Alerts reference

Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

Other available versions: On-premises

Overview

Code42 Alerts let you know when important data may be leaving your company. You can also use Alerts to view or update the different alert rules you have in your Code42 environment that trigger these notifications.

This article is a reference guide with detailed descriptions of each item in Code42's Alerts. For information on creating and configuring security alerts, see Create and manage alerts.

Considerations

  • To work with alerts, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for investigating suspicious file activity.
  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.
  • You must connect at least one cloud service to Code42 to see cloud-related file activity.

Differences in file event counts
File events for Forensic Search and Alerts appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Review Alerts

Alert notifications appear on the Review Alerts tab when thresholds defined in alert rules are exceeded. 

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you will not be notified by alert rules when file events occur on domains you trust. Go to Settings > Data Preferences to update trusted domains settings as needed. 

To view alert notifications:

  1. Sign in to the Code42 console.
  2. Select Alerts > Review Alerts.

Review Alerts tab of Alerts (screenshot)

a. Create rule: Creates a new rule to alert you when important data may be leaving your company.
b. Review Alerts: Displays all of your alerts for the selected filters.
c. Manage Rules: Displays all of the security alert rules that have been created. For more information, see Manage Rules below.
d. Filter: Filters the Review Alerts list by the criteria you select. For more information, see Filter alerts below.
e. Filtered by: The filters that are currently applied to the Review Alerts list. Click the X to remove that filter. Remove all filters to view all alerts.
f. Select all: Selects all alerts and presents an action button (Dismiss alerts or Reopen alerts). Click the button to perform that action on all selected alerts at once. You cannot add notes when you use select all.
g. Column sort: Click the column header to sort results by this column in ascending or descending order.
h. Dismiss or Reopen alert: Opens a menu to dismiss or reopen the current alert. You can also choose to add a note to the alert before you dismiss or reopen it.
  • Select Dismiss or Dismiss with note to remove this individual alert from the list of open alerts. This also dismisses the notification for any teammates. To stop all alerts for this specific activity, click Manage Rules and disable the alert rule.
  • Select Reopen or Reopen with note to add this alert back to the list of open alerts on the Review Alerts tab.
i. View detail: Click to view alert details for this notification. Includes file event information, file count and size, and file categories involved in the event.
j. Default alert indicator: Identifies default alerts from the Departing Employees list or High Risk Employees list.

Filter alerts

To filter the alerts listed on Review Alerts, click Filter and select the criteria to use. When you click Apply, alerts that match all filters appear in the list.

Any filters that are applied are shown above the Review Alerts list. Click the X on a filter to remove that filter. 

Alert notification filters (screenshot)

a. Status: Filters the list by status:
  • Open: Alerts that have not yet been investigated.
  • In progress: Alerts for which an investigation is underway.
  • Pending response: Alerts for which a response is forthcoming.
  • Dismissed: Alerts that have been closed.
  • Any: Alerts with any of these statuses.
b. Date range: Filters the list by the selected date range: alerts triggered in the last 24 hours, 7 days, or 30 days, or select Custom and enter the start and end dates to use. You can also select All dates to view all alerts that have been triggered.
c. Severity: Filters the list by severity: High, Medium, Low, or alerts with any severity.
d. Username or actor: Filters the list to show only file events associated with a specific Code42 username or cloud alias (actor).
e. Rule name: Filters the list to show only alerts associated with a specific rule name.
f. Rule type: Filters the list to show only alerts associated with the selected rule type (Exposure on an endpoint, Cloud share permission changes, or Suspicious file mismatch). You can also view alerts associated with any of these rule types.
g. Cancel / Apply: Click Apply to apply the selected filter criteria to the list and display only the alerts that match those criteria. To return to the list without applying any filters, click Cancel.

Alert details

For any alert listed on Review Alerts, click View details to see more information about the alert notification.

Alert details vary depending on the type of activity that triggered the alert. Specific alerts may display different details than those shown in the example below.

Alert details for the notification (screenshot)

a. Rule name: The name of the rule that was entered when the rule was created. If the rule is a default alert from the Departing Employees list or High Risk Employees list, the default alert indicator identifies it as such. Click the link to edit the rule that triggered this alert notification.
b. Severity: The severity of the rule that was selected when the rule was created.
c. Description: The description of the rule that was entered when the rule was created.
d. Status: The status of the alert: Open, In progress, Pending response, or Dismissed. Statuses provide more context about what's happening with an alert or record specific stages of an investigation into a notification. Code42 automatically saves and displays the username of the last person to update the alert's status, along with the date and time the status was changed.
e. Notes: Any notes that have been entered for the alert.
  • Click Add note to add a note to the alert, then enter the note and click Save.
  • To edit an existing note, click Edit, then update the note and click Save. You can also delete a note entirely by deleting the note's text and clicking Save. Code42 automatically saves and displays the username of the last person to edit the note, along with the date and time it was edited.
  • The Notes panel displays only a few lines of the note by default. To view long notes, click Expand note. Click Collapse note when you finish to display the rest of the alert details.
f. Username or Actor: The Code42 username or the cloud alias associated with the file events that triggered the alert. The View profile link appears when either:
  • A Code42 username is associated with the event
  • The actor's cloud alias is associated with a Code42 username in the User Profile
  Click the link to view the User Profile for that user. This link appears only when allowed by your Code42 product plan and role permissions.
g. IP Address: For Exposure on an endpoint alerts, lists the public IP address involved in the file activity. If the IP address is not collected, this row does not appear. Remote activity highlights file activity by IP addresses that are not listed as an in-network IP address in Administration > Settings > Data Preferences.
h. Exposure Type, Permission Changed To, or Suspicious File Mismatch (only Exposure Type is shown in the image): The type of exposure that triggered the alert. Which row appears depends on the rule type:

Exposure on an endpoint

Exposure Type lists the type of file activity on an endpoint that triggered the alert. This kind of activity also appears on the Endpoint File Activity dashboard.

  • Read by browser or other app: Files are uploaded by a browser or an app, such as Slack, AirDrop, an FTP client, or curl.
  • Activity on removable media: Data is moved to removable media, such as a USB drive.
  • Moved to cloud sync folders: File activity in common cloud sync folders on a user's device exceeds the File size and count thresholds that were selected when the rule was created. When available, the username signed in to the cloud sync application is also listed.

Cloud share permission changes (not shown in image above)

Permission Changed To indicates the change by which a file stored in a cloud service becomes publicly accessible. This kind of activity also appears on the Cloud File Activity dashboard.

  • Public on the web (Google Drive only): The file is available on public search engines and accessible to the entire internet. Users do not need to be signed in to a cloud services account to see the file. The method used to share the file appears in Google Drive as "Public on the Web."
  • Public via direct link: The file is not listed in public search engines, but is available to anyone who accesses the link. Users do not need to be signed in to a cloud services account to see the file. The method used to share the file appears within the cloud service as follows:
    • Microsoft OneDrive: "Anyone with the link"
    • Google Drive: "Anyone with the link"
    • Box: "People with the link"
  • Shared outside trusted domain: The file has been shared outside of the domains you trust, listed in Administration > Settings > Data Preferences. The domains and email addresses with which the file was shared are listed under Shared with.

Not available in the Code42 federal environment
The cloud share permission changes rule type is not available in the Code42 federal environment.

Suspicious file mismatch (not shown in image above)

Suspicious File Mismatch indicates the file's contents and its extension don't match. For example, the file's contents indicate that it is a ZIP file, but it has been renamed to have a JPG extension.

  • Files are only analyzed for mismatches when they are moved to removable media or cloud sync folders, read by a browser or app, made publicly accessible in cloud services, or shared outside of the domains you trust. Code42 does not actively scan files for mismatches; files are only analyzed when activity involving that file is detected.
  • To better highlight risky file events or possible exposure, only mismatches involving high-value files trigger the alert rule. However, you can find all known file mismatches in Forensic Search.
  • Not all mismatches trigger an alert:
    • Mismatches between closely related file types and file extensions do not trigger the alert. For example, the file's contents indicate that it is a PNG file, but the file has a GIF extension.
    • Mismatches generated by software applications to control which application opens the file do not trigger an alert. For example, Salesforce may change the extension of a CSV file so that it opens within that application.
    • Mismatches in files whose header Code42 cannot read to determine the true file type do not trigger an alert. This occurs when the file's media type (formerly, mimeType) doesn't have magic number support.
    • Files that generally don't have extensions, such as application or system files, do not trigger an alert.
i. Time Range of Events: Displays the time period in which the file activity occurred.
  • The time frame starts when the file activity begins.
  • An alert is sent five minutes after the threshold is exceeded. This five-minute delay reduces alert "noise," since users can move a lot of data in a few quick clicks. For example, you choose a time window of 1 hour when you set up the alert rule. An employee starts moving files at 10:42 a.m. and exceeds the threshold at 10:55 a.m. An alert is sent to you five minutes later at 11:00 a.m. with combined totals for everything that was moved between 10:42 a.m. and 11:00 a.m.
Shared with (not shown in image): For Cloud share permission changes alerts, Shared with identifies the domains (such as "example.com") and email addresses (such as "first.lastname@example.com") the file has been shared with that are outside of the domains you trust. Microsoft OneDrive does not provide email addresses to Code42; therefore, email addresses that are outside of the domains you trust cannot be listed here for files shared in OneDrive. Only the first 10 email addresses are listed. Investigate in Forensic Search to view other email addresses the file has been shared with that are outside trusted domains.
j. Number of Files: The total number of files impacted by the suspected exposure.
k. Total File Size: The combined file size for the files impacted by the suspected exposure.
l. File Categories: The file categories of the files identified by this alert (for example: Spreadsheet, Zip files).
m. Browser or app details: Only available for Exposure on an endpoint or Suspicious file mismatch alerts. Lists the destination category, application name, and tab name and URL to which the file was uploaded (when available) for "Read by browser or other app" events. Only the first 10 destination categories, app names, tab names and URLs are listed. Investigate in Forensic Search to view any other browser activity that generated the alert.
n. File events: The filename and path of the file that generated the alert. Only the first 10 files are listed. Investigate in Forensic Search to view any other files that generated the alert.
o. Dismiss Alert or Reopen Alert: For an open alert, click to remove this individual alert notification from the list of open alerts. This dismisses the notification for any teammates. For an alert that has been dismissed, click to reopen this individual alert notification and return it to the list of open alerts.
p. Investigate in Forensic Search: Click to see these files in Forensic Search.
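The alert timing described under item i (Time Range of Events), as an added Python example that is not Code42's code: a rule with a 1-hour window and a file-count threshold of 10, constructed events that start at 10:42, and the alert scheduled five minutes after the threshold is exceeded with combined totals for everything moved up to that moment. Treating the window as opening at the first event, and the per-event sizes, are assumptions.

```python
"""Added example (not Code42's code): simulates the alert timing this page
describes. Event data and the rolling-window semantics are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta

ALERT_DELAY = timedelta(minutes=5)  # the five-minute delay the page describes


@dataclass(frozen=True)
class FileEvent:
    at: datetime
    size_bytes: int


def evaluate_rule(events, window: timedelta, file_threshold: int):
    """Return (window_start, alert_time, files, total_bytes), or None if the
    rule's file-count threshold is never exceeded inside one time window."""
    events = sorted(events, key=lambda e: e.at)
    for i, first in enumerate(events):
        in_window = [e for e in events[i:] if e.at - first.at <= window]
        if len(in_window) <= file_threshold:  # "exceeded" means strictly more
            continue
        crossed_at = in_window[file_threshold].at  # the event that tips it over
        alert_at = crossed_at + ALERT_DELAY
        # Combined totals cover everything moved from the first event up to
        # the moment the alert is sent, not only the threshold-crossing events.
        included = [e for e in events if first.at <= e.at <= alert_at]
        return first.at, alert_at, len(included), sum(e.size_bytes for e in included)
    return None


def sample_events():
    """Constructed activity matching the page's walkthrough: files start
    moving at 10:42, the 11th file lands at 10:55, and more follow."""
    minutes = [42, 43, 45, 47, 48, 50, 51, 52, 53, 54, 55, 58, 60, 63]
    base = datetime(2024, 1, 15, 10, 0)  # constructed date
    return [FileEvent(base + timedelta(minutes=m), 2048) for m in minutes]


def demo(window_minutes: int = 60, threshold: int = 10):
    """Run the sample through a rule; returns clock strings for easy checking."""
    result = evaluate_rule(sample_events(), timedelta(minutes=window_minutes), threshold)
    if result is None:
        return None
    start, alert_at, files, total = result
    return start.strftime("%H:%M"), alert_at.strftime("%H:%M"), files, total


if __name__ == "__main__":
    print(demo())  # ('10:42', '11:00', 13, 26624)
```

The 13-file, 26624-byte total includes the two files moved after the threshold was crossed but before 11:00, which is why the notification's counts can exceed the threshold itself.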
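The exclusions listed under Suspicious file mismatch (item h), as an added Python example that is not Code42's code: a check that compares a file's magic number with its extension and applies the page's rules for no extension, unreadable type, closely related types, and high-value files. The signature table, the "related types" pairing, and the high_value flag are constructed assumptions; the application-driven renames (the Salesforce CSV case) are not modeled.

```python
"""Added example (not Code42's code): file-content vs. extension mismatch
check applying the exclusions this page lists. Signatures are a constructed
subset; the related-types table generalizes the page's PNG/GIF example."""
from pathlib import PurePath

# Magic-number prefixes for a handful of common types (constructed subset).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\xff\xd8\xff": "jpg",
    b"PK\x03\x04": "zip",
    b"%PDF-": "pdf",
}
# Extensions that name the same detected type.
ALIASES = {"jpeg": "jpg", "jpe": "jpg"}
# Closely related types whose mismatch does not trigger (page's PNG/GIF case).
RELATED = {frozenset({"png", "gif"})}


def detect_type(header: bytes):
    """Return the type named by the file's magic number, or None when the
    header is unreadable or the type has no magic-number support."""
    for magic, kind in SIGNATURES.items():
        if header.startswith(magic):
            return kind
    return None


def classify(filename: str, header: bytes, high_value: bool) -> str:
    """Return one of: no_extension, unknown_type, match, related, low_value, alert.
    Only 'alert' corresponds to the rule firing; 'low_value' mismatches are
    still recorded (the page says they remain visible in Forensic Search)."""
    ext = PurePath(filename).suffix.lstrip(".").lower()
    if not ext:
        return "no_extension"  # application/system files without extensions
    ext = ALIASES.get(ext, ext)
    actual = detect_type(header)
    if actual is None:
        return "unknown_type"  # header unreadable: never alerts
    if actual == ext:
        return "match"
    if frozenset({actual, ext}) in RELATED:
        return "related"  # closely related types: no alert
    if not high_value:
        return "low_value"  # mismatch recorded, but the rule does not fire
    return "alert"
```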

Manage Rules

Use the Manage Rules tab to view, edit, duplicate, and delete existing alert rules that trigger alert notifications.

To add or edit alert rules:

  1. Sign in to the Code42 console.
  2. Select Alerts > Manage Rules.

Manage Rules tab of Alerts (screenshot)

a. Create Rule: Creates a new rule that you can use to alert you when important data may be leaving your company.
b. Review Alerts: Displays all of your alerts for the selected filters. For more information, see Review Alerts above.
c. Manage Rules: Displays all of the alert rules you have created.
d. Rule Name: Name entered for the rule when it was created.
e. Severity: Severity of the alert that was selected when the rule was created.
f. Created: Date the rule was created.
g. Last Modified: Date the rule was last changed.
h. Enable: Click to enable or disable rules.
  • Enable: Allows the rule to notify you of potential file exfiltration based on its settings.
  • Disable: Stops the alert from firing for all users that were added to the rule. The alert will no longer generate new notifications on the Review Alerts tab.
i. Column sort: Hover over any column header to see the sort option. Click the up arrow to sort results by this column in ascending order. Click the down arrow to sort in descending order.
j. Edit: Click to edit an alert rule. For information on the values you can change, see Create and manage alerts.
k. Actions: Click to make a copy of an existing rule or to delete a rule.
l. Departing Employees or High Risk Employees badge: Indicates a rule created by default when employees are added to the Departing Employees list or the High Risk Employees list.
m. Locked setting: Indicates that you cannot enable or disable this alert here. This rule is for the Departing Employees list and can be enabled or disabled from Detection > Departing Employees > Alert Settings.
n. Rules per page: Select to display 5, 10, or 25 rules per page.
o. Pagination: Click the right and left arrows to scroll through pages of rules.

Rule details and criteria

For any alert rule listed on Manage Rules, click Edit to view details about that rule. You can then change the rule name, description, or severity and edit the rule's criteria.

Rule details vary depending on the rule type. Specific rules may display different details than those shown in the example below.

Rule details and criteria (screenshot)

a. Rule type: The rule type selected when the rule was created. Default alerts from the Departing Employees list or High Risk Employees list are labeled as such.
b. Rule name, description, and severity: The name, description, and severity selected when the rule was created. Rule names must be unique.
c. Actions: Click to open the Actions menu where you can:
  • Edit the rule's name, description, and severity
  • Make a copy of the rule
  • Delete the rule
d. Criteria: The criteria selected for the rule when the rule was created. The criteria vary depending on the rule type.
e. Edit: Click to edit the criteria used for the rule.