Add departing employees

Overview

Use Departing Employees in Code42 to review the file activity of employees leaving your company and quickly identify anything suspicious. This article explains how to add a user to Departing Employees and use Alerts to help protect you from data loss that may occur when an employee leaves your company.  

Considerations

• You must have either the Customer Cloud Admin or Security Center User role to access Departing Employees and Alerts.
• To see activity on for a departing employee, you must enable Forensic File Search. Contact your Customer Success Manager (CSM) for assistance with licensing. If you don't know who your CSM is, email csmsupport@code42.com. 

Before you begin

This article assumes that you have enabled Code42 monitoring on your endpoints and cloud services activity. For more information, see:

• Enable endpoint monitoring for file exfiltration detection
• Introduction to adding data sources for Forensic File Search 

Step 1: Add employee to Departing Employees list

1. Sign in to the administration console. 
2. Click the Departing Employees application tile on the Risk Exposure dashboard, or go to Detection > Departing Employees.
3. Click Add Departing Employee.
4. Enter the departing employee's information: 
   1. Code42 Username: Enter the Code42 username for the employee. 
   2. Add Cloud Alias: If the employee has email aliases other than their Code42 username that they use for cloud services such as Google Drive, OneDrive, or Box, click Add Cloud Alias to add and monitor those aliases.
      If the Code42 username is the same alias used for cloud services, skip this step. The Code42 username is automatically monitored for file activity in your cloud services. 
   3. (Optional) Departure Date: Enter the date the employee is leaving your company. 
   4. (Optional) Notes: Enter any details for this departing employee, for example, "Has accepted another job offer at a competitor". 
5. Click Add Employee. 
   The employee is added to the list of departing employees and to the default alerts for suspicious file activity.

Step 2: (Optional) Change default alert settings

1. Go to Detection > Departing Employees.
2. Click Alert Settings.
3. Click Enable alerts for all departing employees to turn the default alerts on for all employees listed in the Departing Employees application, if not already enabled. 
4. Click Manage Rule next to each displayed alert.
   The Edit Rule dialog opens.
5. Make any necessary changes and click Save.

Step 3: Investigate employee activity

You can investigate suspicious activity by a departing employee from either an alert notification email you receive, or from Departing Employees in the administration console directly.  

To investigate activity from an alert notification email:

1. In the notification email, click View Alerts.
2. Sign in to the administration console. 
   The Alerts application opens to a filtered list.
3. Review the details of that activity.

To monitor employee activity in the Departing Employees application: 

1. Sign in to the administration console. 
2. Go to Detection > Departing Employees.
3. Locate the employee in the list of departing employees and click View User Profile .
   The employee's User Profile page appears and shows any file activity performed by this employee within the last 90 days.

Departing Employees default alert settings

When a user is added to Departing Employees, they are automatically added to the default Departing Employees alerts within Alerts. These default alerts are listed below, along with their default settings. 

Related topics

• Prepare for departing employees 
• Departing Employees reference 
• Alerts reference
• Create and manage alerts
• Best practices for protecting data when employees leave 
• Risk Exposure reference