Skip to main content

Who is this article for?

Code42 for Enterprise
CrashPlan for Enterprise

Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

Code42 Support

Recommended rules reference


The list of Recommended rules at the top of the Manage Rules screen contains a number of pre-configured templates. Customize the default settings in these templates to quickly create alert rules that notify you when activity occurs that your organization finds risky.

Recommended rules

To view recommended rule templates, select Alerts > Manage Rules. A number of the recommended rules appear at the top of the screen, but more are available. To create a rule from one of the templates:

  • If the recommended rule you want to use is already listed, click its name.
    Recommended rule templates in Alerts
  • Otherwise, click View all recommendations to view all recommended rules, and then click the rule name.
    All recommended rules

When the Step 1 of 3 panel opens for that template, use it to customize the rule for your unique needs and environment. Each recommended rule template uses alert rule settings to identify the specific file activity to alert on.


Earnings report exfiltration

Earnings reports contain a wealth of information about your organization's financial health and outlook. The Earnings report exfiltration recommended rule can notify you about potential exfiltration of this valuable business data prior to its official release. This recommended rule uses the Filename or extension setting to monitor the movement of files that contain references to "earnings" or "financial" in their filenames.

Rule settings: Filename or extension criteria

  • *earning*report*
  • *earning*Q?
  • *Q*report
  • *board*deck*
  • *audit*committee*
  • *disclosure*committee
  • *financial*statement*

Tips to customize this rule: Add the Individual users setting and exclude the usernames of members of your Finance team. This prevents the rule from being triggered by expected activity as these team members collaborate on and exchange financial reports.

Microsoft Outlook exfiltration

Employee inboxes contain a wealth of important business information in the form of emails exchanged about projects and opportunities. Secure these communications by using the Microsoft Outlook exfiltration recommended rule to monitor the movement of inbox archive files. This recommended rule uses the Filename or extension setting to monitor file extensions associated with Microsoft Outlook messages, calendar, and contact data.

Rule settings: Filename or extension criteria

  • *.pst
  • *.olm
  • *.ost

Tips to customize this rule: Add the Destination setting and select the External devices and Cloud storage options to monitor when such files are moved to these destinations for external access. (These files can be large, so exfiltration via personal email is not likely.)

Password exfiltration

Some password management systems install a client application on employee devices for local password database storage. For example, KeePass stores passwords in encrypted .KDBX files, while LastPass stores passwords in encrypted .PASS files. Although these files are encrypted and can only be accessed with a master password, they can be viewed by anyone with that master password and an installed version of the password management software. The Password exfiltration recommended rule uses the Filename or extension setting to track the movement of such password files to identify possible exfiltration.

This same rule also tracks the movement of files that may contain login credentials and passwords based on filenames containing common and obvious words, such as "credentials," "login," or "usernames."

Rule settingsFilename or extension criteria

  • *.pass
  • *password*
  • *p*word*
  • *login*
  • *credentials*
  • *creds*
  • *usernames*
  • *user*names*
  • *pwd
  • *pswd
  • *.kdbx

Tips to customize this rule: Add the Destination setting and select common exfiltration vectors to watch these locations.

  • External media: Select Removable media
  • Cloud storage: Select all options
  • Email services: Select all options

Source code exfiltration by extension

The scripts and code created by software developers is essential intellectual property for many businesses. The Source code exfiltration by extension recommended rule monitors the possible exfiltration of those files by watching specific file extensions associated with source code files.

Rule settings: Filename or extension criteria

  • *.py
  • *.java
  • *.cs
  • *.net
  • *.c
  • *.pl
  • *.cgi
  • *.cpp
  • *.php

Tips to customize this rule:

  • If you use a programming language that uses file extensions that are not listed above, add them to the Filename or extension setting.
  • Add the Individual users setting and exclude the usernames of members of your QA team (for example). This filters out that expected activity so that you are not alerted as members of your QA team upload and exchange files as part of their testing.
  • Add the Destination setting and make sure that the options for the source code repositories you use are not checked. This prevents you from being alerted about everyday uploads to your corporate source code repository by software developers.

Salesforce report exfiltration

Salesforce users can generate a number of reports that contain valuable sales, finance, and contact data. To detect the unauthorized release or access of this important business information, use the Salesforce report exfiltration recommended rule to identify file events associated with such reports.

Rule settingsFilename or extension criteria

  • report?????????????.csv
  • report?????????????.xls

Tips to customize this rule

  • When a user generates a report, Salesforce by default suggests a filename of "report" followed by a 13-number string. (Each ? wildcard in the filename or extension criteria is standing in for one of these numbers in that default string.) Note that users can change that suggested filename. If your organization uses a different naming convention for Salesforce reports, add that convention to the Filename or extension criteria. 
  • Ensure that your Code42 administrator has added the domains your organization uses for its Salesforce and corporate cloud service environments to the trusted domains list. Doing so prevents the rule from being triggered by expected file activity generated by your sales team as they collaborate on leads and opportunities.

File categories

Source code email exfiltration

Like the Source code exfiltration by extension recommended rule, this recommended rule monitors the possible exfiltration of your important software intellectual property. However, this rule differs in two ways:

  • It monitors file classifications normally associated with common programming languages.
  • It watches for uploads of those files to personal email services to be sent as email attachments.

Rule settings:

  • Destination: Includes all Email services
  • File categories: Source code
    Remember that the examples listed for the Source Code file category are not exhaustive. It contains many more file extensions that are not listed. Keep in mind that file extensions are not the only method Code42 uses to identify a file's category.

Tips to customize this rule: As with the Source code exfiltration by extension recommended rule, add individual users or destinations as filters so that the rule is not triggered by expected activity.

Zip file exfiltration

Zip or archive files are a useful way to compress large or multiple files into more manageable packages for collaboration, but can also be used to conceal the business content that is being exfiltrated. The Zip file exfiltration recommended rule notifies you when such archive files are involved in file activity so that you can determine whether additional investigation is warranted.

Rule settingsFile categories > Zip

Tips to customize this rule:

  • Add the File volume setting to specify either a total file count or cumulative file size threshold (or both) after which the alert should be triggered. If your users generally exchange a small number of archive files for feedback and collaboration, this setting filters out that expected activity to improve fidelity.
  • Add the Destination setting and select applicable destinations other than Email services. Generally, most email services inherently prevent archive files from being attached to messages.

User behaviors

Cloud share permission changes

Like the recommended rules above, this template uses the Destination rule settings to alert you when a user makes a file in your organization's cloud service environment publicly available via a direct link or shares it with external users.

Rule settings: Destination > Cloud sharing (all)

Tips to customize this rule: Add the Individual users settings to exclude certain users from being monitored by this rule. For example, members of your legal team are working on a case with external counsel, and need to share files with that firm. You can exclude these legal team members from the rule so that this expected activity is filtered out and you do not get notified about their sharing activity.

File extension mismatch exfiltration

This recommended rule uses the File extension mismatch rule setting to alert you when exfiltration activity is detected for any file with an extension that doesn't match its contents. This setting doesn't have any criteria to select or enter: adding it to a rule automatically monitors for files with a mismatch between their extension and contents.

Rule settings: File extension mismatch

Tips to customize this rule: Add the Individual users setting to alert you when a mismatch is detected in file activity generated by specific users. For example, the Risk Exposure dashboard indicates that Filip has moved a large number of files, and further investigation in Forensic Search shows that many of these carry the File Mismatch risk indicator. You add Filip as a user monitored by this rule to better understand why his files show mismatches.

Flight risk

This recommended rule uses the Filename or extension rule settings to alert you when exfiltration activity is detected that involves files with a variation of "resumé" or "cv" in their filenames. This criteria uses the * wildcard along with the words or abbreviations that appear in such filenames to detect activity for a variety of naming conventions and file types.

Rule settings: Filename or extension criteria

  • *resumé*
  • *résumé*
  • *cv*
  • *resume*.do*
  • *resume*.pdf
  • *resume*.txt
  • *resume*.jp*
  • *resume*.odt
  • *resume*.odm

Tips to customize this rule:

  • Add the Individual users settings to the rule, and then add the usernames of anyone identified on the High Risk Employees list as a flight risk. The rule then alerts you when Code42 detects activity generated by any of those users for files that match the "resumé" filename or extension criteria.
  • Use the Destination settings to prevent your organization's cloud storage environment from being monitored by this rule. For example, your organization asks that all employees place a copy of their resumés in a folder on the corporate OneDrive environment due to compliance and auditing regulations. Add the Destination settings to the rule and select any applicable destinations except for the OneDrive option under Cloud sharing. Code42 then does not notify you about this expected activity when a new employee copies their CV to the corporate OneDrive.
  • Ensure that your trusted domains list includes the domain of any website you use for job postings. For example, you want your employees to apply for new internal opportunities as they open up by posting their resumés to the job posting. Make sure that the domain you use for internal and external employment opportunities is listed in your trusted domains list. When an employee applies for an open position by attaching their resumé, Code42 evaluates that domain against your trusted domains and does not alert you about this expected activity to avoid labeling that employee as a flight risk. 


Cloud sync folder exfiltration

This recommended rule uses the Destination rule setting to alert you about files that are moved to personal cloud storage services, such as Apple iCloud or Box. This rule monitors activity in both endpoint folders and users' web browsers to notify you when: 

  • Any file is moved to a folder on the endpoint that is commonly used to sync files with personal cloud storage services
  • Any file is uploaded to a personal cloud storage service using tools within a browser window

 Rule settings: Destination > Cloud storage

  • Amazon Drive
  • iCloud
  • Box
  • Box Drive
  • Dropbox
  • Google Drive
  • Mega
  • OneDrive
  • Zoho

Tips to customize this rule:

  • Use the File categories setting to limit the file activity detected by this rule to only specific groupings of files. For example, your training department commonly uploads video files to various cloud storage providers to post training on external websites or make promotional materials available to advertising partners. Add the File categories settings to the rule but do not select the Video option to prevent Code42 from notifying you about this expected activity.
  • Remove any company-approved personal cloud storage providers from the rule. For example, your company has a "work from anywhere" culture and encourages employees to use Google Drive and Google File Stream to collaborate with colleagues and access files anywhere. To filter this approved activity out of alerts generated by this rule, clear the Google Drive option in the Destination settings.

Removable media exfiltration

The Removable media exfiltration recommended rule uses the Destination rule settings to alert you when any file is moved to removable media (such as an external memory card or USB drive). 

Rule settings: Destination > External devices > Removable media

Tips to customize this rule:

  • Add the Filename or extension setting to alert you only when files with filenames or extensions that match the criteria you enter are moved to removable media. For example, your Accounting department uses "earnings" in the naming convention for financial reports. You can add this filename criteria to the rule to notify you when a user moves one of these reports to removable media.
  • Add the File volume setting to reduce the noise generated by this rule so that it alerts you only when users move files to removable media in total count or size that exceed the thresholds you enter. For example, you could specify that the rule is triggered only when users move 5 or more files or only when users move more than a cumulative total of 100 MB to removable media.
  • Was this article helpful?