Departing Employees reference

Overview

From Departing Employees, you can review the file activity of employees leaving your company, helping you to:

Quickly identify suspicious file movement
Review endpoint and cloud services activity
See previous file activity

This article describes the information and options in the Departing Employees list.

For instructions on how to add users to Departing Employees and investigate suspicious file activity, see Add departing employees.

Considerations

Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings reduces noise by only showing untrusted file events in Incydr security event dashboards, user profiles, and alerts. All file activity is still visible in Forensic Search.
To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.
This functionality is available only if your product plan includes Risk Detection lenses. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan for a free trial. If you do not know your CSM, please contact our Customer Champions.

Departing Employees

To access the Departing Employees list:

Sign in to the Code42 console.
From the Departing Employees tile on the Risk Exposure dashboard, click any value, or go to User Activity > Departing Employees.

Departing Employees list

The Departing Employees screen lists the users who have been added as departing employees.

Departing employees list

Item		Description
a	Trust settings	Indicates trust settings are applied to this page, which filters your view to only show the riskiest activity. Click to learn more and to view your trust settings. Code42 excludes trusted file activity from appearing on dashboards, detection lists, user profiles, and alerts. Trusted activity is the file activity that occurs on your trusted domains and IP addresses as well as your approved cloud destinations.
b	Risk settings	Click to open Risk settings, from which you can set the score of each risk indicator. Scores are used to calculate the severity of each file event. For more information about Risk settings, see Risk settings reference. To edit risk settings, you must have the Customer Cloud Admin, Insider Risk Admin, or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings, but not make changes.
c	Alert settings	Click to open Alert Settings, from which you can: Enable or disable all alerts for all departing employees. View details about the rules, such as severity, who gets email notifications when the rule threshold is exceeded, as well as exposure type and thresholds for that rule. Click View rule to go to Manage Rules and change the settings for the default Departing Employees alerts. From there, you can also update your custom alerts.
d	Selected time frame	Shows the time frame the file activity occurred in. Click to change the time frame.
e	Add to list	Click to add a user to the Departing Employees list.
f	Quick filters	Click View users on any of the filters to only see employees in the list with file events of that severity or with that departure date. Click the "X" on a filter applied to the list to remove it.
g	User	Displays the employee's name, department and title, and the Departing Employee indicator. The employee's department and title are displayed if you use provisioning. (If you use User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the department and title attributes if you use Okta provisioning or PingOne provisioning.) If you don't use provisioning, this information does not appear and cannot be added manually.
h	Critical events	Displays file events with an overall risk score of 9+. Risk scores are defined for individual risk indicators in Risk settings. For each file event, the score of each applicable risk indicator is added up to an overall risk score. The overall risk score determines the severity of each file event. For more information about how risk scores are calculated and how risk scores applies to event severity, see Risk settings reference.
i	High events	Displays file events with an overall risk score of 7-8. Risk scores are defined for individual risk indicators in Risk settings. For each file event, the score of each applicable risk indicator is added up to an overall risk score. The overall risk score determines the severity of each file event. For more information about how risk scores are calculated and how risk scores applies to event severity, see Risk settings reference.
j	Moderate events	Displays file events with an overall risk score of 4-6. Risk scores are defined for individual risk indicators in Risk settings. For each file event, the score of each applicable risk indicator is added up to an overall risk score. The overall risk score determines the severity of each file event. For more information about how risk scores are calculated and how risk scores applies to event severity, see Risk settings reference.
k	Low events	Displays file events with an overall risk score of 1-3. Risk scores are defined for individual risk indicators in Risk settings. For each file event, the score of each applicable risk indicator is added up to an overall risk score. The overall risk score determines the severity of each file event. For more information about how risk scores are calculated and how risk scores applies to event severity, see Risk settings reference.
l	Departure date	Lists the date entered for the employee's last day. If no date was entered, no value is listed.
m	Destination indicators	Risk indicator based on where a file is moved or uploaded.
n	File indicators	Risk indicator based on the type of file, as determined by the file extension and file contents.
o	User indicators	Risk indicator based on user behavior automatically detected by Incydr and inclusion in high risk user groups, such as departing employees.
p	Notes	Displays any additional notes entered when the profile was created. If no notes were added, this field is blank. These notes are visible to your team members.
q	Filter	Click to filter the list by: Event severity Departure date Risk indicators Username Department (requires provisioning) High-risk user groups such as contract employees or flight risk. User groups are assigned when you add an employee to the High Risk Employees list.
r	Action menu	Click to select: View profile: Opens the employee's User Profile where you can view their past file events. View events in Forensic Search: Opens the employee's file events in Forensic Search where you can see greater detail about the file events. Remove user: Takes the employee off the list and removes them from any default alerts for the list. You can see any users file activity by searching for their User Profile.
s	View event details	Click to view the employee's file events by risk score and date observed as well as the filename and details of the files impacted by the events.

View details

From the list of users, click View details to see more information about a user's file activity.

Item		Description
a	Selected time frame	Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the Risk Exposure dashboard. Changing the time frame updates all the data you see on the Risk Exposure dashboard and User Profiles.
b	User	Displays a summary of the employee's information, including: Name Department* Title* Risk detection lists the employee has been added to Notes that have been added to the employee's profile *Displays this information if your Code42 environment uses provisioning. For more information, see Provision user attributes to Code42.
c	View profile	Opens the User Profile for the employee.
d	Notes	Click Add notes to add more details to the user's profile. If notes already exist, click Edit to modify existing notes.
e	Risk indicator events	Displays counts of each file event severity with associated risk indicators. For more information about risk indicators, see Risk settings reference.
f	Investigate in Forensic Search	Opens the events with risk indicators in Forensic Search. Learn more about using Forensic Search.
g	Filter	Click to show filters and then select risk indicator filters to filter the shown list of events. To remove a selected filter, click it again.
h	By risk score	Click to show file events by risk score in descending order.
i	By date observed	Click to show file events by the date the event occurred with latest events on top.
j	Filename/Details	Shows filename, risk indicators, risk score, and other details pertaining to the file event. If the filename is shown as a blue hyperlink, you can download the file from this location. If the filename is not a blue hyperlink, you may be able to download the file in Forensic Search. To view all file events, click Investigate in Forensic Search .

User Profile

To view an employee's user profile, in the list of employees, click the Action menu and select View profile.

Employee information

User information on the profile of a departing employee

Item		Description
a	Employee information	Displays a summary of the employee's information, including: Name Department* Title* Location* Manager* Employee's Code42 username Employee's cloud aliases Departure Date (Departing Employees list only) Risk Factors (High Risk Employees list only) User Profile Notes (Departing Employees list and High Risk Employees list only) *Displays this information if your Code42 environment uses provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. If you use Azure AD provisioning, the attributes are automatically populated. You must first add the attributes if you use Okta provisioning or PingOne provisioning. ) If you don't use provisioning, this information does not appear and cannot be added manually. If user attributes are not populated correctly, see Provision user attributes to Code42.
b	Departing Employee indicator and Add to list button	Shows that this employee has been added to the Departing Employees list. Click to jump to the Departing Employees list. Click the "x" on the indicator to remove the employee from the Departing Employees list and from any default alerts for the Departing Employees list. Click Add to list to add this employee to the High Risk Employees list.
c	Profile details	Information such as high risk user groups or departure date that were added to the user's profile as well as their manager (from provisioning), username, and cloud aliases.
d	Notes	Information added to the user profile when the profile was created.
e	Edit	Click to edit employee information, including cloud aliases, departure date, and notes.

Destination activity over time

Destinations are dynamic
The list of destinations shown is dynamic. Only destinations with file activity are shown.

For example, if there is no Box file activity in the selected timeframe, or if you have not given Code42 access to your Box environment for monitoring, the Box corporate data connector is not listed.

Item		Description
a	Selected time frame	Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page.
b	Selected destination	Lists the destination you are viewing.
c	Choose destination	Select a destination to see where the file was sent. Destinations include: AirDrop: Files were sent to a device via AirDrop. The destination category for AirDrop events is listed as "Device" in the Exposure section of Forensic Search. Cloud destinations: The file exists in a folder on the user's device that is used for syncing with a cloud service. Cloud folder sync activity includes activity for: Apple iCloud Box Box Drive Dropbox Google Backup and Sync Google Drive Microsoft OneDrive Cloud data connectors: The file was shared from your corporate cloud storage with either a direct share or with a public link. Cloud sharing activity includes shares from your corporate Box, Google Drive, and OneDrive and details how the file was shared (for example, public link from corporate Box). You must connect at least one cloud storage environment to Code42 to see cloud destination file activity. Email services: The file was uploaded from an endpoint to email provider via a web browser. Email data connectors: The file was sent from one of the following corporate email services: Gmail Microsoft Office 365 Messaging services: The file was sent via a messaging service. Removable media: The file was moved to an external device such as a USB drive or hard drive. Click View event details to see file activity broken out by removable media device vendor. Social media: The file was uploaded to social media. This does not necessarily mean it's posted publicly. For example, the file could have been sent in a direct message on LinkedIn. Source code repository: The file was uploaded to a location typically used for storing code files. Other: File activity where the destination does not match any of the above destinations, or in the following special cases: Files were opened in an app that is commonly used for uploading files such as FTP client or curl. We cannot determine the destination. On Macs, this may indicate Code42 does not have the required permissions to collect the destination details. Multiple possibilities appears if the user accessed more than one tab while uploads were in progress. Review the Active tab titles and URLs to identify all possible destinations. Other destination The Other destination does not show the Events bar graph and is shown at the bottom of the list of destinations regardless of sort order.
d	Events	Number of file events associated with the destination for the selected timeframe.
e	Size	Total size of files involved with the file activity.
f	Activity preview	Shows a visual representation of file activity for the selected timeframe.
g	Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
h	View event details	Click to view the file events broken down by file category group.

File categories

Item		Description
a	Endpoint activity	Shows file activity that occurred on your employee's devices.
b	Cloud sharing	Shows files shared from your corporate cloud storage with either a direct share or a public link.
c	File category group	Shows the summary of file activity for the following file categories: Business Documents Documents PDF Presentations Spreadsheets Zip Files Common archive file formats including compressed files. Source Code Common source code formats. Multimedia Audio Image Video Other Executable Script Uncategorized (files that did not fit any category) Virtual Disk Image For more information about file categories, see Incydr file categories.
d	Events	Displays the count of total file events for a file category group and a visual representation of the number of file events. File events include when files are: Moved to removable media or cloud sync folders Uploaded via a browser or other app Shared publicly or directly from your corporate cloud storage* Sent from your corporate email provider* *Requires Code42 have access to monitor your cloud storage environment and email services. The default sort order is from the highest number of events to the lowest.
e	Size	Displays the total file size of file events for a file category group.
f	Activity preview	Shows a visual representation of file activity for the selected time frame.
g	Selected time frame	Shows the time frame the file activity occurred in. Change the time frame in the upper-right corner of the page.
h	Forensic Search	Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
i	View details	Click to view the details of file events for a file category group.