updated. However, the examples listed for each file category are not exhaustive. Each category contains many more file types. Keep in mind that file extensions are not the only method Code42 uses to identify a file's category.
File extension mismatch
There are no criteria to select or enter for this rule setting. Select it when you want to be alerted about files with extensions that don't appear to match their contents.
This highlights files with extensions that do not match the file contents, particularly when a high-value file is given a low-value extension. Detection focuses on high-risk file mismatches that may indicate a file was renamed, downloaded, or shared with an unexpected extension. For example:
- A ZIP file with a JPG extension is considered a file mismatch.
- A TXT file with a DOC extension is not considered a file mismatch because these are both high-value file extensions.
- A PNG file with a JPG extension is not considered a file mismatch because these file types are closely related.
Code42 analyzes files for mismatches when it detects activity involving the file, such as when it is moved to removable media or cloud sync folders, read by a browser or app, or shared publicly via direct link or with specific users outside your trusted domains. Code42 does not actively scan or monitor files for mismatches outside of those actions.
Not all mismatches are considered risky. The following types of mismatches do not trigger alerts or get a file mismatch risk indicator:
- Files where Code42 cannot read the file header and determine the true file type. This occurs when the file's media type (formerly, mimeType) doesn't have magic number support.
- Files that have two high-value file extensions, such as a TXT file renamed to have a DOC extension.
- Files with closely related file types and file extensions. For example, the file’s contents indicate that it is a PNG file, but the file has a GIF extension.
- Mismatches generated by software applications to control which application opens the file. For example, Salesforce may change the extension of a CSV file so that it opens within that application.
- Files that generally don’t have extensions, such as application or system files.
To better highlight risky file events or possible exposure, only high-risk mismatches for files that were involved in exfiltration activity trigger the alert rule. However, you can find all known file mismatches in Forensic Search.
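The following Python sketch, added here and not Code42's detection logic, shows how a mismatch check of this shape works: recover the file's true type from its magic number, compare it with the extension, and then drop the mismatches the list above excludes (unknown true type, two high-value types, closely related types, no extension). The magic-number table, the set of high-value types, the related-type groups, and the treatment of printable ASCII as plain text are assumptions for the illustration; the sample file headers are constructed inline.

```python
from __future__ import annotations
import os
from dataclasses import dataclass

# Magic numbers used to recover a file's true type from its header.
# A small subset for illustration; assumed, not Code42's table.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"\xff\xd8\xff", "jpg"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "doc"),  # OLE2 compound document (legacy Office)
]

# Further assumptions for the illustration: alternate spellings of one extension,
# the "high-value" document types, and groups of closely related types that are
# not flagged against each other.
ALIASES = {"jpeg": "jpg", "tif": "tiff", "htm": "html"}
HIGH_VALUE = {"txt", "doc", "docx", "xls", "xlsx", "ppt", "pptx", "pdf", "csv"}
RELATED = [{"png", "jpg", "gif", "bmp", "tiff"}]


def detect_type(header: bytes) -> str | None:
    """Return the type implied by the header's magic number, or None if unknown."""
    for magic, kind in MAGIC:
        if header.startswith(magic):
            return kind
    # Plain text has no magic number; treating printable ASCII as "txt" is an
    # assumption made so the TXT-as-DOC case from the text can be shown.
    if header and all(32 <= b < 127 or b in (9, 10, 13) for b in header):
        return "txt"
    return None


@dataclass(frozen=True)
class Assessment:
    extension: str | None   # extension as named, lowercased and normalized
    detected: str | None    # type implied by the contents, if determinable
    mismatch: bool          # extension and contents disagree
    risky: bool             # a mismatch that would carry the risk indicator
    reason: str


def assess(filename: str, header: bytes) -> Assessment:
    """Apply the exclusions listed above: only unexcluded mismatches are risky.

    Application-driven renames (the Salesforce case) need knowledge of the
    writing application and are not modeled here.
    """
    ext = os.path.splitext(filename)[1].lstrip(".").lower() or None
    ext = ALIASES.get(ext, ext)
    detected = detect_type(header)
    if ext is None:
        return Assessment(ext, detected, False, False, "no extension (application or system file)")
    if detected is None:
        return Assessment(ext, detected, False, False, "true type unknown: no magic-number support")
    if detected == ext:
        return Assessment(ext, detected, False, False, "extension matches contents")
    if detected in HIGH_VALUE and ext in HIGH_VALUE:
        return Assessment(ext, detected, True, False, "both are high-value types")
    if any(detected in group and ext in group for group in RELATED):
        return Assessment(ext, detected, True, False, "closely related types")
    return Assessment(ext, detected, True, True, f"{detected} contents with .{ext} extension")


if __name__ == "__main__":
    # Constructed sample headers (the first bytes of each file), not real files.
    samples = {
        "photo.jpg": b"PK\x03\x04\x14\x00\x00\x00",            # ZIP renamed to JPG: risky
        "notes.doc": b"Hello, this is plain text\n",           # TXT as DOC: both high-value
        "image.jpg": b"\x89PNG\r\n\x1a\n\x00\x00\x00\rIHDR",  # PNG as JPG: closely related
        "blob.bin": b"\x00\x01\x02\xff\xfe",                   # unknown type: cannot assess
        "hostsfile": b"127.0.0.1 localhost\n",                 # no extension
        "vacation.png": b"%PDF-1.7\n",                         # PDF hidden as an image: risky
    }
    for name, header in samples.items():
        a = assess(name, header)
        print(f"{name:14} detected={a.detected!s:5} mismatch={a.mismatch!s:5} risky={a.risky!s:5} {a.reason}")
```

Only the last step marks a file risky, which is the point of the exclusion list: a mismatch is only interesting when the contents are worth more than the extension suggests and the two types are not interchangeable.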
File count and size
Alerts you when activity involves files that together exceed a cumulative file count or total size. Use these settings to reduce noise so that you are alerted only after activity reaches the threshold number or size of files you specify.
By default, Code42 monitors for any file activity that occurs, and alerts you when even one file of any size is involved in possible exfiltration activity.
Add this setting to a rule when you want to be notified about activity only when it exceeds the file count and size thresholds you specify. Leave it out of a rule when you want to be notified about any file activity that matches the other rule criteria.
Enter the thresholds to use when monitoring for file activity. If you enter thresholds in both options, select Or to be notified if either value is exceeded, or And to be notified only if both values are exceeded.
- File count greater than: The total number of files moved by a user.
- Total size greater than: The total aggregate size of files moved by a user, measured in bytes, kilobytes (KB), megabytes (MB), or gigabytes (GB).
After activity matching the rule to which you add this setting is first detected, Code42 alerts you when that activity exceeds these thresholds at any point within the next 15 minutes.
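To make the Or/And logic and the 15-minute window concrete, here is an added Python example (not Code42's implementation) that replays constructed file events per user and reports when the thresholds are exceeded. It assumes that a new window opens with the first event after a previous window has expired, which the page does not specify; the event data, user names and sizes are constructed for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta

KB, MB, GB = 1024, 1024 ** 2, 1024 ** 3
WINDOW = timedelta(minutes=15)  # the 15-minute evaluation window described above


@dataclass(frozen=True)
class FileEvent:
    when: datetime
    user: str
    size_bytes: int


@dataclass(frozen=True)
class Thresholds:
    count_greater_than: int | None = None   # "File count greater than"
    size_greater_than: int | None = None    # "Total size greater than", in bytes
    combine: str = "or"                     # "or": either value exceeded; "and": both exceeded

    def exceeded(self, count: int, size: int) -> bool:
        checks = []
        if self.count_greater_than is not None:
            checks.append(count > self.count_greater_than)
        if self.size_greater_than is not None:
            checks.append(size > self.size_greater_than)
        if not checks:
            return count >= 1  # no thresholds set: a single file of any size alerts
        return all(checks) if self.combine == "and" else any(checks)


def evaluate(events, thresholds: Thresholds) -> dict:
    """Return {user: [time of each alert]}.

    A window opens at a user's first matching event; events within 15 minutes of
    that opening accumulate into it and raise one alert when the thresholds are
    exceeded. Assumption: an event arriving after the window has expired opens a
    new window rather than being ignored.
    """
    alerts: dict = {}
    windows: dict = {}
    for ev in sorted(events, key=lambda e: e.when):
        w = windows.get(ev.user)
        if w is None or ev.when - w["start"] > WINDOW:
            w = {"start": ev.when, "count": 0, "size": 0, "alerted": False}
            windows[ev.user] = w
        w["count"] += 1
        w["size"] += ev.size_bytes
        if not w["alerted"] and thresholds.exceeded(w["count"], w["size"]):
            w["alerted"] = True
            alerts.setdefault(ev.user, []).append(ev.when)
    return alerts


# Constructed sample activity (assumed users and sizes):
#   alice moves twelve 50 KB files, one per minute, starting at 09:00
#   bob moves a single 2 GB file at 09:00
#   carol moves three 100 MB files twenty minutes apart
T0 = datetime(2024, 3, 1, 9, 0)
SAMPLE_EVENTS = (
    [FileEvent(T0 + timedelta(minutes=i), "alice", 50 * KB) for i in range(12)]
    + [FileEvent(T0, "bob", 2 * GB)]
    + [FileEvent(T0 + timedelta(minutes=20 * i), "carol", 100 * MB) for i in range(3)]
)

if __name__ == "__main__":
    for combine in ("or", "and"):
        rule = Thresholds(count_greater_than=10, size_greater_than=GB, combine=combine)
        print(combine.upper(), evaluate(SAMPLE_EVENTS, rule))
```

With Or, alice alerts on her eleventh file and bob on his single large file; carol never alerts because each of her files falls in its own window. With And, nobody alerts: alice exceeds the count but not the size, bob the size but not the count.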
Destination
Alerts you about possible exfiltration activity when users:
- Move files to removable media, such as a USB drive, memory card, or external hard drive
- Share files stored in your organization's cloud service environment publicly via a link or with users outside of your trusted domains
- Upload files to personal cloud storage folders, either through folders on their device that sync with cloud storage providers or via a web browser
- Upload file attachments to web-based email services
- Upload files to web-based source code management systems
- Share files using corporate messaging services or on social media platforms
The examples listed for each exfiltration destination are not exhaustive. Each category contains many more exfiltration types. Selecting an exfiltration destination monitors all file activity occurring in that destination, including destinations that are not listed in the examples.
Likewise, not all exfiltration types have been categorized into common destinations. To monitor file activity occurring in one of these destinations, select Include uncategorized browser and app read events at the bottom of the Destination table.
Usernames
Allows you to identify specific users to monitor (or to exclude from monitoring) with this rule. Select whether the rule should include or exclude the users you list, then enter their usernames in a comma-separated list.
For example, your company is involved in a legal proceeding against a former employee, and you want to be notified about any activity involving the brief that is not caused by a member of your legal team. The legal team generates sanctioned activity as they share the brief among themselves while conducting the investigation; you do not want to be notified about that legitimate activity, but you do want to be notified if anyone else in your organization accesses or moves the brief. In this situation, you would exclude the members of your legal team from being monitored by the rule. Code42 would then alert you about any activity involving users not on that list.
Example use cases
The following sections detail example use cases for alerts: common situations for which a rule could be created. Use them as starting points to help identify the activity that presents the most risk to your organization and to brainstorm the alert rules that could notify you when such activity occurs.
For additional ideas about how to use recommended rules to monitor for risky activity, see Recommended rules reference.
File uploads to Slack
Slack is a powerful tool that enhances employee collaboration and productivity while improving engagement. You can monitor Slack's channels by creating an alert rule that detects the movement of important business files while filtering out the image and video sharing that is an important part of your company culture.
- File categories
  - Source code
  - Virtual disk image
- Destination: Messaging > Slack
Customer data exposure
Every organization knows it's vital to secure customer data to preserve legitimacy, partner relationships, and business reputations. You can set up rules that notify you about possible exposure of your customer information so that you can secure this data before it becomes a costly breach.
For example, your company is consulting with Acme Enterprises on a large project, code-named "DarkTunnel." All of your business documents regarding this project either use this code name or the customer's name in their filenames to draw attention and separate them from other project files. So that everyone can access them, files are exchanged using your customer's Box cloud storage. You want to set up a rule to notify you when any file about DarkTunnel is moved to any location other than the approved Box destination.
- Filename or extension: Filename includes any of *DarkTunnel*, DarkTunnel*, *Acme*, Acme*, *AE*, AE*
- Destination: All options except Cloud storage > Box
Because * also matches an empty string, *DarkTunnel* already covers every name that DarkTunnel* would match, and because matching is case-insensitive, a short entry such as *AE* also matches unrelated filenames (any name containing "ae"). Check what a broad entry matches before relying on it.
Accidental iCloud uploads
Using their Apple ID, employees may be able to log into Apple iCloud on their devices to take advantage of its services, such as updating shared Notes, receiving personal iMessages, or syncing with family calendars. Unfortunately, in doing so it can be easy to start syncing professional files with personal iCloud storage without noticing. Set up an alert rule to detect this sort of accidental file syncing so that you can work with employees to resolve it.
- Destination: Cloud storage > iCloud
- File categories
  - Source code
  - Virtual disk image