Create and manage alerts

Who is this article for?

  • Incydr: yes
  • Code42 for Enterprise: yes
  • CrashPlan for Enterprise: no
  • CrashPlan for Small Business: no

This article applies to Code42 cloud environments.

Overview

This article explains how to configure alert rules. Use rules to define your alert thresholds and who will be alerted when important data may be leaving your company.

When an alert is triggered, it appears on the Alerts > Review Alerts screen. 


Considerations

  • To create and manage alerts, you must have roles that provide the necessary permissions. We recommend you use the roles in our use case for investigating suspicious file activity.
  • This functionality is available only when supported by your product plan. Contact your Customer Success Manager (CSM) for assistance with licensing, or to upgrade to the Incydr Advanced product plan for a free trial. If you don't know who your CSM is, email csmsupport@code42.com.
  • You must connect at least one cloud service to Code42 to see cloud-related file activity.

Differences in file event counts
File events for Forensic Search and Alerts appear within 15 minutes of the file activity, while file events in the Risk Exposure dashboard and the User Profile may take up to an hour to appear. As a result, you may see that the file event counts in alert notifications and Forensic Search differ from the event counts in the Risk Exposure dashboard and the Departing Employees and High Risk Employees User Profiles.

Create a rule

  1. Sign in to the Code42 console
  2. Go to Alerts > Review Alerts.
  3. Click Create Rule and select the rule type: 
    • Filename or extension
      Alerts you about activity involving files with specific filenames, extensions (such as TAR, ZIP, or CPP), or words within a filename (such as "forecast" or "sales").
    • Exposure on an endpoint
      Alerts you based on file activity on an endpoint. This kind of activity also appears on the Endpoint Activity tab of the All activity view and Endpoint activity over time view on the Risk Exposure dashboard.
    • Cloud share permission changes
      Alerts you when a file stored in a cloud service becomes publicly accessible. This kind of activity also appears on the Cloud sharing tab of the All activity view and Cloud sharing over time view on the Risk Exposure dashboard.
      Note: This rule type is not available in the Code42 federal environment.
    • File extension mismatch
      Alerts you when the contents of a file don't appear to match the file extension for a file involved in exfiltration activity. For example, a ZIP file has been renamed to a PNG extension.
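The "Filename or extension" and "File extension mismatch" rule types above key on two things: the name of the file and whether its leading bytes agree with the extension. The Python below is an added illustration of that logic, not Code42's own code; the file-event shape, the signature table and the sample events are constructed for the example. It evaluates both kinds of rule over a handful of events, and only flags a mismatch on events that carry an exposure (the page's "involved in exfiltration activity" condition).

```python
import os
from typing import Optional

# Leading-byte signatures for a few common formats (assumed table; a real
# detector carries a much longer one). ZIP covers Office documents and JARs.
MAGIC = {
    "zip": (b"PK\x03\x04", b"PK\x05\x06"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "pdf": (b"%PDF-",),
    "gz":  (b"\x1f\x8b",),
    "jpg": (b"\xff\xd8\xff",),
}
# Extensions that name the same on-disk format as a key above.
ALIASES = {"jpeg": "jpg", "tgz": "gz", "docx": "zip", "xlsx": "zip", "jar": "zip"}


def sniff_type(header: bytes) -> Optional[str]:
    """Return the format implied by the first bytes, or None if unknown."""
    for kind, sigs in MAGIC.items():
        if any(header.startswith(s) for s in sigs):
            return kind
    return None


def raw_extension(filename: str) -> str:
    """Lower-case extension without the dot, exactly as the user named it."""
    return os.path.splitext(filename)[1].lower().lstrip(".")


def claimed_type(filename: str) -> str:
    """Extension folded through ALIASES, so 'docx' compares as 'zip'."""
    ext = raw_extension(filename)
    return ALIASES.get(ext, ext)


def matches_filename_rule(filename: str, extensions=(), words=()) -> bool:
    """'Filename or extension' rule: literal extension list and/or words
    anywhere in the name. Uses the raw extension: a rule for 'zip' should
    not fire on 'report.xlsx' just because xlsx is a ZIP container."""
    name = filename.lower()
    if raw_extension(name) in {e.lower().lstrip(".") for e in extensions}:
        return True
    return any(w.lower() in name for w in words)


def extension_mismatch(filename: str, header: bytes) -> Optional[str]:
    """'File extension mismatch' rule: return the sniffed type when it
    contradicts the extension. Unknown content or a missing extension is
    not a hit; there is not enough evidence to alert on."""
    claimed = claimed_type(filename)
    actual = sniff_type(header)
    if actual is None or claimed == "":
        return None
    return actual if actual != claimed else None


def evaluate(events, rule):
    """Run one rule over file events and return (filename, reason) hits.
    rule is {"type": "filename", "extensions": [...], "words": [...]}
    or {"type": "mismatch"} (assumed rule shape)."""
    hits = []
    for ev in events:
        if rule["type"] == "filename":
            if matches_filename_rule(ev["name"], rule.get("extensions", ()),
                                     rule.get("words", ())):
                hits.append((ev["name"], "filename/extension"))
        elif rule["type"] == "mismatch":
            # Only exfiltration activity counts; a mismatched file that merely
            # sits on disk (exposure None) is not alerted.
            if ev.get("exposure"):
                why = extension_mismatch(ev["name"], ev["header"])
                if why:
                    hits.append((ev["name"], f"content is {why}"))
    return hits


# Constructed sample events (not Code42 data): name, first bytes, exposure.
EVENTS = [
    {"name": "Q3_sales_forecast.xlsx", "header": b"PK\x03\x04\x14\x00", "exposure": "cloud upload"},
    {"name": "holiday.png",            "header": b"PK\x03\x04\x14\x00", "exposure": "removable media"},
    {"name": "notes.png",              "header": b"PK\x03\x04\x14\x00", "exposure": None},
    {"name": "scan.pdf",               "header": b"%PDF-1.7\n",         "exposure": "browser upload"},
    {"name": "src.tar.gz",             "header": b"\x1f\x8b\x08",       "exposure": "removable media"},
]

if __name__ == "__main__":
    print(evaluate(EVENTS, {"type": "filename", "extensions": ["gz"], "words": ["forecast"]}))
    print(evaluate(EVENTS, {"type": "mismatch"}))
```

Note that `notes.png` has ZIP content but no exposure, so the mismatch rule stays quiet on it, while `holiday.png` on removable media is the case the page describes (a ZIP renamed to PNG).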


Review alerts

When an alert is triggered, a notification appears on the Review Alerts tab. You can add a note to an alert, review and dismiss alerts, or use the filters to search for alerts that have been dismissed to reopen them.

Code42 only alerts you about untrusted activity
Code42 automatically filters file events to alert you only about activity that occurs outside the domains you trust. While Code42 still records all file activity (and you can view it in Forensic Search), you will not be notified by alert rules when file events occur on domains you trust. Go to Settings > Data Preferences to update trusted domains settings as needed.
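The trusted-domain behaviour described above is an allow-list applied at alert time, not at collection time. The Python below is an added example of how such a filter should be written, not Code42's implementation; the event shape and the trusted list are assumptions. The point worth getting right is label-wise matching: `drive.corp.example` is inside `corp.example`, but `evil-corp.example` and `corp.example.attacker.net` are not, and an event with no destination domain at all (removable media, for instance) is never suppressed by a domain list.

```python
from typing import Iterable


def normalise_domain(value: str) -> str:
    """Reduce a URL or host string to a bare lower-case host name:
    strip scheme, userinfo, port, path and any trailing dot.
    (IPv6 literals in brackets are not handled here.)"""
    host = value.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]          # drop path
    host = host.rsplit("@", 1)[-1]        # drop userinfo
    host = host.split(":", 1)[0]          # drop port
    return host.rstrip(".")


def is_trusted(domain: str, trusted: Iterable[str]) -> bool:
    """True when domain equals a trusted entry or is a subdomain of one.
    Matches on DNS labels, not substrings, so a look-alike registered
    domain cannot ride on a trusted suffix."""
    d = normalise_domain(domain)
    for entry in trusted:
        t = normalise_domain(entry)
        if t and (d == t or d.endswith("." + t)):
            return True
    return False


def alertable(events, trusted):
    """Return the events an alert rule should still consider: everything
    whose destination is off the trust list, plus events with no domain.
    Nothing is dropped from the record itself; this only gates alerting."""
    return [
        e for e in events
        if not (e.get("domain") and is_trusted(e["domain"], trusted))
    ]


# Assumed trusted-domain configuration for the example.
TRUSTED = ["corp.example", "SharePoint.com"]

# Constructed sample events (not Code42 data).
EVENTS = [
    {"file": "plan.docx", "domain": "drive.corp.example"},
    {"file": "plan.docx", "domain": "evil-corp.example"},
    {"file": "plan.docx", "domain": "https://Contoso.SharePoint.com/sites/x"},
    {"file": "dump.zip",  "domain": "mega.nz"},
    {"file": "dump.zip",  "domain": None, "exposure": "removable media"},
    {"file": "keys.txt",  "domain": "corp.example.attacker.net"},
]

if __name__ == "__main__":
    for e in alertable(EVENTS, TRUSTED):
        print(e["file"], e.get("domain"))
```

A substring check such as `"corp.example" in domain` would wrongly trust the second and last events; the dot-prefixed suffix comparison is what keeps the allow-list from becoming a bypass.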


Add a note

  1. Sign in to the Code42 console
  2. Go to Alerts > Review Alerts.
  3. For any alert, click View details to see file event details.
  4. In the Notes panel, click Add note.
    If the alert already includes a note, click Edit to edit the existing note.
  5. Enter the note and click Save. You can also delete a note entirely by deleting the note's text and clicking Save.
    Your note is added to the Notes panel in the Alert details. Code42 automatically saves and displays the username of the last person to edit the note, along with the date and time it was edited. Click Expand note to view long notes.

Review alert notifications

  1. Sign in to the Code42 console
  2. Go to Alerts > Review Alerts.
  3. For any alert, click View details to see file event details.
  4. (Optional) Select a status to identify the state of your investigation into the alert.
  5. (Optional) Add a note (or edit any current note) to provide more details about the alert.
  6. (Optional) Click Send email to start an email to the user requesting more information about this activity.
    You can customize this email as needed after it opens.
  7. (Optional) Click Investigate in Forensic Search to see the files for this event in Forensic Search.
  8. (Optional) When you're done reviewing the alert, click Dismiss alert to remove the notification. 
    If you select the Dismissed status, Code42 automatically dismisses the alert and removes it from the list of open alerts. Click Reopen alert to reopen the alert and change its status, if needed.
Dismiss multiple notifications at once
To dismiss multiple notifications at once, select the checkbox next to one or more notifications and click the Dismiss Alerts button that appears at the top-right of the list of notifications.

Dismiss alert notifications from the Review Alerts table

  1. Sign in to the Code42 console
  2. Go to Alerts > Review Alerts.
  3. For any alert, click Dismiss alert. When the menu opens:
    • Select Dismiss to dismiss the alert.
    • Select Dismiss with note to add a note to the alert and then dismiss it. Enter your note (or edit the existing note) and then click Save and dismiss.
    The notification is removed from the table and entered into the list of dismissed alert notifications.

Reopen dismissed alert notifications

  1. Sign in to the Code42 console
  2. Go to Alerts > Review Alerts.
  3. Click Filter and apply the Dismissed status to show alerts that have been dismissed.
    1. When the Filters panel opens, under Status, clear the Open checkbox and select the Dismissed checkbox.
    2. (Optional) Select any other criteria to further filter the list of alerts that are returned.
    3. Click Apply.
      You are returned to the Review Alerts table and only the dismissed alerts that meet any other selected criteria are listed.
  4. (Optional) Click Reopen alert to reopen a notification:
    • Select Reopen to reopen the alert.
    • Select Reopen with note to add a note to the alert and then reopen it. Enter your note (or edit the existing note) and then click Save and reopen.
    The reopened notification is removed from the table and returned to the list of open alert notifications. To view open notifications, repeat step 3 above and select the Open status.

Create a rule based on another rule

  1. Sign in to the Code42 console
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to copy.
  4. Click Actions and select Make a copy.
  5. Make any necessary changes to your new rule.
  6. Click Save.
    The new rule is added to the list of rules.

Edit a rule

  1. Sign in to the Code42 console
  2. Use Alerts to select the rule to edit.
    • To edit a rule from an alert notification:
      1. Go to Alerts > Review Alerts.
      2. In the list of alerts, select the alert notification to view.
      3. In Alert details, click the Edit rule link under the rule name.
    • To edit a rule in the Manage Rules table:
      1. Go to Alerts > Manage Rules.
      2. In the list of rules, locate the rule and click Edit.
  3. Update the rule's details and criteria.
    • To change the name, description, or severity, click Actions and select Edit name & description, then make your changes and click Save.
    • To change the criteria, click Edit in the appropriate panel, then make your changes and click Save.
  4. Close the details to return to the Code42 console.

Delete a rule

Deleting a rule stops those alerts
Deleting a rule stops all alerts for that rule for all users. Any previous alerts for the rule remain on the Review Alerts tab.
  1. Sign in to the Code42 console
  2. Go to Alerts > Manage Rules.
  3. In the list of rules, locate the rule that you want to delete. Note that you cannot delete a default alert rule from the Departing Employees list or the High Risk Employees list.
  4. Click Actions and select Delete.
    A confirmation dialog appears.
  5. Click Delete Rule.
    The rule is removed from the list and all future notifications for that rule are stopped.

Default alert rules and notifications

If you add an employee to the Departing Employees list or the High Risk Employees list, you may see "Departing Employees" or "High Risk Employees" alerts and rules. Code42 automatically creates these rules to alert you of suspicious activity from employees who are actively monitored in those applications.

The default Departing Employees and High Risk Employees rules:

Enable or disable default rules

  1. Select Detection > Departing Employees or Detection > High Risk Employees.
    You cannot enable or disable a default alert rule within Alerts.
  2. Click Alert Settings.
    The Alert Settings for that list opens.
  3. Click the slider to enable or disable alerts. When enabled, the alert is turned on for all employees listed in that application.

Edit default alert rule settings

From one of the lists

  1. Select Detection > Departing Employees or Detection > High Risk Employees.
  2. Click Alert Settings.
    The Alert Settings for that list opens.
  3. Ensure that the alerts are enabled. 
  4. Click Manage Rule for the corresponding alert rule. 
    The details and criteria for that rule opens in Alerts.
  5. Edit the alert rule to update its settings:
    • To change the name, description, or severity, click Actions and select Edit name & description, then make your changes and click Save.
    • To change the settings or notifications, click Edit in the appropriate panel, then make your changes and click Save.
      To add or remove users from the rule, you must add or remove them from the corresponding list.
  6. Close the details to return to the Manage Rules table.

From Alerts

  1. Go to Alerts > Manage Rules.
  2. In the list of rules, locate the default rule and click Edit.
  3. Update the rule's details and criteria:
    • To change the name, description, or severity, click Actions and select Edit name & description, then make your changes and click Save.
    • To change the settings or notifications, click Edit in the appropriate panel, then make your changes and click Save.
      To add or remove users from the rule, you must add or remove them from the corresponding list. Likewise, default rules can only be enabled or disabled in Departing Employees or High Risk Employees.
  4. Close the details to return to the Manage Rules table.