Skip to main content

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Code42 Support

Add high risk employees

Who is this article for?

Code42 for EnterpriseSee product plans and features
CrashPlan for Small Business 

CrashPlan for Small Business, no.

Code42 for Enterprise, yes.

Link: Product plans and features.

This article applies to Cloud.

Overview

Use the High Risk Employees application to review the file activity of employees in your company with risk factors and quickly identify anything suspicious. This article explains how to add a user to High Risk Employees and use Alerts to help protect you from data loss that may occur when you have employees that have access to critical data, are on a performance improvement plan, or are actively seeking another job.  

Considerations

Differences in file event counts
File events for Forensic Search and Alerts appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Before you begin

This article assumes that you have enabled Code42 monitoring on your endpoints and cloud services activity. For more information, see:

Step 1: Add employee to the High Risk Employees list

  1. Sign in to the administration console
  2. Click the High Risk Employees application tile on the Risk Exposure dashboard, or go to Detection > High Risk Employees.
  3. Click Add High Risk Employee.
  4. Enter the employee's information: 
    1. Code42 Username: Enter the Code42 username for the employee and click Continue.
    2. (Optional) Add Cloud Alias: If the employee has email aliases other than their Code42 username that they use for cloud services such as Google Drive, OneDrive, or Box, click Add Cloud Alias to add and monitor those aliases.
      If the Code42 username is the same alias used for cloud services, skip this step. The Code42 username is automatically monitored for file activity in your cloud services. 
    3. (Optional) Risk Factors: Select one or more risk factors for this employee.  
    4. (Optional) User Profile Notes: Enter any details for this employee. For example, "Has access to customer PII."
      Note: These notes are visible to team members viewing this user's profile.
  5. Click Add Employee
    The employee is added to the list of high-risk employees and to the default alerts for suspicious file activity.

Step 2: (Optional) Change default alert settings

  1. Go to Detection > High Risk Employees.
  2. Click Alert Settings.
  3. Click Enable alerts for all high risk employees to turn the default alerts on for all employees listed in the High Risk Employees application, if not already enabled. 
  4. Click Manage Rule next to each displayed alert.
    The Edit Rule window opens.
  5. Make any necessary changes and click Save.
Change the list of users monitored by default rules
The default High Risk Employees application rules monitor all users added to the High Risk Employees application for file activity. To stop monitoring specified users with the default rules, click Remove User Remove user icon in the High Risk Employees application.

Step 3: Investigate employee activity

You can investigate suspicious employee activity from either an alert notification email you receive or directly in the administration console using the High Risk Employees application.  

To investigate activity from an alert notification email:

  1. In the notification email, click View Alerts.
  2. Sign in to the administration console. 
    The Alerts application opens to a filtered list.
  3. Review the details of that activity.

To monitor employee activity in the High Risk Employees application: 

  1. Sign in to the administration console. 
  2. Go to Detection > High Risk Employees.
  3. Locate the employee in the list of employees and click View Profile View user profile icon.
    The employee's User Profile page appears and shows any file activity this employee has performed within the last 90 days.

High Risk default alert settings

When a user is added to High Risk Employees, they are automatically added to the default High Risk Employees alerts within Alerts. To see the default alert rules, go to Detection > High Risk Employees > Alert Settings > Manage Rule. These alerts rules are listed below, along with their default settings. 

Exposure on an endpoint 

The Endpoint exposure alert triggers when the total size or number of files moved to removable media, synced to a cloud service, or read by a browser or other app exceeds the defined limit for this alert. 

  • Severity: High
  • Email Notifications: The default recipient is the person that added the first employee to the High Risk Employees application. This can be changed at any time.
  • Exposure Type:
    • Read by browser or other app
    • Moved to removable media
    • Moved to cloud sync folders for Box, Box Drive, Dropbox, Google Backup and Sync, Apple iCloud, Microsoft OneDrive
  • File Size & Count: 500 MB or greater OR 20 files or higher
  • Time Frame of Events: Within 15 minutes
  • File Categories: Any file category

Cloud share permission changes

The Cloud share permission changes alert triggers when the total size or number of files that changed to be publicly accessible exceeds the defined limit for this alert. 

  • Severity: High
  • Email Notifications: The default recipient is the person that added the first employee to the High Risk Employees application. This can be changed at any time. 
  • Permissions Changed:
    • Box - Public via direct link
    • Google Drive - Public via Direct Link, Public on the web (Google Drive only)
    • Microsoft OneDrive - Public via direct link
  • File Categories: Any file category
High Risk Employees default alerts versus custom alerts
In Alerts, you can create custom alerts to monitor file activity in your environment. However, users added to High Risk Employees only trigger default High Risk Employees alerts. To manage both custom alerts and default High Risk Employees alerts, go to Alerts

For more information about how to change the High Risk Employees default alert settings, see Change default alert settings.
  • Was this article helpful?