Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

Manage Rules reference

Overview

Code42 Alerts let you know when important data may be leaving your company. Use the Manage Rules table to view or update the different alert rules you have in your Code42 environment that trigger these notifications.

This article is a reference guide with detailed descriptions of the rules in the Manage Rules table. You can also use Alerts to view and dismiss the alert notifications generated by these rules. For information about alert notifications, see Review Alerts reference. For information on creating and configuring security alert rules, see Create and manage alert rules.

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

  • You must connect at least one cloud service to Code42 to see cloud-related file activity. 

Manage Rules

Use the Manage Rules screen to view, create, edit, duplicate, and delete existing alert rules that trigger alert notifications.

To add or edit alert rules:

  1. Sign in to the Code42 console.
  2. Select Alerts > Manage Rules.
    Manage Rules table
Item: Description

a. Create rule: Creates a new rule that you can use to alert you when important data may be leaving your company.

b. Recommended rules: Creates a new rule from a pre-configured template that has recommended settings. Click one of the rule names to start creating a rule from that template, or click View all recommendations to view all of the recommended rules. You can change and customize the settings to match your specific needs.

c. Rule name: Name entered for the rule when it was created.

d. Severity: Severity of the alert that was selected when the rule was created.

e. Created: Date the rule was created.

f. Column sort: Hover over any column header to see the sort option. Click the up arrow to sort results by this column in ascending order. Click the down arrow to sort in descending order.

g. Last modified: Date the rule was last changed.

h. Enable: Click to enable or disable rules.

  • Enable: Allows the rule to notify you of potential file exfiltration based on its settings.
  • Disable: Stops the alert from firing for all users that were added to the rule. The alert will no longer generate new notifications on the Review Alerts tab.

i. Departing Employees or High Risk Employees badge: Identifies a rule that is created by default when employees are added to the Departing Employees list or the High Risk Employees list.

j. Locked setting: Indicates that you cannot enable or disable this default alert rule here. Default rules that are automatically created from the Departing Employees list or the High Risk Employees list can only be enabled or disabled in those lists.

For example, this rule is for the Departing Employees list and can be enabled or disabled from Detection > Departing Employees > Alert Settings.

k. Actions: Click to make a copy of an existing rule or to delete a rule. You cannot delete a default rule that is automatically created from the Departing Employees list or the High Risk Employees list.

l. View: Click to view an alert rule's settings. For more information on editing rule settings, see Create and manage alert rules.

m. Rows per page: Select the number of rules to display on each page.

n. Pagination: Click the right and left arrows to scroll through pages of rules.

Recommended rule templates

Code42 includes a number of pre-configured, recommended rule templates. You can quickly create rules from these templates, modifying the default settings to match your needs and environment.

To start creating a rule from a template:

  • If the template you want appears in the Recommended rules list, click its name.
  • Otherwise, click View all recommendations to view all recommended rule templates and then click the rule name. 

When the Step 1 of 3 panel opens for that template, use it to customize the rule for your unique needs and environment. Each recommended rule template uses alert rule settings to identify the specific file activity to alert on.

Alert rule settings

To create an alert rule, you select rule settings that match the activity you want to be alerted about. You can mix and match settings as needed to target specific activity your organization has identified as carrying the most risk.

For more information about a setting, follow these links:

  1. Filename or extension
  2. File categories
  3. File extension mismatch
  4. File volume
  5. Destination
  6. Individual users

After adding settings to a rule, complete the rule by naming it and giving it a description, selecting its severity, and identifying the users you want to notify when Code42 detects activity matching the rule's criteria.

View rule

For any alert rule listed in the Manage Rules table, click View to view details about that rule. You can then change the rule name, description, or severity and add or edit the rule's settings.

Rule details vary. Specific rules may display different details than those shown in the example below.

View rule settings

Item: Description

a. Rule name and description: The name and description entered when the rule was created. Rule names must be unique.

If the rule is a default rule created from the Departing Employees list or High Risk Employees list, the View rule panel identifies it as such.

b. Severity: The severity selected when the rule was created.

c. Actions menu: Click Actions to open the Actions menu where you can:

  • Edit the rule's name, description, and severity.
    If the rule is a default rule created from the Departing Employees list or High Risk Employees list, you can change only the rule's severity.
  • Make a copy of the rule.
  • Delete the rule.
    You cannot delete a default rule. However, you can enable or disable these rules from the corresponding lists.

d. Rule settings: The settings that were added to the rule when it was created. The options selected for each setting are also listed. Click the "more" link when it appears to view all of the options selected for that setting.

e. Add settings: Click to add a new setting to the rule and select its options.

f. Edit: Click to update the options selected for that setting, or to update the email addresses to which notification emails are sent when an alert is generated.

g. Show default settings: By default, Code42 automatically monitors for all file activity, and uses the options you select in rule settings as filters to alert only on matching activity to reduce noise. To view the default rule settings that Code42 automatically uses for the rule, click Show default criteria.

You can edit these settings to add them to the rule with specific options as filters, as needed.

h. Actions: The email addresses of the users who are automatically notified when activity that matches the rule is detected. Click Edit to update these addresses as needed.

If you do not enter any email addresses, Code42 does not send any emails but still collects information about the file activity that triggers the alert. You can view these notifications in the Review Alerts table.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you will not be notified by alert rules when file events occur on domains you trust. Go to Settings > Data Preferences to update trusted domains settings as needed.