
Who is this article for?
Find your product plan in the Code42 console on the Account menu.

  • Incydr Professional and Enterprise: yes
  • Incydr Basic and Advanced: yes
  • CrashPlan Cloud: no
  • Other product plans: yes
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.


Review Alerts reference

Overview

Code42 Alerts let you know when important data may be leaving your company. Use the Review Alerts table to view or dismiss alert notifications, add notes to a notification, and select the status of any associated investigation.

This article is a reference guide with detailed descriptions of the notifications in the Review Alerts table. Use the Manage Rules table to view or update the different alert rules you have in your Code42 environment that trigger these notifications. For information about alert rules and their components, see Manage Rules reference. For information on creating and configuring alert rules, see Create and manage alert rules.

Considerations

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Roles for Incydr. To learn which permissions on Incydr roles allow use of this functionality, see Permissions for Incydr. If you use other Code42 products, see Role assignment use cases.

  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan. If you do not know your CSM, please contact our Customer Champions.

  • You must connect at least one cloud service to Code42 to see cloud-related file activity. 

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Review Alerts

Alert notifications are listed in the Review Alerts table when activity matching the settings defined in alert rules is detected. To view the table, in the Code42 console select Alerts > Review Alerts.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains, Slack workspaces, and cloud destinations you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you are not notified by alert rules for trusted events. 
Risk severities replace alert High/Medium/Low severities
Risk severities represent how risky file activity may be based on the risk score Code42 calculates for file events. These risk scores are calculated using the risk settings assigned to various types of activity. You can view risk severities in multiple places across Incydr, such as on the Risk Exposure dashboard, in Forensic Search, on user profiles, and also within Alerts.

To better help you identify risky activity, these risk severities replace the High, Medium, and Low alert severities that appeared only in Alerts. You may have used these alert severities within Alerts to prioritize and filter rules and notifications.

Review Alerts list

a. Trust settings
Indicates that trust settings are applied to this page, which filters your view to show only the riskiest activity. Click to learn more and to view your trust settings.
Code42 excludes trusted file activity from dashboards, detection lists, user profiles, and alerts. Trusted activity is file activity that occurs on your trusted domains and IP addresses and in your approved cloud destinations.

b. Risk settings
Click to open Risk settings, where you can set the score of each risk indicator. Scores are used to calculate the severity of each file event. For more information, see the Risk settings reference.
To edit risk settings, you must have the Customer Cloud Admin, Insider Risk Admin, or Insider Risk Analyst role. Users with the Insider Risk Read Only role can view risk settings but cannot change them.

c. Filter
Filters the Review Alerts list by the criteria you select. For more information, see Filter alerts below.

d. Filtered by
The filters currently applied to the Review Alerts list. Click the X on a filter to remove it. Remove all filters to view all alerts.

e. Select all
Selects all alerts and presents an action button (Dismiss alerts or Reopen alerts). Click the button to perform that action on all selected alerts at once.
You cannot add notes when you use Select all.

f. Risk severity
The risk severity associated with the event, based on its risk indicators. Risk severities are based on the following scoring ranges:

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated

For more information about risk indicators, see Risk settings reference.

g. Rule name
Name entered for the rule that generated the alert.

h. Alert generated
Date and time the alert was generated.

i. Column sort
Click the column header to sort results by this column in ascending or descending order.

j. Username/Actor
The Code42 username or the cloud alias associated with the file events that generated the alert.

k. Status
The status of the alert: Open, In progress, Pending response, or Dismissed.
Statuses indicate the alert's current state and identify specific stages of an investigation into that notification.

l. Dismiss or Reopen alert
Opens a menu to dismiss or reopen the current alert. You can also add a note to the alert before you dismiss or reopen it.

  • Select Dismiss or Dismiss with note to remove this individual alert from the list of open alerts. This also dismisses the notification for your teammates. To stop all alerts for this specific activity, click Manage Rules and disable the alert rule.
  • Select Reopen or Reopen with note to add this alert back to the list of open alerts on the Review Alerts tab.

m. View detail
Click to view alert details for this notification, including file event information, file count and size, and the file categories involved in the event.

n. Default alert indicator
Identifies alert notifications generated by the default alert rules from the Departing Employees list or High Risk Employees list.

o. Rows per page
Select the number of alerts to display on each page.

p. Pagination
Click the right and left arrows to scroll through pages of alerts.

Filter alerts

To filter the alerts listed on Review Alerts, click Filter and select the criteria to use. When you click Apply, alerts that match all filters appear in the list.

Any filters that are applied are shown above the Review Alerts list. Click the X on a filter to remove that filter. 

Filter alert notifications

a. Status
Filters the list by status:

  • Open: Alerts that have not yet been investigated.
  • In progress: Alerts for which an investigation is underway.
  • Pending response: Alerts for which a response is forthcoming.
  • Dismissed: Alerts that have been closed.
  • Any: Alerts with any of these statuses.

b. Date range
Filters the list by the selected date range: alerts triggered in the last 24 hours, 7 days, or 30 days; or select Custom and enter the start and end dates to use. You can also select All dates to view all alerts that have been triggered.

c. Risk severity
Filters the list by risk severity: shows alerts with Critical, High, Moderate, or Low risk scores, or alerts with any risk severity.
Risk severities are based on the following scoring ranges:

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated

For more information about risk indicators, see Risk settings reference.

d. Username or actor
Filters the list to show only file events associated with a specific Code42 username or cloud alias (actor).

e. Rule name
Filters the list to show only alerts associated with a specific rule name.

f. Cancel / Apply
Click Apply to apply the selected filter criteria to the list and display only the alerts that match those criteria. To return to the list without applying any filters, click Cancel.

Alert details

For any alert listed on Review Alerts, click View detail to see more information about the alert notification.

Alert details vary depending on the type of activity that triggered the alert. Specific alerts may display different details than those shown in the example below.

The Alert details panel is divided into several sections:

  • Actions that you can take on the alert (such as investigating it in Forensic Search or emailing the user about the questionable activity) appear at the top.
  • The Overview lists general information about the alert, such as the rule and user that generated the alert, a summary of the activity that generated the alert, the timeframe in which the activity occurred, and the number of files involved in the endpoint or cloud activity.
  • The Cloud events and Endpoint events sections identify the specific files involved in the activity, and describe the type of activity either in your organization's cloud environment (such as Box or OneDrive) or on a user's endpoint that generated the alert and its associated risk score. If the activity involved both types of destinations, both sections are listed in the details. Otherwise, only the destination involved in the activity appears.

Alert details

a. Alert ID
The unique identifier for the alert notification. Click Copy Link to copy the link to the alert notification in the Code42 console so that you can share it with others for further investigation.

b. Investigate in Forensic Search
Click to view these file events in Forensic Search.
If both endpoint and cloud destinations are involved in the activity that generated the alert, select the type of activity you want to view in Forensic Search from the menu that appears:

  • Investigate cloud sharing events
  • Investigate endpoint exposure events

c. Send email
Click to open an email template requesting more information from the user about this activity. You can customize the template as needed before sending it to the user.

d. Dismiss alert or Reopen alert
For an open alert, click to remove this individual alert notification from the list of open alerts. This also dismisses the notification for your teammates.
For an alert that has been dismissed, click to reopen this individual alert notification and return it to the list of open alerts.

e. Rule name
The name of the rule that generated the alert.
Either the description entered for the rule or a brief description of the rule settings that triggered the alert is listed under the rule name for your reference.
Click View rule to view and edit the rule that triggered this alert.

f. Status
The status of the alert: Open, In progress, Pending response, or Dismissed.
Statuses provide more context about what's happening with an alert or record specific stages of an alert's investigation.
Code42 automatically saves and displays the username of the last person to update the alert's status, along with the date and time the status was changed.

g. Notes
Any notes that have been entered for the alert.

  • Click Add note to add a note to the alert, then enter the note and click Save.
  • To edit an existing note, click Edit Notes, then update the note and click Save. You can also delete a note entirely by deleting the note's text and clicking Save. Code42 automatically saves and displays the username of the last person to edit the note, along with the date and time it was edited.
  • The Notes panel displays only a few lines of the note by default. To view a long note, click Expand note. Click Collapse note when you finish to display the rest of the alert details.
h. Risk severity
The risk severity associated with the event, based on its risk indicators. Risk severities are based on the following scoring ranges:

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated

For more information about risk indicators, see Risk settings reference.

i. Risk summary
A brief summary of the risk indicators that contributed to the event's risk severity. For more information, see Risk settings reference.

j. Username or Actor
The Code42 username or the cloud alias associated with the file events that triggered the alert. If the user is included on either the Departing Employees list or High Risk Employees list, that indicator appears for reference.
View profile appears when either:

  • A Code42 username is associated with the event.
  • The actor's cloud alias is associated with a Code42 username in the User Profile.

Click to view the User Profile for that user. View profile appears only when allowed by your Code42 product plan and role permissions.

k. Time range of events
Displays the time period in which the file activity occurred.

  • The time frame starts when the file activity begins.
  • An alert is sent five minutes after the activity monitored by the rule exceeds the rule's settings. This five-minute delay reduces alert "noise," since users can move a lot of data in a few quick clicks. For example, an employee starts moving files at 10:42 a.m. and exceeds the rule's settings at 10:55 a.m. An alert is sent to you five minutes later, at 11:00 a.m., with combined totals for everything that was moved between 10:42 a.m. and 11:00 a.m.
l. File total
The total number and size of files involved in the suspected exposure.

m. Endpoint IP addresses
The public IP address of the endpoint involved in the file activity. If the IP address was not collected, this row does not appear.
Remote activity highlights file activity from IP addresses that are not listed as in-network IP addresses in Administration > Environment > Data Preferences.
Endpoint IP addresses are listed only for endpoint events.

Cloud sharing (not shown in example)
The domains (such as "example.com") and email addresses (such as "first.lastname@example.com") outside the domains you trust that a file has been shared with.
Cloud sharing details are listed only for cloud events.
Microsoft OneDrive does not provide email addresses to Code42. Therefore, email addresses outside the domains you trust cannot be listed here for files shared in OneDrive.
Only the first 10 email addresses are listed. Investigate in Forensic Search to view other email addresses outside trusted domains that the file has been shared with.

Cloud events: Filename/Details (not shown in example)
The filename involved in the cloud activity, along with details about the risk indicators that contributed to its risk severity and risk score.
Click Investigate in Forensic Search to view these files in Forensic Search.
Risk severities are based on the following scoring ranges:

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated

When available, additional details about the event (such as the URL and active tab title involved in the activity, or the email addresses the file was shared with) are listed. For more information about the details displayed here, see Forensic Search reference guide.

n. Endpoint events: Filename/Details
The filename involved in the activity on the endpoint, along with details about the risk indicators that contributed to its risk severity and risk score.
Click Investigate in Forensic Search to view these files in Forensic Search.
Risk severities are based on the following scoring ranges:

  • 9+: Critical
  • 7-8: High
  • 4-6: Moderate
  • 1-3: Low
  • 0: No risk indicated

When available, additional details about the event (such as the vendor of the removable media to which files were moved, the file location on the endpoint, or the username signed into the device) are listed. For more information about the details displayed here, see Forensic Search reference guide.

o. View events in Forensic Search
Click to see these files in Forensic Search.
If both endpoint and cloud destinations are involved in the activity that generated the alert, this link appears at the bottom of each section to open those file events in Forensic Search.
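The following is an added worked example, not Code42's code, that walks through the timing described for item k (Time range of events) and the risk severity ranges quoted throughout this reference. Only the five-minute delay and the score-to-severity ranges come from this page. The rule condition (more than FILE_THRESHOLD files moved), the constructed events, the function and field names, and the choice to take the alert's severity from the highest-scoring covered event are assumptions made for illustration.

```python
"""Reconstruct the alert timing and totals described for item k.

Added worked example; this is not Code42's code. The page supplies only the
five-minute delay and the severity score ranges. The rule condition
("more than FILE_THRESHOLD files moved"), the constructed events, the
function names, and the choice of the highest-scoring covered event as the
alert's severity are all assumptions made for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# From the page: the alert fires five minutes after the rule's settings are exceeded.
ALERT_DELAY = timedelta(minutes=5)

# Assumed rule setting: alert when more than this many files are moved.
FILE_THRESHOLD = 5


@dataclass(frozen=True)
class FileEvent:
    """Constructed event shape for the walkthrough (not a Code42 schema)."""
    timestamp: datetime
    size_bytes: int
    risk_score: int


def severity_for_score(score: int) -> str:
    """Map a risk score to its severity label using the page's ranges."""
    if score < 0:
        raise ValueError("risk score cannot be negative")
    if score >= 9:
        return "Critical"
    if score >= 7:
        return "High"
    if score >= 4:
        return "Moderate"
    if score >= 1:
        return "Low"
    return "No risk indicated"


def summarize_alert(events, file_threshold: int) -> Optional[dict]:
    """Work out when the rule is exceeded, when the alert fires, and what it covers.

    Returns None when the threshold is never exceeded. Otherwise the totals span
    everything from the first event through alert_at, as the page describes, so
    activity that continues during the five-minute delay is folded in and
    activity after alert_at is not.
    """
    ordered = sorted(events, key=lambda e: e.timestamp)
    if not ordered:
        return None
    exceeded_at = None
    for count, event in enumerate(ordered, start=1):
        if count > file_threshold:
            exceeded_at = event.timestamp
            break
    if exceeded_at is None:
        return None
    alert_at = exceeded_at + ALERT_DELAY
    covered = [e for e in ordered if e.timestamp <= alert_at]
    return {
        "activity_start": ordered[0].timestamp,
        "exceeded_at": exceeded_at,
        "alert_at": alert_at,
        "file_total": len(covered),
        "byte_total": sum(e.size_bytes for e in covered),
        # Assumption: the alert carries the severity of its riskiest covered event.
        "severity": severity_for_score(max(e.risk_score for e in covered)),
    }


def _at(hour: int, minute: int) -> datetime:
    # Constructed date; only the clock times matter for the walkthrough.
    return datetime(2024, 1, 15, hour, minute)


# Constructed sample mirroring the page's timeline: activity starts at 10:42,
# the sixth file at 10:55 exceeds the threshold of 5, the alert fires at 11:00.
# The 11:03 event (score 9) lands after alert_at and is deliberately left out.
SAMPLE_EVENTS = [
    FileEvent(_at(10, 42), 2_000_000, 2),
    FileEvent(_at(10, 46), 500_000, 2),
    FileEvent(_at(10, 50), 1_500_000, 4),
    FileEvent(_at(10, 53), 750_000, 3),
    FileEvent(_at(10, 54), 250_000, 5),
    FileEvent(_at(10, 55), 3_000_000, 8),
    FileEvent(_at(10, 57), 1_000_000, 6),
    FileEvent(_at(10, 59), 1_000_000, 7),
    FileEvent(_at(11, 3), 4_000_000, 9),
]

if __name__ == "__main__":
    summary = summarize_alert(SAMPLE_EVENTS, FILE_THRESHOLD)
    for key, value in summary.items():
        print(f"{key:15} {value}")
```

Running the block reports an alert at 11:00 covering eight files (10,000,000 bytes) at High severity; the 11:03 event falls outside the window and would belong to a later notification, which is why the file total in an alert can differ from what a later Forensic Search of the same user shows.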
