Add departing employees

Overview

Use the Code42 Departing Employees list to review the file activity of employees leaving your company and quickly identify anything suspicious. This article explains how to add a user to Departing Employees and use Alerts to help protect you from data loss that may occur when an employee leaves your company.

Video

Watch the short video below to learn how to use the Departing Employees list. For more videos, visit the Code42 University.

Considerations

Add Trusted Domains in Data Preferences to hide file events that occur on domains you trust. Adding trusted domains helps focus your investigation on file activity that may be a higher risk. File activity on a specific domain is only considered trusted starting the date the domain was added. You can view all file activity, including events that occur on your trusted domains, in Forensic Search.
This functionality is available only if your product plan includes Risk Detection lenses. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.

To add departing employees, you must have roles that provide the necessary permissions.

Before you begin

This article assumes that you have enabled Code42 monitoring on your endpoints and cloud services activity. For more information, see:

Step 1: Add employee to the Departing Employees list

Sign in to the Code42 console.
From the Departing Employees tile on the Risk Exposure dashboard, click Add Departing Employee, or go to Detection > Departing Employees.
Click Add Departing Employee.
Enter the departing employee's information:
1. Code42 Username: Enter the Code42 username for the employee and click Continue.
2. (Optional) Add Cloud Alias: If the employee has an email alias other than their Code42 username that they use for cloud services such as Google Drive, OneDrive, or Box, click Add Cloud Alias to add and monitor the alias.
  If the Code42 username is the same alias used for cloud services, skip this step. The Code42 username is automatically monitored for file activity in your cloud services. Only one additional alias can be monitored.
3. (Optional) Departure Date: Enter the date the employee is leaving your company.
4. (Optional) User Profile Notes: Enter any details for this departing employee, for example, "Has accepted another job offer at a competitor".
  Note: These notes are visible to team members viewing this user's profile.
Click Add Employee.
The employee is added to the list of departing employees and to the default alerts for suspicious file activity.

Add multiple departing employees with the Code42 CLI
To add multiple departing employees at once, you can use the Code42 command-line interface. For more information, see the CLI documentation.

Step 2: (Optional) Change default alert settings

Go to Detection > Departing Employees.
Click Alert Settings.
Click Enable alerts for all departing employees to turn the default alerts on for all employees listed in the Departing Employees list, if not already enabled.
Click Manage Rule for the corresponding alert.
The details and criteria for that alert opens in Alerts.
Edit the alert rule to update its settings.
- To change the name, description or severity, click Actions and select Edit name & description, then make your changes and click Save.
- To change the criteria, click Edit in the appropriate panel, then make your changes and click Save.
Close the details to return to the Manage Rules table in Alerts.

Change the list of users monitored by default rules
The default Departing Employees list rules monitor all users added to the Departing Employees list for file activity. To stop monitoring specified users with the default rules, remove the user from the Departing Employees list.

Step 3: Investigate employee activity

You can investigate suspicious activity by a departing employee from either an alert notification email you receive, or from the Departing Employees list in the Code42 console directly.

To investigate activity from an alert notification email:

In the notification email, click View Alerts.
Sign in to the Code42 console.
The Alerts application opens to a filtered list.
Review the details of that activity.

To monitor employee activity in the Departing Employees list:

Sign in to the Code42 console.
Go to Detection > Departing Employees.
Locate the employee in the list of departing employees and click View profile .
The employee's User Profile page appears and shows any file activity performed by this employee within the last 90 days.

Departing Employees default alert settings

When a user is added to the Departing Employees list, they are automatically added to the default Departing Employees alerts within Alerts. These default alerts are listed below, along with their default settings.

Endpoint exposure

The Endpoint exposure alert triggers when the total size or number of files moved to removable media, synced to a cloud service, or read by a browser or other app exceeds the defined limit for this alert.

Severity: High
Email Notifications: The default recipient is the person that added the first employee to the Departing Employees or High Risk Employees list. This can be changed at any time.
Exposure Type:
- Read by browser or other app
- Moved to removable media
- Moved to cloud sync folders for Box, Box Drive, Dropbox, Google Backup and Sync, Apple iCloud, Microsoft OneDrive
Time Frame of Events: Within 15 minutes
File Size & Count: 500 MB or greater OR 20 or higher
File Categories: Any file category

Cloud share permission changes

The Cloud share permission changes alert triggers when the total size or number of files that became publicly available exceeds the defined threshold for this alert.

Severity: High
Email Notifications: The default recipient is the person that added the first employee to the Departing Employees or High Risk Employees list. This can be changed at any time.
Permissions Changed:
- Box - Public via direct link, Shared outside trusted domains
- Google Drive - Public on the web (Google Drive only), Public via Direct Link, Shared outside trusted domains
- Microsoft OneDrive - Public via direct link, Shared outside trusted domains
File Categories: Any file category

Departing Employees default alerts versus custom alerts
In Alerts, you can create custom alerts to monitor file activity in your environment. However, users added to the Departing Employees list only trigger default Departing Employees alerts. To manage both custom alerts and default Departing Employees alerts, go to Alerts.

For more information about how to change the Departing Employees default alert settings, see Change default alert settings.