Add high risk employees
Overview
Use the High Risk Employees list to review the file activity of employees in your company with risk factors and quickly identify anything suspicious. This article explains how to add a user to the High Risk Employees list and use Alerts to help protect you from data loss that may occur when you have employees that have access to critical data, are on a performance improvement plan, or are actively seeking another job.
Video
Watch the short video below to learn how to add users to the High Risk Employees list. For more videos, see the Code42 University.
Considerations
- To add high risk employees, you must have roles that provide the necessary permissions.
Before you begin
This article assumes that you have enabled Code42 monitoring on your endpoints and cloud services activity. For more information, see:
Step 1: Add employee to the High Risk Employees list
- Sign in to the Code42 console.
- Click the High Risk Employees tile on the Risk Exposure dashboard, or go to User Activity > High Risk Employees.
- Click Add high risk employee.
- Enter the employee's information:
- Code42 username: Enter the Code42 username for the employee and click Continue.
- (Optional) Add cloud alias: If the employee has an email alias other than their Code42 username that they use for cloud services such as Google Drive, OneDrive, or Box, click Add cloud alias to add and monitor the alias.
If the Code42 username is the same alias used for cloud services, skip this step. The Code42 username is automatically monitored for file activity in your cloud services. Only one additional alias can be monitored. - (Optional) Risk factors: Select one or more risk factors for this employee.
- (Optional) User profile notes: Enter any details for this employee. For example, "Has access to customer PII."
Note: These notes are visible to team members viewing this user's profile.
- Click Add employee.
The employee is added to the list of high risk employees and to the default alerts for suspicious file activity.
To add multiple high risk employees at once, you can use the Code42 command-line interface. For more information, see the CLI documentation.
Step 2: (Optional) Change default alert settings
- Go to User Activity > High Risk Employees.
- Click Alert settings.
- Click Enable alerts for all high risk employees to turn the default alerts on for all employees listed in High Risk Employees, if not already enabled.
- Click Manage rule for the corresponding alert.
The details and criteria for that alert opens in Alerts. - Edit the alert rule to update its settings.
- To change the name, description or severity, click Actions
and select Edit name & description, then make your changes and click Save.
- To change the criteria, click Edit
in the appropriate panel, then make your changes and click Save.
- To change the name, description or severity, click Actions
- Close the details to return to the Manage Rules table in Alerts.
The default High Risk Employees rules monitor all users added to the High Risk Employees list for file activity. To stop monitoring specified users with the default rules, click Remove User

Step 3: Investigate employee activity
You can investigate suspicious employee activity from either an alert notification email you receive or directly in the Code42 console using the High Risk Employees list.
To investigate activity from an alert notification email:
- In the notification email, click View Alerts.
- Sign in to the Code42 console.
The Alerts application opens to a filtered list. - Review the details of that activity.
To monitor employee activity in the High Risk Employees list:
- Sign in to the Code42 console.
- Go to User Activity > High Risk Employees.
- Locate the employee in the list of employees and click View Profile
.
The employee's User Profile page appears and shows any file activity this employee has performed within the last 90 days.
Video
Watch the video below to learn how to review the file activity of users in the High Risk Employees list. For other videos in this series, see our Training course: Detecting risk with Code42 Incydr. For more videos, visit the Code42 University.
High Risk Employees default alert settings
When a user is added to the High Risk Employees list, they are automatically added to the default High Risk Employees alerts within Alerts. To see the default alert rules, go to User Activity > High Risk Employees > Alert settings > Manage rule. These alerts rules are listed below, along with their default settings.
In Alerts, you can create custom alerts to monitor file activity in your environment. However, users added to the High Risk Employees list only trigger default High Risk Employees alerts. To manage both custom alerts and default High Risk Employees alerts, go to Alerts.
For more information about how to change the High Risk Employees default alert settings, see Change default alert settings.
Remove an employee from the High Risk Employees list
- Go to User Activity > High Risk Employees.
- Locate the employee in the list.
- Click Remove employee
.
- In the confirmation message that appears, click Remove employee.
The employee is removed from the High Risk Employees list.