Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

High Risk Employees reference

Overview

From the High Risk Employees list, you can quickly detect and respond to insider risks, helping you to:

  • Be alerted when suspicious file activity occurs from high-risk employees
  • Watch the file activity of employees with known risk factors
  • Review an employee's file activity from the previous 90 days

This article describes the information and options in the High Risk Employees list.

For instructions about how to add users to the High Risk Employees list and investigate suspicious file activity, see Add high risk employees.

Considerations

  • Add Trusted Domains in Data Preferences to hide file events that occur on domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added. You can view all file activity, including events that occur on your trusted domains, in Forensic Search.

  • This functionality is available only if your product plan includes Risk Detection lenses. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

High Risk Employees

To open the High Risk Employees list:

  1. Sign in to the Code42 console.
    The Risk Exposure dashboard opens.
  2. Click the High Risk Employees tile on the Risk Exposure dashboard, or go to User Activity > High Risk Employees. 

High Risk Employees list

The High Risk Employees screen lists the users whose activity shows a high risk of file exfiltration or loss to your organization. 

List of high risk employees

Item Description
a Alert settings

Click to open the Alert Settings window, from which you can:

  • Enable or disable all alerts for all high-risk employees.
  • View details about the rules such as severity, recipients of email notifications when the rule threshold is exceeded, and exposure type and thresholds for that rule. 
  • Click Manage rule to go to Alerts > Manage Rules tab and change the settings for the default High Risk Employees alerts. From there, you can also update your custom alerts.
b Add high risk employee Click to add a new user to the list of high-risk employees and start reviewing their file activity.  
c Total high risk employees  Click View users to see a list of all high-risk employees. This option is selected by default.
d Put data at risk in last 24 hours Click View users to see the employees that had suspicious file activity in the past 24 hours.
e Put data at risk in the last 30 days Click View users to see the employees that had suspicious file activity in the past 30 days.
f Employee

Displays the employee's name and Code42 username. Click their Code42 username to see their User Profile.

g Department/Title

Displays the employee's department and their title if you use provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. You must first add the department and title attributes if you use Okta provisioning or PingOne provisioning.) If you don't use provisioning, this information does not appear and cannot be added manually.

h Events Displays the number of file events in which a file was moved to removable media or cloud sync folders, read by a browser or other app, or shared publicly via direct link or with specific users outside your trusted domains.

i Size Lists the total size of the files included in the file event activity.
j Risk factors

Attributes that were added to the employee's profile:

  • High impact employee - May be used when an employee has a special role or broad access to high-value data
  • Elevated access privileges - May be used when an employee has elevated privilege or access to sensitive systems
  • Performance concerns - May be used when an employee is dissatisfied or on an improvement plan
  • Flight risk - May be used when an employee is an active job seeker or potentially leaving the company
  • Suspicious system activity - May be used when an employee tried to access sensitive systems or raised alerts in other security monitoring systems
  • Poor security practices - May be used when an employee violated internal data or physical security policies
  • Contract employee - May be used when an employee is a contract or temporary employee
k User profile notes Displays any additional notes entered when the profile was created. If no notes were added, this field is blank.
l Filter list

Filters the list of employees by:

  • Department - This information is automatically populated by your provisioning provider. If you don't use provisioning, this information does not appear and cannot be added manually. If departments are not populated correctly, see Provision user attributes to Code42.
  • Show - Defaults to All high risk employees. Options:
    • All high risk employees - Shows all employees that have been added to the High Risk Employees list, regardless of their file activity.
    • Only employees with file activity - Shows only those high-risk employees that have had possible exfiltration file activity.
  • Risk factors - Attributes that were added to the employee's profile. 
m View profile Opens the User Profile page for the employee.
n Remove employee Removes the employee's profile from the High Risk Employees list. This removes the profile for all other members on your team as well.
o View event details Click to view the employee's file events broken down by destination and file category group.

User Profile

To view an employee's user profile, click View profile in the list of employees.

Employee information

Employee information on the profile of a high-risk employee

Item Description
a High Risk Employee indicator

Shows that this employee has been added to the High Risk Employees list. Click to jump to the High Risk Employees list.

Click the "x" on the indicator to remove the employee from the High Risk Employees list. This will remove the employee from the High Risk Employees list for your team members as well.

b Employee information

Displays a summary of the employee's information, including:

  • Name
  • Department* 
  • Title*
  • Location*
  • Manager*
  • Employee's Code42 username
  • Employee's cloud aliases (not shown in image)
  • Departure Date (Departing Employees list only)
  • Risk Factors (High Risk Employees list only)
  • User Profile Notes (Departing Employees list and High Risk Employees list only)

*Displays this information if your Code42 environment uses provisioning. (If you use Code42 User Directory Sync or SCIM provisioning, this information is automatically populated by your provisioning provider. If you use Azure AD provisioning, the attributes are automatically populated. You must first add the attributes if you use Okta provisioning or PingOne provisioning.) If you don't use provisioning, this information does not appear and cannot be added manually. If user attributes are not populated correctly, see Provision user attributes to Code42.

c Profile details Information such as risk factors, departure date, or profile notes that was added to the employee's profile from the Departing Employees list or High Risk Employees list.
d Edit Click to edit employee information, including cloud aliases, applied risk factors, and User profile notes.

Destination activity over time

Destination activity over time graph

Destinations are dynamic
The list of destinations shown on each tab of this graph is dynamic. Only destinations with file activity are shown.

For example, if there is no Box file activity in the selected timeframe, or if you have not given Code42 access to your Box environment for monitoring, the Box destination is not listed.

Item Description
a All activity

Shows all endpoint and cloud service activity across your organization. (To see cloud service activity, give Code42 access to your cloud services.)

File events include files:

  • Moved to removable media or cloud sync folders
  • Viewed in a browser or other app
  • Shared publicly via direct link
b Remote activity

Shows all remote file activity that occurred on an endpoint. File events can include files moved to removable media or cloud sync folders, or viewed in a browser or other app.

When configured, remote activity is detected for endpoint events from out-of-network IP addresses. The Remote activity tab does not show cloud sharing events.

c Destination Displays the currently selected destination.
d Choose destination

Select a destination to see where the file was sent. Destinations include:

  • AirDrop: Files were sent to a device via AirDrop. The destination category for AirDrop events is listed as "Device" in the Exposure section of Forensic Search. 
  • Cloud destinations: The file was synced to a cloud service, shared publicly via direct link, or shared with specific users outside your trusted domains. 
    • Cloud sharing activity includes file activity from Box, Google Drive, and OneDrive and details how the file was shared (for example, public via direct link).
    • Cloud folder sync activity (when a file exists in a folder on the device that is used for syncing with a cloud service) includes activity from:

      • Apple iCloud
      • Box
      • Box Drive
      • Dropbox
      • Google Backup and Sync
      • Google Drive
      • Microsoft OneDrive
  • Email services: The file was uploaded to an email provider via a web browser.
  • Messaging services: The file was sent via a messaging service. 
  • Removable media: The file was moved to an external device such as a USB drive or hard drive. Click View event details to see file activity broken out by removable media device vendor. 
  • Social media: The file was uploaded to social media. This does not necessarily mean it's posted publicly; for example, the file could have been sent in a direct message on LinkedIn.
  • Source code repository: The file was uploaded to a location typically used for storing code files.
  • Other: File activity where the destination does not match any of the above destinations, or in the following special cases:
    • Files were opened in an app that is commonly used for uploading files, such as an FTP client or curl
    • We cannot determine the destination. On Macs, this may indicate Code42 does not have the required permissions to collect the destination details.
    • Multiple possibilities appears if the user accessed more than one tab while uploads were in progress. Review the Active tab titles and URLs to identify all possible destinations.
e Events Number of file events associated with the destination for the selected timeframe.
f Events bar graph Shows a visual representation of the number of file events. 
g Size Total size of files involved with the file activity.
h Activity preview Shows a visual representation of file activity for the selected timeframe.
i Risk indicators

Highlights file activity that has added risk. For more information about insider risk indicators, see Introduction to risk indicators.

File Mismatch - Indicates that the files involved with the file activity have extensions that do not match the file contents. For example, a file with the .jpg extension that is actually a .zip file.

Off hours - Indicates file activity that occurred outside the employee’s typical active hours. With File Metadata Collection enabled, Code42 captures file activity from an employee’s endpoint and uses that pattern of activity to highlight file activity that occurs during times a user is typically inactive (their off hours).

Off Hours requires File Metadata Collection
You must have File Metadata Collection enabled in order to see the Off Hours indicator. 
Off Hours appears only for endpoint activity
While the File Mismatch indicator is shown for both the endpoint and cloud sharing file activity, the Off Hours indicator only appears on endpoint events. Cloud services are not currently monitored for activity that occurs during off hours. 
j Forensic Search Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
k View event details Click to view the file events broken down by file category group.
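
The File Mismatch indicator in the table above flags a file whose extension does not match its contents, such as a .zip file named .jpg. The following is an added illustration of that kind of check, comparing a file's leading bytes with its extension; it is not Code42's detection logic, which this article does not describe. The function names, the signature table, and the sample inputs are assumptions made for the example.

```python
from pathlib import PurePath

# Well-known leading-byte signatures ("magic numbers") for a few formats.
SIGNATURES = [
    (b"\xff\xd8\xff", "jpeg"),
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),
]

# Extension -> content type its bytes should have. Office Open XML and JAR
# files are ZIP containers, so they map to "zip"; otherwise every .docx
# would be reported as a mismatch.
EXPECTED = {
    ".jpg": "jpeg", ".jpeg": "jpeg", ".png": "png", ".gif": "gif",
    ".pdf": "pdf", ".zip": "zip", ".jar": "zip",
    ".docx": "zip", ".xlsx": "zip", ".pptx": "zip",
}

def sniff(head: bytes):
    """Return the content type implied by the file's first bytes, or None."""
    for magic, kind in SIGNATURES:
        if head.startswith(magic):
            return kind
    return None

def check(filename: str, head: bytes) -> str:
    """Classify as 'match', 'mismatch', or 'unknown' (not enough evidence)."""
    expected = EXPECTED.get(PurePath(filename).suffix.lower())
    actual = sniff(head)
    if expected is None or actual is None:
        return "unknown"  # unlisted extension or unrecognised bytes: do not guess
    return "match" if expected == actual else "mismatch"

def flagged(samples):
    """Names of the samples whose extension contradicts their contents."""
    return [name for name, head in samples if check(name, head) == "mismatch"]

# Constructed sample inputs: (file name, first bytes of the file).
SAMPLES = [
    ("holiday.jpg", b"PK\x03\x04\x14\x00\x00\x00"),   # ZIP archive named .jpg
    ("budget.xlsx", b"PK\x03\x04\x14\x00\x06\x00"),   # OOXML workbook (ZIP container)
    ("scan.pdf", b"%PDF-1.7\n"),
    ("logo.png", b"\xff\xd8\xff\xe0\x00\x10JFIF"),    # JPEG named .png
    ("notes.txt", b"meeting notes"),
]
```

Calling `flagged(SAMPLES)` returns only the two renamed files; the .xlsx workbook is not flagged because its ZIP signature is the expected one for that extension.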

File categories

File activity by file category

 
Item Description
a Endpoint activity Shows all endpoint file activity across your organization. File events include files moved to removable media or cloud sync folders, or viewed in a browser or other app.
b Cloud sharing Shows file activity where permissions were increased on a file in your cloud services, making the file shared publicly via direct link. This tab requires Code42 access to your cloud services.
c File category group

Shows the summary of file activity for the following file categories:

  • Business Documents
    • Documents
    • PDF
    • Presentations
    • Spreadsheets
  • Zip Files
    Common archive file formats including compressed files.
  • Source Code
    Common source code formats.
  • Multimedia 
    • Audio
    • Image
    • Video
  • Other
    • Executable
    • Script
    • Uncategorized (files that did not fit any category)
    • Virtual Disk Image

For more information about file categories, see Forensic Search file categories.

d Events Displays the count of total file events for a file category group. The default sort order is from the highest number of events to the lowest. 
e Events bar graph Shows a visual representation of the number of file events.
f Size Displays the total file size of file events for a file category group. 
g Activity preview Shows a visual representation of file activity for the selected timeframe.
h Forensic Search Opens Forensic Search and pre-populates it with the selected timeframe and exposure type. Learn more about using Forensic Search.
i View event details Click to view the details of file events for a file category group.