Skip to main content
Contact Support

Who is this article for?
Find your product plan in the Code42 console on the Account menu.

Incydr Professional, Enterprise, and Gov F2
Incydr Basic, Advanced, and Gov F1
CrashPlan Cloud
CrashPlan for Small Business
Other product plans

Incydr Professional and Enterprise, yes.

Incydr Basic and Advanced, yes.

CrashPlan Cloud, no.

Other product plans, yes.

CrashPlan for Small Business, no.

This article applies to Code42 cloud environments.

HOME
GETTING STARTED
RELEASE NOTES
FAQs
APIs
SYSTEM STATUS
Code42 Support

Add departing employees

  1. Last updated
  2. Save as PDF

Overview

Use the Code42 Departing Employees list to review the file activity of employees leaving your company and quickly identify anything suspicious. This article explains how to add a user to Departing Employees and use Alerts to help protect you from data loss that may occur when an employee leaves your company.  

Considerations

  • Add trusted activity and data connections to focus your investigations on higher-risk file activity. Adding trust settings reduces noise by only showing untrusted file events in Incydr security event dashboards, user profiles, and alerts. All file activity is still visible in Forensic Search.

  • This functionality is available only if your product plan includes Risk Detection lenses. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to an Incydr product plan for a free trial​​​. If you do not know your CSM, please contact our Customer Champions.

  • To use this functionality, Incydr users must be assigned specific roles. For more information, see Permissions for Incydr

Differences in file event counts
File events for Forensic Search and Alerts typically appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Before you begin

This article assumes that you have enabled Code42 monitoring on your endpoints and cloud services activity. For more information, see:

Step 1: Add an employee to the Departing Employees list

With the Code42 console

  1. Sign in to the Code42 console
  2. From the Departing Employees tile on the Risk Exposure dashboard click Add employee to list Add user to list, or go to User Activity > Departing Employees and click Add to list
  3. Enter the departing employee's information: 
    1. Code42 username: Enter the Code42 username for the employee and click Continue.
    2. (Optional) Cloud alias: If the employee has an email alias other than their Code42 username that they use for cloud services such as Google Drive, OneDrive, or Box, click Add Cloud Alias to add and monitor the alias.
      If the Code42 username is the same alias used for cloud services, skip this step. The Code42 username is automatically monitored for file activity in your cloud services. Only one additional alias can be monitored.
    3. (Optional) Departure date: Enter the employee's last day at your company. 
    4. (Optional) Notes: Enter any details for this departing employee, for example, "Has accepted another job offer at a competitor". These notes are visible to team members viewing this user's profile.
  4. Click Add employee
    The employee is added to the list of departing employees and to the default alerts for suspicious file activity.

With the Code42 CLI

To add multiple departing employees at once, you can use the Code42 command-line interface. For more information, see the CLI documentation.

With Incydr Flows

Using Incydr Flows, you can automatically add users to the Departing Employees list based on updates to information in your human resources system, such as Workday or ADP. For more information about Incydr Flows, see Configure Incydr Flows.

Step 2: (Optional) Change default alert settings

  1. Go to User Activity > Departing Employees.
  2. Click Alert settings.
  3. Click View rule for the corresponding alert. 
    The details and criteria for that alert opens in Alerts.
  4. Edit the alert rule to update its settings.
    • To change the name, description or severity, click the Actions menu Actions menu and select Edit name & description, then make your changes and click Save.
    • To change the criteria, click Edit Edit icon, then make your changes and click Save.
    • To add a new setting to the rule, click Add setting.
  5. Close the details to return to Manage Rules.
Change the list of users monitored by default rules
The default Departing Employees list rules monitor all users added to the Departing Employees list for file activity. To stop monitoring specified users with the default rules, remove the user from the Departing Employees list.

Step 3: Investigate employee activity

You can investigate suspicious activity by a departing employee from either an alert notification email you receive, or from the Departing Employees list in the Code42 console directly.  

To investigate activity from an alert notification email:

  1. In the notification email, click View Alerts.
  2. Sign in to the Code42 console. 
    The Alerts application opens to a filtered list.
  3. Review the details of that activity.

To monitor employee activity in the Departing Employees list: 

  1. Sign in to the Code42 console. 
  2. Go to User Activity > Departing Employees.
  3. Locate the employee in the list of departing employees, click the Actions menu Actions menu, and select View profile.
    The employee's User Profile page appears and shows recent file activity performed by this employee.

Departing Employees default alert settings

When a user is added to the Departing Employees list, they are automatically added to the default Departing Employees alerts within Alerts. These default alerts are listed below, along with their default settings. 

Endpoint exposure 

The Endpoint exposure alert triggers when the total size or number of files moved to removable media, synced to a cloud service, read by a browser or other app, or sent to an untrusted cloud destination exceeds the defined limit for this alert. 

  • Severity: High
  • Email Notifications: The default recipient is the person that added the first employee to the Departing Employees or High Risk Employees list. This can be changed at any time.
  • Exposure Type:
    • Read by browser or other app
    • Moved to removable media
    • Moved to cloud sync folders for Box, Box Drive, Dropbox, Apple iCloud, Microsoft OneDrive
  • Time Frame of Events: Within 15 minutes
  • File Size & Count: 500 MB or greater OR 20 or higher
  • File Categories: Any file category

Cloud share permission changes

The Cloud share permission changes alert triggers when the total size or number of files that were shared publicly via a direct link or with users outside your trusted domains exceeds the defined threshold for this alert. 

  • Severity: High
  • Email Notifications: The default recipient is the person that added the first employee to the Departing Employees or High Risk Employees list. This can be changed at any time. 
  • Permissions Changed:
    • Box - Public via direct link, Shared outside trusted domains
    • Google Drive - Public on the web (Google Drive only), Public via Direct Link, Shared outside trusted domains
    • Microsoft OneDrive - Public via direct link, Shared outside trusted domains
  • File Categories: Any file category
Departing Employees default alerts versus custom alerts
In Alerts, you can create custom alerts to monitor the file activity of any user in your environment.

In addition to custom alerts, users on the Departing Employees list are also automatically added to the default Departing Employees alerts. To manage both custom alerts and default Departing Employees alerts, go to Alerts

For more information about how to change the Departing Employees default alert settings, see Change default alert settings.

Remove an employee from the Departing Employees list

  1. Go to User Activity > Departing Employees.
  2. Locate the user in the list of departing employees, click the Actions menu Actions menu, and select Remove user.
  3. In the confirmation message that appears, click Remove employee.
    The employee is removed from the Departing Employees list.
  1. Back to top
  • Was this article helpful?

Recommended articles

  1. Article type
    How-to
    Available in CrashPlan Cloud
    No
    Available in other product plans
    Yes
    Available in Incydr Basic and Advanced
    Yes
    Available in Incydr Pro and Enterprise
    Yes
    Available in CrashPlan for Small Business
    No
  2. Tags
    1. alerts
    2. insider threat
    3. lens