Departing Employees reference

Last updated
Save as PDF
Share
1. Share
2. Tweet

Who is this article for?

CrashPlan for Small Business

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Overview

From Departing Employees, you can review the file activity of employees leaving your company, helping you to:

Quickly identify suspicious file movement
Review endpoint and cloud services activity
See file activity for the previous 90 days

This article describes the information and options in the Departing Employees list.

For instructions on how to add users to Departing Employees and investigate suspicious file activity, see Add departing employees.

Considerations

Add Trusted Domains in Data Preferences to filter out Read by browser or other app file events from domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added.
To work with departing employees, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for adding users to detection lists.
This functionality is available only if your product plan includes Risk Detection lenses. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

Departing Employees

To access the Departing Employees list:

Sign in to the Code42 console.
From the Departing Employees tile on the Risk Exposure dashboard, click any value, or go to Detection > Departing Employees.

Departing Employees list

The Departing Employees screen lists the users who have been added as departing employees.

List of departing employees

Item		Description
a	Alert Settings	Click to open the Alert Settings window, from which you can: Enable or disable all alerts for all departing employees. View details about the rules such as severity, who gets email notifications when the rule threshold is exceeded, as well as exposure type and thresholds for that rule. Click Manage Rule to go to the Alerts > Manage Rules tab and change the settings for the default Departing Employees alerts. From there, you can also update your custom alerts.
b	Add Departing Employee	Click to add a new user to the list of departing employees and start reviewing their file activity.
c	Total Departing Employees	Click to see a list of all departing employees. This option is selected by default.
d	Leaving Today	Click to see the employees that have a departure date of today.
e	Put Data at Risk in Last 24 Hours	Click to see the employees that had suspicious file activity in the past 24 hours.
f	Put Data at Risk in the Last 30 Days	Click to see the employees that had suspicious file activity in the past 30 days.
g	Employee	Displays the employee's name and Code42 username. Click their Code42 username to see their User Profile.
h	Department/Title	Displays the employee's department and their title if you use provisioning. (If you use User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the department and title attributes if you use Okta provisioning or PingOne provisioning.) If you don't use provisioning, this information does not appear and cannot be added manually.
i	Total File Events	Displays the number of file events in which a file was moved to removable media or cloud sync folders, read by a browser or other app, or had its cloud share permissions changed.
j	Total Size of Files	Lists the total size of the files included In the file event activity.
k	Departure Date	Lists the date entered for the employee's departure. If no date was entered, no value is listed.
l	User Profile Notes	Displays any additional information entered when the profile was created. If no notes were added, this field is blank. These notes are visible to your team members.
m	View profile	Opens the User Profile for the employee.
n	Remove employee	Removes the employee's profile from the Departing Employees list and from the view of your team members.
o	View event details	Click to view the employee's file events broken down by destination and file category group.
p	Rows per page	Select to display 10, 25, 50, or 100 employees per page.
q	Pagination	Click forward or backward to see pages of results.

User Profile

To view an employee's user profile, click the View profile icon View User Profile in the list of employees.

Employee information

Employee information on the profile of a departing employee

Item		Description
a	Departing Employee indicator	Indicates that this employee has been added to the Departing Employees list. Click to remove the employee from the Departing Employees list. This will remove the employee from the Departing Employees list for your team members as well.
b	Employee information	Displays a summary of the employee's information, including: Name Department* Title* Location* Manager* Employee's Code42 username Employee's cloud aliases (not shown in image) Departure Date (Departing Employees list only) Risk Factors (High Risk Employees list only) User Profile Notes (Departing Employees list and High Risk Employees list only) *Displays this information If your Code42 environment uses provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the attributes if you use Okta provisioning or PingOne provisioning.) If you don't use provisioning, this information does not appear and cannot be added manually. If user attributes are not populated correctly, see Updated user attributes not populating in risk detection lists.
c	Profile details	Information that was added to the employee's profile from the Departing Employees list or High Risk Employees list.
d	Edit	Click to edit employee information, including cloud aliases, the departure date, and notes.

Endpoint activity

Item		Description
a	Endpoint activity	Shows file activity that occurred on the endpoint by destination and by file category group. File activity includes when files are added to a cloud sync folder on the device, opened in a browser or other app, or moved to an external device.
b	Cloud sharing	Shows file activity that occurred in a cloud service where permissions were increased to make a file available via direct link or publicly available on the web.
c	Last (on User Profile only)	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
d	Cloud services	Shows the cloud services provider that the file was synced to. Click a summary bar of data to see the file activity broken down by file category group.
e	Browser or app	Click to see the number of file events that indicate files were uploaded to a browser or an app such as Slack, AirDrop, FTP client, or curl. File category groups appear on the left. The selected filter is highlighted in blue. Hover over a summary bar of data to see a preview of these files broken down by file category.
f	Removable media	Click to see the number of file events that indicate files were moved to removable media, such as a USB drive. File category groups appear on the left. The selected filter is highlighted in blue. Hover over a summary bar of data to see a preview of these files broken down by file category. Click View event details to see removable media devices broken down by vendor and bus type. Removable media vendor preview If vendor details do not appear in this view, you can still view them in Forensic Search. The removable media vendor is not available in this view for file events that occurred prior to August 12, 2020. For example, you may see vendor details when looking at the last 7 days of file events, but if you switch to 90 days and that view includes file events that occurred before August 12, 2020, those details will not be available in this view. Instead, click Investigate in Forensic Search to see those details.
g	By file category group	Shows the summary of file activity for the following file categories: Business Documents Documents PDF Presentations Spreadsheets Zip Files Common archive file formats including compressed files. Source Code Common source code formats. Multimedia Audio Image Video Other Executable Script Uncategorized (files that did not fit any category) Virtual Disk Image For more information about file categories, see Forensic Search file categories.
h	Forensic Search icon	Click to see the search results for these files in Forensic Search.
i	View event details	Click to view the employee's file events broken down by file category group.

Cloud sharing

Item		Description
a	Endpoint activity	Shows file activity that occurred on the endpoint such as when files are added to a cloud sync folder on the device, opened in a browser or other app, or moved to an external device
b	Cloud sharing	Shows file activity that occurred in a cloud service where permissions were increased to make a file available via direct link or made publicly available on the web. Shows file activity by cloud service and file category group. Note: To see cloud sharing activity, you must allow Code42 access to your cloud services.
c	Last	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe shown.
d	Cloud service	Shows the cloud service in which files were made publicly available or shared via direct link. Cloud services include Box, Google, or Microsoft OneDrive.
e	File category group	Shows the summary of file activity for the following file categories: Business Documents Documents PDF Presentations Spreadsheets Zip Files Common archive file formats including compressed files. Source Code Common source code formats. Multimedia Audio Image Video Other Executable Script Uncategorized (files that did not fit any category) Virtual Disk Image For more information about file categories, see Forensic Search file categories.
f	Forensic Search icon	Click to see the search results for these files in Forensic Search.
g	View event details	Click to view the employee's file events broken down by destination.

Endpoint activity over time

This section displays file activity on the user's device, which helps identify suspicious file activity and potential file exfiltration.

Item		Description
a	Last	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click to refresh the graph and show the latest data.
b	Activity type	Indicates the type of activity displayed in the graph.
c	Summary preview	Click a point on the graph to see a summary of that data point organized by file category group.
d	Risk indicators	Highlights file activity that has added risk. File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents, for example, a file with the .jpg extension that is actually a .zip file. Off hours - Indicates file activity that occurred outside the employee’s typical active hours. With File Metadata Collection enabled, Code42 captures file activity from an employee’s endpoint and uses that pattern of activity to highlight file activity that occurs during times a user is typically inactive (their off hours). The Off hours risk indicator: Is not based on a static or pre-populated schedule of “working” hours (for example, 9am-5pm). It is based on dynamic observation of file activity on each user’s endpoint. Does not measure keyboard and mouse activity or window focus. Does not track user “clock-ins” or “clock-outs” or otherwise measure or report on user productivity, focus, or attention. It takes several weeks of data to start identifying patterns, so the Off hours indicator does not appear right away for new users. Because employees aren’t active at the exact same times every day, Code42 continually adjusts what is considered “off hours activity” based on the observed file activity patterns each day. However, in some cases, if the user’s activity is too variable (for example, consistently changing from overnight activity to daytime activity on back-to-back weeks), we may not be able to observe a strong enough pattern of activity to determine typical active or off hours. In these cases, the Off hours risk indicator is not applied. Off Hours requires File Metadata Collection You must have File Metadata Collection enabled in order to see the Off Hours indicator. Off Hours appears only on the Endpoint File Activity graph While the File Mismatch indicator is shown on both the Endpoint File Activity and Cloud File Activity graphs for corresponding activity, the Off Hours indicator appears only on the Endpoint File Activity graph. Cloud services are not currently monitored for activity that occurs during off hours.
e	Forensic Search icon	Click to see the search results for these files in Forensic Search.
f	Graph	Provides a visual representation of file activity for the selected timeframe. Hover on a point in the graph to see a preview of the activity. Click a point on the graph to see the summary preview of that data point.
g	Show activity for	Select one of the following options to view the graph of that activity: On removable media: Shows a graph of file activity on removable media, such as a USB drive. Synced to cloud service: Shows a graph of activity where files were added to folders on a user's device that are typically used to sync to a cloud service. Read by browser or other app: Shows a graph of activity where files were opened by a browser or an app commonly used for uploading files, such as Slack, AirDrop, FTP client, or curl. Deleted files: Shows a graph of activity where files are added to the following locations: $Recycle.Bin, .local/share/Trash, and .Trash. Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).

Cloud sharing over time

This section displays file activity for files in cloud services. It shows when a file is made publicly accessible or shared via a direct link.

Item		Description
a	Last	Select last 90 Days, 30 Days, 7 Days, or 1 Day to update the timeframe on the graph. Click to refresh the graph and show the latest data.
b	Activity type	Indicates the type of activity displayed in the graph.
c	Summary preview	Click a point on the graph to see a summary of that data point organized by file category group.
d	Risk Indicators	Highlights file activity that has added risk. File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents, for example, a file with the .jpg extension that is actually a .zip file.
e	Forensic Search icon	Click to see the search results for these files in Forensic Search.
f	Graph	Provides a visual representation of file activity for the selected timeframe. Hover on a point in the graph to see a preview of the activity. Click a point on the graph to see the summary preview of that data point.
g	Show activity for	Select one of the following options to view the graph of that activity: Public on the web (Google Drive): Shows files in Google Drive that were made public. Public via direct link (Google Drive): Shows files that were shared from Google Drive with a direct link. Public via direct link (OneDrive): Shows files that were shared from OneDrive with a direct link. Public via direct link (Box): Shows files that were shared from Box with a direct link. Zip files: Shows a graph of activity for common archive file formats, including compressed files (.zip, .tar).