Who is this article for?
Code42 for Enterprise, yes.
CrashPlan for Small Business, no.
This article applies to Code42 cloud environments.
Other available versions:
Code42 Alerts let you know when important data may be leaving your company. You can also use Alerts to view or update the different alert rules you have in your Code42 environment that trigger these notifications.
This article is a reference guide with detailed descriptions of each item in Code42's Alerts. For information on creating and configuring security alerts, see Create and manage alerts.
- To work with alerts, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for adding users to detection lists.
If you have the Code42 Diamond product plan, you must be licensed for at least one cloud service to see cloud-related file activity.
File events for Forensic Search and Alerts appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.
Alert notifications appear on the Review Alerts tab when thresholds defined in alert rules are exceeded.
Code42 automatically filters Read by browser or other app file events to alert you only about activity that occurs outside the domains you trust. While Code42 still records this activity (and you can view it in Forensic Search), you will not be notified by either the Exposure on an endpoint or Suspicious file mismatch alert rules when these file events occur on domains you trust. Go to Settings > Data Preferences to update trusted domains settings as needed.
To view alert notifications:
- Sign in to the Code42 console.
- Select Alerts > Review Alerts.
|a||Create rule||Creates a new rule to alert you when important data may be leaving your company.|
Displays all of your alerts for the selected filters.
|c||Manage Rules||Displays all of the security alert rules that have been created. For more information, see Manage Rules below.|
Filters your view of alerts by the following:
The alert filters are based on options you selected or entered when creating the rule for the alert.
Search operator options vary based on search type.
Defines the criteria for the search.
For multi-value searches (Is either or Is neither), enter each value on a separate line. Do not enter a comma-separated list.
Wildcards are not supported.
|g||Remove filter||Removes this filter.|
|h||Add filter||Adds another filter. Results only return events that match all filters.|
Selects all alerts and presents an action button (Dismiss alerts or Reopen alerts). Click the button to perform that action on all selected alerts at once.
You cannot add notes when you dismiss or reopen multiple alerts at once.
|j||Column sort||Click the column header to sort results by this column in ascending or descending order.|
|k||Dismiss or Reopen alert||
Opens a menu to dismiss or reopen the current alert. You can also choose to add a note to the alert before you dismiss or reopen it.
|l||View detail||Click to view alert details for this notification. Includes file event information, file count and size, and file categories involved in the event.|
|m||Default alert indicator||Identifies default alerts from the Departing Employees list or High Risk Employees list.|
For any alert listed on Review Alerts, click View details to see more information about the alert notification.
Alert details vary depending on the type of activity that triggered the alert. Specific alerts may display different details than those shown in the example below.
|a||Alert name||The name of the rule that was entered when the rule was created. If the rule is a default alert from the Departing Employees list or High Risk Employees list, the default alert indicator appears above in the title bar to identify it as such.|
|b||Severity||The severity of the rule that was selected when the rule was created.|
The description of the rule that was entered when the rule was created.
Any notes that have been entered for the alert.
|e||Username or Actor||
The Code42 username or the cloud alias associated with the file events that triggered the alert.
For Exposure on an endpoint alerts, lists the public IP address involved in the file activity. If the IP address is not collected, this row does not appear.
Remote activity highlights file activity by IP addresses that are not listed as an in-network IP address in Administration > Settings > Data Preferences.
Permission Changed To*
Suspicious File Mismatch*
*Not shown in image
The type of exposure that triggered the alert.
Exposure on an endpoint
Exposure Type lists the type of file activity on an endpoint that triggered the alert. This kind of activity also appears on the Endpoint File Activity dashboard.
Cloud share permission changes (not shown in image above)
Permission Changed To indicates the change by which a file stored in a cloud service becomes publicly accessible. This kind of activity also appears on the Cloud File Activity dashboard.
Not available in the Code42 federal environment
The cloud share permission changes rule type is not available in the Code42 federal environment
Suspicious file mismatch (not shown in image above)
Suspicious File Mismatch indicates the file's contents and its extension don't match. For example, the file's contents indicate that it is a PDF, but it has been renamed to have a JPG extension.
|h||Time Range of Events||
Displays the time period in which the file activity occurred.
* Not shown in image
For Cloud share permission changes alerts, Shared with identifies the domains (such as "example.com") and email addresses (such as "email@example.com") the file has been shared with that are outside of the domains you trust.
Microsoft OneDrive does not provide email addresses to Code42. Therefore, email addresses that are outside of the domains you trust cannot be listed here for files shared in OneDrive.
Only the first 10 email addresses are listed. Investigate in Forensic Search to view other email addresses the file has been shared with that are outside trusted domains.
|i||Number of Files||The total number of files impacted by the suspected exposure.|
|j||Total File Size||The combined file size for the files impacted by the suspected exposure.|
|k||File Categories||The file categories of the files identified by this alert (for example: Spreadsheet, Zip files).|
The filename and path of the file that generated the alert.
Only the first 10 files are listed. Investigate in Forensic Search to view any other files that generated the alert.
|m||Dismiss Alert or Reopen Alert||
For an open alert, click to remove this individual alert notification from the list of open alerts. This dismisses the notification for any teammates.
For an alert that has been dismissed, click to reopen this individual alert notification and return it to the list of open alerts.
|n||Investigate in Forensic Search||Click to see these files in Forensic Search.|
Use the Manage Rules tab to view, edit, duplicate, and delete existing alert rules that trigger alert notifications.
To add or edit alert rules:
- Sign in to the Code42 console.
- Select Alerts > Manage Rules.
|a||Create Rule||Creates a new rule that you can use to alert you when important data may be leaving your company.|
Displays all of your alerts for the selected filters. For more information, see Review Alerts above.
|c||Manage Rules||Displays all of the alert rules you have created.|
|d||Rule Name||Name entered for the rule when it was created.|
|e||Severity||Severity of the alert that was selected when the rule was created.|
|f||Created||Date the rule was created.|
|g||Last Modified||Date the rule was last changed.|
Click to enable or disable rules.
|i||Column sort||Hover over any column header to see the sort option. Click the up arrow to sort results by this column in ascending order. Click the down arrow to sort in descending order.|
|j||Edit||Click to edit an alert rule. For information on the values you can change, see Create and manage alerts.|
|k||Actions||Click to make a copy of an existing rule or to delete a rule.|
|l||Departing Employees or High Risk Employees badge||Indicates a rule created by default when employees are added to the Departing Employees list or the High Risk Employees list.|
|m||Locked setting||Indicates that you cannot enable or disable this alert here. This rule is for the Departing Employees list and can be enabled or disabled from Detection > Departing Employees > Alert Settings.|
|n||Rules per page||Select to display 5, 10, 25 rules per page.|
|o||Pagination||Click the right and left arrows to scroll through pages of rules.|
Rule details and criteria
For any alert rule listed on Manage Rules, click Edit to view details about that rule. You can then change the rule name, description, or severity and edit the rule's criteria.
Rule details vary depending on the rule type. Specific rules may display different details than those shown in the example below.
|a||Rule type||The rule type selected when the rule was created. Default alerts from the Departing Employees list or High Risk Employees list are labeled as such.|
|b||Rule name, description, and severity||The name, description, and severity selected when the rule was created.|
Click to open the Actions menu where you can:
The criteria selected for the rule when the rule was created. The criteria varies depending on the rule type.
|e||Edit||Click to edit the criteria used for the rule.|