
Who is this article for?


Incydr, yes.

CrashPlan for Enterprise, no.

Code42 for Enterprise, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.


Review Alerts reference

Overview

Code42 Alerts let you know when important data may be leaving your company. Use the Review Alerts table to view or dismiss alert notifications, add notes to a notification, and select the status of any associated investigation.

This article is a reference guide with detailed descriptions of the notifications in the Review Alerts table. Use the Manage Rules table to view or update the different alert rules you have in your Code42 environment that trigger these notifications. For information about alert rules and their components, see Manage Rules reference. For information on creating and configuring alert rules, see Create and manage alert rules.

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

  • You must connect at least one cloud service to Code42 to see cloud-related file activity. 

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Video

Watch the video below to learn how to review alerts. For more videos, visit the Code42 University.

Review Alerts

Alert notifications are listed in the Review Alerts table when activity matching the settings defined in alert rules is detected. To view the table, select Alerts > Review Alerts.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you will not be notified by alert rules when file events occur on domains you trust. Go to Settings > Data Preferences to update trusted domains settings as needed.

Review Alerts table

Item Description
a Filter: Filters the Review Alerts list by the criteria you select. For more information, see Filter alerts below.
b Filtered by: The filters currently applied to the Review Alerts list. Click the X to remove that filter. Remove all filters to view all alerts.
c Select all: Selects all alerts and presents an action button (Dismiss alerts or Reopen alerts). Click the button to perform that action on all selected alerts at once. You cannot add notes when you use select all.
d Severity: Severity associated with the rule that generated the alert: Low, Medium, or High.
e Rule name: Name entered for the rule that generated the alert.
f Alert generated: Date and time the alert was generated.
g Column sort: Click the column header to sort results by this column in ascending or descending order.
h Username/Actor: The Code42 username or the cloud alias associated with the file events that generated the alert.
i Status: The status of the alert: Open, In progress, Pending response, or Dismissed. Statuses indicate the alert's current state and identify any specific stages of an investigation into that notification.
j Dismiss or Reopen alert: Opens a menu to dismiss or reopen the current alert. You can also choose to add a note to the alert before you dismiss or reopen it.
  • Select Dismiss or Dismiss with note to remove this individual alert from the list of open alerts. This also dismisses the notification for any teammates. To stop all alerts for this specific activity, click Manage Rules and disable the alert rule.
  • Select Reopen or Reopen with note to add this alert back to the list of open alerts on the Review Alerts tab.
k View detail: Click to view alert details for this notification. Includes file event information, file count and size, and file categories involved in the event.
l Default alert indicator: Identifies default alerts from the Departing Employees list or High Risk Employees list.
m Rows per page: Select the number of alerts to display on each page.
n Pagination: Click the right and left arrows to scroll through pages of alerts.

Filter alerts

To filter the alerts listed on Review Alerts, click Filter and select the criteria to use. When you click Apply, alerts that match all filters appear in the list.

Any filters that are applied are shown above the Review Alerts list. Click the X on a filter to remove that filter.

Filter alert notifications

Item Description
a Status: Filters the list by status:
  • Open: Alerts that have not yet been investigated.
  • In progress: Alerts for which an investigation is underway.
  • Pending response: Alerts for which a response is forthcoming.
  • Dismissed: Alerts that have been closed.
  • Any: Alerts with any of these statuses.
b Date range: Filters the list by the selected date range: alerts triggered in the last 24 hours, 7 days, or 30 days, or select Custom and enter the start and end dates to use to filter alerts. You can also select All dates to view all alerts that have been triggered.
c Severity: Filters the list by severity: High, Medium, Low, or alerts with any severity.
d Username or actor: Filters the list to show only file events associated with a specific Code42 username or cloud alias (actor).
e Rule name: Filters the list to show only alerts associated with a specific rule name.
f Cancel / Apply: Click Apply to apply the selected filter criteria to the list and display only the alerts that match those criteria. To return to the list without applying any filters, click Cancel.

Alert details

For any alert listed on Review Alerts, click View detail to see more information about the alert notification.

Alert details vary depending on the type of activity that triggered the alert. Specific alerts may display different details than those shown in the example below.

The Alert details panel is divided into several sections:

  • Basic details about the rule that generated the alert (such as name, severity, and description) appear at the top.
  • The Overview identifies the user whose activity generated the alert, the timeframe in which the activity occurred, and the number and type of files involved.
  • The Endpoint exposure and Cloud sharing sections describe the type of activity on either a user's endpoint or in your organization's cloud environment (such as Box or OneDrive) that generated the alert, followed by details about the specific files involved. If the activity involved both types of destinations, both sections are listed in the details. Otherwise, only the destination involved in the activity appears.

Alert details

Item Description
a Rule name: The name of the rule that generated the alert. If the alert was generated by a default rule from the Departing Employees list or High Risk Employees list, the indicator identifies it as such. Click the View rule link to view and edit the rule that triggered this alert.
b Severity: The severity of the rule that generated the alert.
c Description: The description of the rule that generated the alert.
d Status: The status of the alert: Open, In progress, Pending response, or Dismissed. Statuses provide more context about what's happening with an alert or record specific stages of an alert's investigation. Code42 automatically saves and displays the username of the last person to update the alert's status, along with the date and time the status was changed.
e Notes: Any notes that have been entered for the alert.
  • Click Add note to add a note to the alert, then enter the note and click Save.
  • To edit an existing note, click Edit, then update the note and click Save. You can also delete a note entirely by deleting the note's text and clicking Save. Code42 automatically saves and displays the username of the last person to edit the note, along with the date and time it was edited.
  • The Notes panel displays only a few lines of the note by default. To view long notes, click Expand note. Click Collapse note when you finish to display the rest of the alert details.
f Username or Actor: The Code42 username or the cloud alias associated with the file events that triggered the alert. The View profile link appears when either:
  • A Code42 username is associated with the event
  • The actor's cloud alias is associated with a Code42 username in the User Profile
  Click the link to view the User Profile for that user. This link appears only when allowed by your Code42 product plan and role permissions. Click Send email to compose an email to the user requesting more information about this activity. You can customize the email as needed before sending it.
g Time range of events: Displays the time period in which the file activity occurred.
  • The time frame starts when the file activity begins.
  • An alert is sent five minutes after the activity monitored by the rule is exceeded. This five-minute delay reduces alert "noise," since users can move a lot of data in a few quick clicks. For example, an employee starts moving files at 10:42 a.m. and exceeds the rule's settings at 10:55 a.m. An alert is sent to you five minutes later at 11:00 a.m. with combined totals for everything that was moved between 10:42 a.m. and 11:00 a.m.
h Number of files: The total number of files involved in the suspected exposure.
i Total file size: The combined file size for the files involved in the suspected exposure.
j File categories: The file categories of the files identified by this alert (for example, Spreadsheet or Zip files).
k IP address: The public IP address involved in the file activity. If the IP address was not collected, this row does not appear. Remote activity highlights file activity from IP addresses that are not listed as in-network IP addresses in Administration > Settings > Data Preferences.
l Exposure type: The type of file activity on an endpoint that triggered the alert:
  • Read by browser or other app
  • Activity on removable media
  • Moved to cloud sync folders
    When available, the username signed in to the cloud sync application is also listed.
m Browser or app details: The destination category, application name, and tab name and URL to which the file was uploaded (when available) for "Read by browser or other app" events. Only the first 10 destination categories, app names, tab names, and URLs are listed. Investigate in Forensic Search to view any other browser activity that generated the alert.
n File events: The filename and path of the file that generated the alert. Only the first 10 files are listed. Investigate in Forensic Search to view any other files that generated the alert.

File extension mismatch (not shown in image): If activity was detected for files whose contents don't seem to match their extensions, the filename and path of those files are listed here. Code42 also identifies the file's former and current extensions.
Cloud service (not shown in image): The name of the cloud service in which sharing permission changes were detected.
Permission changed to (not shown in image): Indicates the change by which a file stored in a cloud service is shared publicly via a direct link or with users outside your trusted domains:
  • Public on the web (Google Drive only)
  • Public via direct link
    The method used to share the file appears within the cloud service as follows:
    • Microsoft OneDrive: "Anyone with the link"
    • Google Drive: "Anyone with the link"
    • Box: "People with the link"
  • Shared outside trusted domain
    The domains and email addresses with which the file was shared are listed under Shared with.
Shared with (not shown in image): The domains (such as "example.com") and email addresses (such as "first.lastname@example.com") the file has been shared with that are outside of the domains you trust. Microsoft OneDrive does not provide email addresses to Code42, so email addresses outside of the domains you trust cannot be listed here for files shared in OneDrive. Only the first 10 email addresses are listed. Investigate in Forensic Search to view other email addresses the file has been shared with that are outside trusted domains.
o Dismiss alert or Reopen alert: For an open alert, click to remove this individual alert notification from the list of open alerts. This dismisses the notification for any teammates. For an alert that has been dismissed, click to reopen this individual alert notification and return it to the list of open alerts.
p Investigate in Forensic Search: Click to see these files in Forensic Search. If both endpoint and cloud destinations are involved in the activity that generated the alert, select the type of activity you want to view in Forensic Search from the menu that appears:
  • Investigate cloud sharing events
  • Investigate endpoint exposure events